compliance controls are associated with this Policy definition 'Support personal verification credentials issued by legal authorities' (1d39b5d9-0392-8954-8359-575ce1957d1a)
Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
CIS_Azure_1.1.0 |
9.1 |
CIS_Azure_1.1.0_9.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 9.1 |
9 AppService |
Ensure App Service Authentication is set on Azure App Service |
Shared |
The customer is responsible for implementing this recommendation. |
Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. |
link |
5 |
CIS_Azure_1.3.0 |
9.1 |
CIS_Azure_1.3.0_9.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 9.1 |
9 AppService |
Ensure App Service Authentication is set on Azure App Service |
Shared |
The customer is responsible for implementing this recommendation. |
Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. |
link |
5 |
CIS_Azure_1.4.0 |
9.1 |
CIS_Azure_1.4.0_9.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 9.1 |
9 AppService |
Ensure App Service Authentication is set up for apps in Azure App Service |
Shared |
The customer is responsible for implementing this recommendation. |
Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching the API app, or authenticate those that have tokens before they reach the API app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented. |
link |
5 |
CIS_Azure_2.0.0 |
9.1 |
CIS_Azure_2.0.0_9.1 |
CIS Microsoft Azure Foundations Benchmark recommendation 9.1 |
9 |
Ensure App Service Authentication is set up for apps in Azure App Service |
Shared |
This is only required for App Services which require authentication. Enabling on site like a marketing or support website will prevent unauthenticated access which would be undesirable.
Adding Authentication requirement will increase cost of App Service and require additional security components to facilitate the authentication. |
Azure App Service Authentication is a feature that can prevent anonymous HTTP requests from reaching a Web Application or authenticate those with tokens before they reach the app. If an anonymous request is received from a browser, App Service will redirect to a logon page. To handle the logon process, a choice from a set of identity providers can be made, or a custom authentication mechanism can be implemented.
By Enabling App Service Authentication, every incoming HTTP request passes through it before being handled by the application code. It also handles authentication of users with the specified provider (Azure Active Directory, Facebook, Google, Microsoft Account, and Twitter), validation, storing and refreshing of tokens, managing the authenticated sessions and injecting identity information into request headers. |
link |
5 |
FedRAMP_High_R4 |
IA-2 |
FedRAMP_High_R4_IA-2 |
FedRAMP High IA-2 |
Identification And Authentication |
Identification And Authentication
(Organizational Users) |
Shared |
n/a |
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
Supplemental Guidance: Organizational users include employees or individuals that organizations deem to have equivalent status of employees (e.g., contractors, guest researchers). This control applies to all accesses other than: (i) accesses that are explicitly identified and documented in AC-14; and (ii) accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Organizations employ passwords, tokens, or biometrics to authenticate user identities, or in the case multifactor authentication, or some combination thereof. Access to organizational information systems is defined as either local access or network access. Local access is any access to organizational information systems by users (or processes acting on behalf of users) where such access is
obtained by direct connections without the use of networks. Network access is access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks (e.g., the Internet). Internal networks include local area networks and wide area networks. In addition, the use of encrypted virtual private networks (VPNs) for network connections between organization- controlled endpoints and non-organization controlled endpoints may be treated as internal networks from the perspective of protecting the confidentiality and integrity of information traversing the network.
Organizations can satisfy the identification and authentication requirements in this control by complying with the requirements in Homeland Security Presidential Directive 12 consistent with the specific organizational implementation plans. Multifactor authentication requires the use of two or more different factors to achieve authentication. The factors are defined as: (i) something you know (e.g., password, personal identification number [PIN]); (ii) something you have (e.g.,
cryptographic identification device, token); or (iii) something you are (e.g., biometric). Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. In addition to identifying and authenticating users at the information system level
(i.e., at logon), organizations also employ identification and authentication mechanisms at the application level, when necessary, to provide increased information security. Identification and authentication requirements for other than organizational users are described in IA-8. Related controls: AC-2, AC-3, AC-14, AC-17, AC-18, IA-4, IA-5, IA-8.
References: HSPD-12; OMB Memoranda 04-04, 06-16, 11-11; FIPS Publication 201; NIST Special Publications 800-63, 800-73, 800-76, 800-78; FICAM Roadmap and Implementation Guidance; Web: http://idmanagement.gov. |
link |
10 |
FedRAMP_High_R4 |
IA-2(12) |
FedRAMP_High_R4_IA-2(12) |
FedRAMP High IA-2 (12) |
Identification And Authentication |
Acceptance Of Piv Credentials |
Shared |
n/a |
The information system accepts and electronically verifies Personal Identity Verification (PIV)
credentials.
Supplemental Guidance: This control enhancement applies to organizations implementing logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials. Related controls: AU-2, PE-3, SA-4. |
link |
1 |
FedRAMP_Moderate_R4 |
IA-2 |
FedRAMP_Moderate_R4_IA-2 |
FedRAMP Moderate IA-2 |
Identification And Authentication |
Identification And Authentication (Organizational Users) |
Shared |
n/a |
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
Supplemental Guidance: Organizational users include employees or individuals that organizations deem to have equivalent status of employees (e.g., contractors, guest researchers). This control applies to all accesses other than: (i) accesses that are explicitly identified and documented in AC-14; and (ii) accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Organizations employ passwords, tokens, or biometrics to authenticate user identities, or in the case multifactor authentication, or some combination thereof. Access to organizational information systems is defined as either local access or network access. Local access is any access to organizational information systems by users (or processes acting on behalf of users) where such access is
obtained by direct connections without the use of networks. Network access is access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks (e.g., the Internet). Internal networks include local area networks and wide area networks. In addition, the use of encrypted virtual private networks (VPNs) for network connections between organization- controlled endpoints and non-organization controlled endpoints may be treated as internal networks from the perspective of protecting the confidentiality and integrity of information traversing the network.
Organizations can satisfy the identification and authentication requirements in this control by complying with the requirements in Homeland Security Presidential Directive 12 consistent with the specific organizational implementation plans. Multifactor authentication requires the use of two or more different factors to achieve authentication. The factors are defined as: (i) something you know (e.g., password, personal identification number [PIN]); (ii) something you have (e.g.,
cryptographic identification device, token); or (iii) something you are (e.g., biometric). Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. In addition to identifying and authenticating users at the information system level
(i.e., at logon), organizations also employ identification and authentication mechanisms at the application level, when necessary, to provide increased information security. Identification and authentication requirements for other than organizational users are described in IA-8. Related controls: AC-2, AC-3, AC-14, AC-17, AC-18, IA-4, IA-5, IA-8.
References: HSPD-12; OMB Memoranda 04-04, 06-16, 11-11; FIPS Publication 201; NIST Special Publications 800-63, 800-73, 800-76, 800-78; FICAM Roadmap and Implementation Guidance; Web: http://idmanagement.gov. |
link |
10 |
FedRAMP_Moderate_R4 |
IA-2(12) |
FedRAMP_Moderate_R4_IA-2(12) |
FedRAMP Moderate IA-2 (12) |
Identification And Authentication |
Acceptance Of Piv Credentials |
Shared |
n/a |
The information system accepts and electronically verifies Personal Identity Verification (PIV)
credentials.
Supplemental Guidance: This control enhancement applies to organizations implementing logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials. Related controls: AU-2, PE-3, SA-4. |
link |
1 |
hipaa |
0830.09m3Organizational.1012-09.m |
hipaa-0830.09m3Organizational.1012-09.m |
0830.09m3Organizational.1012-09.m |
08 Network Protection |
0830.09m3Organizational.1012-09.m 09.06 Network Security Management |
Shared |
n/a |
A DMZ is established with all database(s), servers, and other system components storing or processing covered information placed behind it to limit external network traffic to the internal network. |
|
8 |
hipaa |
0870.09m3Organizational.20-09.m |
hipaa-0870.09m3Organizational.20-09.m |
0870.09m3Organizational.20-09.m |
08 Network Protection |
0870.09m3Organizational.20-09.m 09.06 Network Security Management |
Shared |
n/a |
Access to all proxies is denied, except for those hosts, ports, and services that are explicitly required. |
|
8 |
hipaa |
0927.09v1Organizational.3-09.v |
hipaa-0927.09v1Organizational.3-09.v |
0927.09v1Organizational.3-09.v |
09 Transmission Protection |
0927.09v1Organizational.3-09.v 09.08 Exchange of Information |
Shared |
n/a |
Stronger levels of authentication are implemented to control access from publicly accessible networks. |
|
4 |
hipaa |
11109.01q1Organizational.57-01.q |
hipaa-11109.01q1Organizational.57-01.q |
11109.01q1Organizational.57-01.q |
11 Access Control |
11109.01q1Organizational.57-01.q 01.05 Operating System Access Control |
Shared |
n/a |
The organization ensures that redundant user IDs are not issued to other users and that all users are uniquely identified and authenticated for both local and remote access to information systems. |
|
7 |
hipaa |
1121.01j3Organizational.2-01.j |
hipaa-1121.01j3Organizational.2-01.j |
1121.01j3Organizational.2-01.j |
11 Access Control |
1121.01j3Organizational.2-01.j 01.04 Network Access Control |
Shared |
n/a |
Remote administration sessions are authorized, encrypted, and employ increased security measures. |
|
11 |
hipaa |
1122.01q1System.1-01.q |
hipaa-1122.01q1System.1-01.q |
1122.01q1System.1-01.q |
11 Access Control |
1122.01q1System.1-01.q 01.05 Operating System Access Control |
Shared |
n/a |
Unique IDs that can be used to trace activities to the responsible individual are required for all types of organizational and non-organizational users. |
|
7 |
hipaa |
1125.01q2System.1-01.q |
hipaa-1125.01q2System.1-01.q |
1125.01q2System.1-01.q |
11 Access Control |
1125.01q2System.1-01.q 01.05 Operating System Access Control |
Shared |
n/a |
Multi-factor authentication methods are used in accordance with organizational policy (e.g., for remote network access). |
|
4 |
hipaa |
1175.01j1Organizational.8-01.j |
hipaa-1175.01j1Organizational.8-01.j |
1175.01j1Organizational.8-01.j |
11 Access Control |
1175.01j1Organizational.8-01.j 01.04 Network Access Control |
Shared |
n/a |
Remote access to business information across public networks only takes place after successful identification and authentication. |
|
5 |
hipaa |
1178.01j2Organizational.7-01.j |
hipaa-1178.01j2Organizational.7-01.j |
1178.01j2Organizational.7-01.j |
11 Access Control |
1178.01j2Organizational.7-01.j 01.04 Network Access Control |
Shared |
n/a |
Node authentication, including cryptographic techniques (e.g., machine certificates), can serve as an alternative means of authenticating groups of remote users where they are connected to a secure, shared computer facility. |
|
4 |
hipaa |
1424.05j2Organizational.5-05.j |
hipaa-1424.05j2Organizational.5-05.j |
1424.05j2Organizational.5-05.j |
14 Third Party Assurance |
1424.05j2Organizational.5-05.j 05.02 External Parties |
Shared |
n/a |
The organization has a formal mechanism to authenticate the customer's identity prior to granting access to covered information. |
|
8 |
ISO27001-2013 |
A.14.1.2 |
ISO27001-2013_A.14.1.2 |
ISO 27001:2013 A.14.1.2 |
System Acquisition, Development And Maintenance |
Securing application services on public networks |
Shared |
n/a |
Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification. |
link |
32 |
ISO27001-2013 |
A.14.1.3 |
ISO27001-2013_A.14.1.3 |
ISO 27001:2013 A.14.1.3 |
System Acquisition, Development And Maintenance |
Protecting application services transactions |
Shared |
n/a |
Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay. |
link |
29 |
ISO27001-2013 |
A.9.1.2 |
ISO27001-2013_A.9.1.2 |
ISO 27001:2013 A.9.1.2 |
Access Control |
Access to networks and network services |
Shared |
n/a |
Users shall only be provided with access to the network and network services that they have been specifically authorized to use. |
link |
29 |
ISO27001-2013 |
A.9.2.1 |
ISO27001-2013_A.9.2.1 |
ISO 27001:2013 A.9.2.1 |
Access Control |
User registration and de-registration |
Shared |
n/a |
A formal user registration and de-registration process shall be implemented to enable assignment of access rights. |
link |
27 |
ISO27001-2013 |
A.9.4.2 |
ISO27001-2013_A.9.4.2 |
ISO 27001:2013 A.9.4.2 |
Access Control |
Secure log-on procedures |
Shared |
n/a |
Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure. |
link |
17 |
|
mp.com.2 Protection of confidentiality |
mp.com.2 Protection of confidentiality |
404 not found |
|
|
|
n/a |
n/a |
|
55 |
|
mp.com.3 Protection of integrity and authenticity |
mp.com.3 Protection of integrity and authenticity |
404 not found |
|
|
|
n/a |
n/a |
|
62 |
|
mp.info.3 Electronic signature |
mp.info.3 Electronic signature |
404 not found |
|
|
|
n/a |
n/a |
|
40 |
|
mp.info.4 Time stamps |
mp.info.4 Time stamps |
404 not found |
|
|
|
n/a |
n/a |
|
33 |
|
mp.s.2 Protection of web services and applications |
mp.s.2 Protection of web services and applications |
404 not found |
|
|
|
n/a |
n/a |
|
102 |
NIST_SP_800-171_R2_3 |
.5.1 |
NIST_SP_800-171_R2_3.5.1 |
NIST SP 800-171 R2 3.5.1 |
Identification and Authentication |
Identify system users, processes acting on behalf of users, and devices. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Common device identifiers include Media Access Control (MAC), Internet Protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the user names associated with the system accounts assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device. [SP 800-63-3] provides guidance on digital identities. |
link |
9 |
NIST_SP_800-53_R4 |
IA-2 |
NIST_SP_800-53_R4_IA-2 |
NIST SP 800-53 Rev. 4 IA-2 |
Identification And Authentication |
Identification And Authentication (Organizational Users) |
Shared |
n/a |
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
Supplemental Guidance: Organizational users include employees or individuals that organizations deem to have equivalent status of employees (e.g., contractors, guest researchers). This control applies to all accesses other than: (i) accesses that are explicitly identified and documented in AC-14; and (ii) accesses that occur through authorized use of group authenticators without individual authentication. Organizations may require unique identification of individuals in group accounts (e.g., shared privilege accounts) or for detailed accountability of individual activity. Organizations employ passwords, tokens, or biometrics to authenticate user identities, or in the case multifactor authentication, or some combination thereof. Access to organizational information systems is defined as either local access or network access. Local access is any access to organizational information systems by users (or processes acting on behalf of users) where such access is
obtained by direct connections without the use of networks. Network access is access to organizational information systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks (e.g., the Internet). Internal networks include local area networks and wide area networks. In addition, the use of encrypted virtual private networks (VPNs) for network connections between organization- controlled endpoints and non-organization controlled endpoints may be treated as internal networks from the perspective of protecting the confidentiality and integrity of information traversing the network.
Organizations can satisfy the identification and authentication requirements in this control by complying with the requirements in Homeland Security Presidential Directive 12 consistent with the specific organizational implementation plans. Multifactor authentication requires the use of two or more different factors to achieve authentication. The factors are defined as: (i) something you know (e.g., password, personal identification number [PIN]); (ii) something you have (e.g.,
cryptographic identification device, token); or (iii) something you are (e.g., biometric). Multifactor solutions that require devices separate from information systems gaining access include, for example, hardware tokens providing time-based or challenge-response authenticators and smart cards such as the U.S. Government Personal Identity Verification card and the DoD common access card. In addition to identifying and authenticating users at the information system level
(i.e., at logon), organizations also employ identification and authentication mechanisms at the application level, when necessary, to provide increased information security. Identification and authentication requirements for other than organizational users are described in IA-8. Related controls: AC-2, AC-3, AC-14, AC-17, AC-18, IA-4, IA-5, IA-8.
References: HSPD-12; OMB Memoranda 04-04, 06-16, 11-11; FIPS Publication 201; NIST Special Publications 800-63, 800-73, 800-76, 800-78; FICAM Roadmap and Implementation Guidance; Web: http://idmanagement.gov. |
link |
10 |
NIST_SP_800-53_R4 |
IA-2(12) |
NIST_SP_800-53_R4_IA-2(12) |
NIST SP 800-53 Rev. 4 IA-2 (12) |
Identification And Authentication |
Acceptance Of Piv Credentials |
Shared |
n/a |
The information system accepts and electronically verifies Personal Identity Verification (PIV)
credentials.
Supplemental Guidance: This control enhancement applies to organizations implementing logical access control systems (LACS) and physical access control systems (PACS). Personal Identity Verification (PIV) credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. OMB Memorandum 11-11 requires federal agencies to continue implementing the requirements specified in HSPD-12 to enable agency-wide use of PIV credentials. Related controls: AU-2, PE-3, SA-4. |
link |
1 |
NIST_SP_800-53_R5 |
IA-2 |
NIST_SP_800-53_R5_IA-2 |
NIST SP 800-53 Rev. 5 IA-2 |
Identification and Authentication |
Identification and Authentication (organizational Users) |
Shared |
n/a |
Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. |
link |
10 |
NIST_SP_800-53_R5 |
IA-2(12) |
NIST_SP_800-53_R5_IA-2(12) |
NIST SP 800-53 Rev. 5 IA-2 (12) |
Identification and Authentication |
Acceptance of PIV Credentials |
Shared |
n/a |
Accept and electronically verify Personal Identity Verification-compliant credentials. |
link |
1 |
|
op.acc.1 Identification |
op.acc.1 Identification |
404 not found |
|
|
|
n/a |
n/a |
|
66 |
|
op.acc.2 Access requirements |
op.acc.2 Access requirements |
404 not found |
|
|
|
n/a |
n/a |
|
64 |
|
op.acc.5 Authentication mechanism (external users) |
op.acc.5 Authentication mechanism (external users) |
404 not found |
|
|
|
n/a |
n/a |
|
72 |
|
op.acc.6 Authentication mechanism (organization users) |
op.acc.6 Authentication mechanism (organization users) |
404 not found |
|
|
|
n/a |
n/a |
|
78 |
|
op.ext.4 Interconnection of systems |
op.ext.4 Interconnection of systems |
404 not found |
|
|
|
n/a |
n/a |
|
68 |
|
op.pl.3 Acquisition of new components |
op.pl.3 Acquisition of new components |
404 not found |
|
|
|
n/a |
n/a |
|
61 |
PCI_DSS_v4.0 |
8.2.1 |
PCI_DSS_v4.0_8.2.1 |
PCI DSS v4.0 8.2.1 |
Requirement 08: Identify Users and Authenticate Access to System Components |
User identification and related accounts for users and administrators are strictly managed throughout an account’s lifecycle |
Shared |
n/a |
All users are assigned a unique ID before access to system components or cardholder data is allowed. |
link |
3 |