Source | Azure Portal | ||
Display name | Microsoft Managed Control 1199 - Configuration Change Control | Cryptography Management | ||
Id | a9a08d1c-09b1-48f1-90ea-029bbdf7111e | ||
Version | 1.0.0 | ||
Versioning | Versions supported for Versioning: 0 Built-in Versioning [Preview] | ||
Category | Regulatory Compliance | ||
Description | Microsoft implements this Configuration Management control | ||
Additional metadata |
Name/Id: ACF1199 / Microsoft Managed Control 1199
Category: Configuration Management
Title: Configuration Change Control | Cryptography Management
Ownership: Customer, Microsoft
Description: The organization ensures that cryptographic mechanisms used to provide all security safeguards that rely on cryptography are under configuration management.
Requirements: Azure Security manages cryptographic secrets on behalf of service teams using an approved secret management store, either Azure Key Vault or dSMS. Microsoft uses the stores to implement cryptographic mechanisms, including to administer and store both group and shared account credentials, as well as to obtain and renew certificates. Cryptography changes follow the standard security review process. Cryptographic changes not expressly allowed by established baselines - e.g. when an Azure team requests a non-standard change to configuration settings - are not allowed to be made to the Azure current configuration without a completed review. The security review process is run by security representatives in C+AI Security. Changes made to cryptography are not implemented unless approved via the security review process including approval by Crypto Board. Azure Security controls the configuration of the stores using the Cryptographic Controls SOP, with which the stores are required to comply. For instance, when Microsoft deprecates formerly-approved cryptographic algorithms or key lengths through the change management process, the secret management stores are able to check the inventory of all existing secrets to identify any that rely on the newly-deprecated mechanism. |
||
Mode | Indexed | ||
Type | Static | ||
Preview | False | ||
Deprecated | False | ||
Effect | Fixed audit | ||
RBAC role(s) | none | ||
Rule aliases | none | ||
Rule resource types | IF (2): Microsoft.Resources/subscriptions, Microsoft.Resources/subscriptions/resourceGroups | ||
Compliance | Not a Compliance control | ||
Initiatives usage | none | ||
History | none | ||
JSON compare | n/a | ||