The US National Institute of Standards and Technology (NIST) publishes a catalog of security and privacy controls, Special Publication (SP) 800-53, for all federal information systems in the United States (except those related to national security). It provides a process for selecting controls to protect organizations against cyberattacks, natural disasters, structural failures, and other threats.
For US government entities and others with compliance requirements based on NIST SP 800-53, the Azure implementation of this standard helps you proactively manage and monitor compliance of your Azure environments. This standard provides governance guardrails to help organizations assess specific NIST SP 800-53 R4 controls, and it gives you a core set of policies for any Azure-deployed architecture that must implement these controls.
These control mappings include:
- Account management. Helps with the review of accounts that may not comply with an organization’s account management requirements.
- Separation of duties. Helps in maintaining an appropriate number of Azure subscription owners.
- Least privilege. Audits accounts that should be prioritized for review.
- Remote access. Helps with monitoring and control of remote access.
- Audit review, analysis, and reporting. Helps ensure that events are logged and enforces deployment of the Log Analytics agent on Azure virtual machines.
- Least functionality. Helps monitor virtual machines where an application allow list is recommended but has not yet been configured.
- Identification and authentication. Helps restrict and control privileged access.
- Vulnerability scanning. Helps with the management of information system vulnerabilities.
- Denial of service protection. Audits whether the Azure DDoS Protection Standard tier is enabled.
- Boundary protection. Helps with the management and control of the system boundary.
- Transmission confidentiality and integrity. Helps protect the confidentiality and integrity of transmitted information.
- Flaw remediation. Helps with the management of information system flaws.
- Malicious code protection. Helps with the management of endpoint protection, including malicious code protection.
- Information system monitoring. Helps with monitoring a system by auditing and enforcing logging across Azure resources.
Each control category listed above is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a 1:1 or complete match between a control and one or more policies. As such, a Compliant status refers only to the Azure policies themselves; it doesn’t ensure you’re fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren’t addressed by any Azure Policy definition at this time. Therefore, the compliance view in Azure Policy is only a partial view of your overall compliance status.
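The following PowerShell script is an added example, not code from this page or from Microsoft's documentation, showing how a practitioner typically puts the above into practice with the Az modules: locate the built-in NIST SP 800-53 R4 initiative, assign it at subscription scope with a managed identity (needed because some of its policies, such as the Log Analytics agent deployment mentioned under audit review, are deployIfNotExists effects that remediate rather than only audit), and then read back the per-policy compliance state. The subscription ID, assignment name, region and the use of an empty parameter object are assumptions for illustration; the initiative may require parameters in your tenant, in which case you would pass them in `-PolicyParameterObject`.

```powershell
# Added example: assign the built-in NIST SP 800-53 R4 initiative and query compliance.
# Assumes Az.Accounts, Az.Resources and Az.PolicyInsights are installed and Connect-AzAccount has run.
# The values below are placeholders, not identifiers from the page.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # assumed subscription ID
$scope          = "/subscriptions/$subscriptionId"
$assignmentName = 'nist-sp-800-53-r4'                       # assumed assignment name
$location       = 'eastus'                                  # assumed region for the managed identity

# 1. Find the built-in initiative by display name rather than hard-coding its GUID,
#    so the script does not depend on an identifier this page never states.
$initiative = Get-AzPolicySetDefinition -Builtin |
    Where-Object { $_.Properties.DisplayName -eq 'NIST SP 800-53 R4' }
if (-not $initiative) { throw 'Built-in initiative "NIST SP 800-53 R4" not found in this tenant.' }

# 2. Assign it at subscription scope. -AssignIdentity creates a system-assigned managed identity,
#    which deployIfNotExists/modify policies in the initiative need to remediate resources.
#    (Newer Az.Resources versions express this as -IdentityType SystemAssigned.)
$assignment = New-AzPolicyAssignment -Name $assignmentName `
    -DisplayName 'NIST SP 800-53 R4' `
    -Scope $scope `
    -PolicySetDefinition $initiative `
    -PolicyParameterObject @{} `            # assumed: supply required initiative parameters here
    -AssignIdentity -Location $location

# 3. Compliance results appear only after the next evaluation cycle; trigger one explicitly.
Start-AzPolicyComplianceScan -AsJob | Out-Null

# 4. Summarize compliance for this assignment. Remember the caveat above: a Compliant result
#    here means the mapped policies pass, not that the NIST control itself is fully satisfied.
$summary = Get-AzPolicyStateSummary -SubscriptionId $subscriptionId -PolicyAssignmentName $assignmentName
$summary.PolicyAssignments.Results |
    Select-Object NonCompliantResources, NonCompliantPolicies

# 5. List non-compliant resources with the policy that flagged them, for triage.
Get-AzPolicyState -SubscriptionId $subscriptionId -PolicyAssignmentName $assignmentName `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyDefinitionName, PolicyDefinitionReferenceId |
    Format-Table -AutoSize
```

Because controls with no mapped policy never appear in this output at all, treat the report as a list of known gaps in the mapped subset, and track unmapped controls (and the parts of mapped controls that no policy checks) through a separate process.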