AzPolicyAdvertizer

last sync: 2025-Oct-31 18:22:59 UTC

Establish parameters for searching secret authenticators and verifiers | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Establish parameters for searching secret authenticators and verifiers
Id 0065241c-72e9-3b2c-556f-75de66332a94
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0274 - Establish parameters for searching secret authenticators and verifiers
Cloud environments AzureCloud = true
AzureUSGovernment = unknown
AzureChinaCloud = unknown
Available in AzUSGov Unknown, no evidence if Policy definition is/not available in AzureUSGovernment
Additional metadata Name/Id: CMA_0274 / CMA_0274
Category: Operational
Title: Establish parameters for searching secret authenticators and verifiers
Ownership: Customer
Description: Microsoft recommends that your organization establish a process and parameters to use look-up secrets. A look-up secret is a shared secret (physical or electronic) between the claimant and verifier for authentication or used as another factor for authentication. A look-up secret is also leveraged if another authenticator is lost or malfunctioned. It is recommended that the secret is generated through approved random bit generator SP 800-90Ar1 and securely shared with the claimant / subscriber. It is recommended that the secret is shared over a secure channel. Verifiers of look-up secrets may request from the claimant the secret for authentication to be used only once, and they may store the secrets to avoid offline attacks. Look-up secrets having at least 112 bits of entropy can be hashed with an approved one-way function. Look-up secrets with fewer than 112 bits of entropy can be salted and hashed using a suitable one-way key derivation function.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Compliance
The following 4 compliance controls are associated with this Policy definition 'Establish parameters for searching secret authenticators and verifiers' (0065241c-72e9-3b2c-556f-75de66332a94)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 IA-5(2) FedRAMP_High_R4_IA-5(2) FedRAMP High IA-5 (2) Identification And Authentication Pki-Based Authentication Shared n/a The information system, for PKI-based authentication: (a) Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information; (b) Enforces authorized access to the corresponding private key; (c) Maps the authenticated identity to the account of the individual or group; and (d) Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network. Supplemental Guidance: Status information for certification paths includes, for example, certificate revocation lists or certificate status protocol responses. For PIV cards, validation of certifications involves the construction and verification of a certification path to the Common Policy Root trust anchor including certificate policy processing. Related control: IA-6. link 7
FedRAMP_Moderate_R4 IA-5(2) FedRAMP_Moderate_R4_IA-5(2) FedRAMP Moderate IA-5 (2) Identification And Authentication Pki-Based Authentication Shared n/a The information system, for PKI-based authentication: (a) Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information; (b) Enforces authorized access to the corresponding private key; (c) Maps the authenticated identity to the account of the individual or group; and (d) Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network. Supplemental Guidance: Status information for certification paths includes, for example, certificate revocation lists or certificate status protocol responses. For PIV cards, validation of certifications involves the construction and verification of a certification path to the Common Policy Root trust anchor including certificate policy processing. Related control: IA-6. link 7
NIST_SP_800-53_R4 IA-5(2) NIST_SP_800-53_R4_IA-5(2) NIST SP 800-53 Rev. 4 IA-5 (2) Identification And Authentication Pki-Based Authentication Shared n/a The information system, for PKI-based authentication: (a) Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information; (b) Enforces authorized access to the corresponding private key; (c) Maps the authenticated identity to the account of the individual or group; and (d) Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network. Supplemental Guidance: Status information for certification paths includes, for example, certificate revocation lists or certificate status protocol responses. For PIV cards, validation of certifications involves the construction and verification of a certification path to the Common Policy Root trust anchor including certificate policy processing. Related control: IA-6. link 7
NIST_SP_800-53_R5 IA-5(2) NIST_SP_800-53_R5_IA-5(2) NIST SP 800-53 Rev. 5 IA-5 (2) Identification and Authentication Public Key-based Authentication Shared n/a (a) For public key-based authentication: (1) Enforce authorized access to the corresponding private key; and (2) Map the authenticated identity to the account of the individual or group; and (b) When public key infrastructure (PKI) is used: (1) Validate certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; and (2) Implement a local cache of revocation data to support path discovery and validation. link 7
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn true
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn true
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn true
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn true
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-19 17:41:40 add 0065241c-72e9-3b2c-556f-75de66332a94
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC