AzPolicyAdvertizer

last sync: 2025-Oct-31 18:22:59 UTC

Implement plans of action and milestones for security program process | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source Azure Portal
Display name Implement plans of action and milestones for security program process
Id d93fe1be-13e4-421d-9c21-3158e2fa2667
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_C1737 - Implement plans of action and milestones for security program process
Cloud environments AzureCloud = true
AzureUSGovernment = true
AzureChinaCloud = unknown
Available in AzUSGov The Policy is available in AzureUSGovernment cloud. Version: '1.*.*'
Additional metadata Name/Id: CMA_C1737 / CMA_C1737
Category: Documentation
Title: Implement plans of action and milestones for security program process
Ownership: Customer
Description: The customer is responsible for implementing a process for ensuring that plans of action and milestones for the security program and associated organizational information systems: 1. Are developed and maintained. 2. Document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, other organizations, and the Nation; and 3. Are reported in accordance with OMB FISMA reporting requirements.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Compliance
The following 3 compliance controls are associated with this Policy definition 'Implement plans of action and milestones for security program process' (d93fe1be-13e4-421d-9c21-3158e2fa2667)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
hipaa 0179.05h1Organizational.4-05.h hipaa-0179.05h1Organizational.4-05.h 0179.05h1Organizational.4-05.h 01 Information Protection Program 0179.05h1Organizational.4-05.h 05.01 Internal Organization Shared n/a If an independent review identifies that the organization's approach and implementation to managing information security is inadequate or not compliant with the direction for information security stated in the information security policy document, management takes corrective actions. 3
ISO27001-2013 C.9.3.a ISO27001-2013_C.9.3.a ISO 27001:2013 C.9.3.a Performance Evaluation Management review Shared n/a Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. The management review shall include consideration of: a) the status of actions from previous management reviews; The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. The organization shall retain documented information as evidence of the results of management reviews. link 5
NIST_SP_800-171_R2_3 .12.2 NIST_SP_800-171_R2_3.12.2 NIST SP 800-171 R2 3.12.2 Security Assessment Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. Shared Microsoft and the customer share responsibilities for implementing this requirement. The plan of action is a key document in the information security program. Organizations develop plans of action that describe how any unimplemented security requirements will be met and how any planned mitigations will be implemented. Organizations can document the system security plan and plan of action as separate or combined documents and in any chosen format. Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization. [NIST CUI] provides supplemental material for Special Publication 800-171 including templates for plans of action. link 4
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn unknown
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn true
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn true
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add d93fe1be-13e4-421d-9c21-3158e2fa2667
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC