Instructions

Important

Microsoft Azure and Microsoft Azure Government cloud services meet the requirements of the US Federal Risk & Authorization Management Program (FedRAMP) and of the US Department of Defense, from information impact levels 2 through 5. More information on Azure compliance can be found here. The current list of in-scope cloud services across Azure and Azure Government for FedRAMP and DoD CC SRG compliance offerings can be found here.

[!IMPORTANT] Customers should use these 'implementation-statements' as a starting point to populate their System Security Plans (SSP) and other relevant compliance documentation. However, Customer responsibility statements are guiding principles for customers and their 3PAOs (compliance assessors) and should be used as reference points for implementation statements and overall responsibilities. Microsoft provides general guidance on responsibilities and pre-populates, to the extent feasible, implementation statements based on Azure services in scope. Customer configurations can vary due to the scope of their implementation. Please evaluate all statements before final SSP incorporation.

[!IMPORTANT] Disclaimer: Customers are wholly responsible for ensuring their own compliance with all applicable laws and regulations. Information provided in this post does not constitute legal advice, and customers should consult their legal advisors for any questions regarding legal or regulatory compliance.

  1. Clone current directory and all its sub-directories and files.
    • Optionally, use a VSCode extension for assistance with authoring and managing 'implementation-statements' in markdown files.
  2. Replace all instances of "Org." with your organization name in all the markdown files.
  3. Update "Implementation Status" and "Control Origination" sections with applicable selections for your cloud service.
  4. "Org. Shared Responsibilities Guidance" is a set of instructions for you to implement your cloud service specific responsibilities.
    • After implementation, remove this section from document before producing final SSP.
  5. Review, replace placeholders (marked by TODO: and otherwise) and fill out additional details as applicable in "Implementation Statement" section for each control and their applicable subparts.
  6. Fill out details of any planned controls in "Org. Planned Controls" section or remove the section before finalizing SSP.
  7. "Org.'s Customer Responsibility" section is for you to describe responsibilities that customers of your cloud service need to implement. Fill out the details as applicable or remove the section before finalizing SSP.
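
The script below is an added example, not part of this repository: it performs step 2 as a literal replacement and then reports what steps 4 and 5 still require before the SSP is finalized. It assumes the markdown files end in `.md` and that section titles appear in them as plain text; the function names `replace_org` and `lint_ssp` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the repository). Assumes *.md files and literal
# section titles; function names are hypothetical.

# Step 2: replace the literal string "Org." with the organization name.
# The dot is escaped so words such as "Organ" are left alone, and the name
# is escaped for sed's replacement side, where &, / and \ are special.
replace_org() {
  ro_dir=$1
  ro_name=$(printf '%s' "$2" | sed -e 's/[\/&\\]/\\&/g')
  find "$ro_dir" -type f -name '*.md' \
    -exec sed -i.bak -e "s/Org\./$ro_name/g" {} \;
  # -i.bak works with both GNU and BSD sed; drop the backups afterwards.
  find "$ro_dir" -type f -name '*.md.bak' -exec rm -f {} +
}

# Steps 4 and 5: list leftovers as file:line:text and return 1 if any exist.
# After step 2 the guidance heading no longer starts with "Org.", so it is
# matched without that prefix.
lint_ssp() {
  ls_hits=$(grep -rnE --include='*.md' \
    -e 'Org\.' -e 'TODO:' -e 'Shared Responsibilities Guidance' "$1" || true)
  if [ -z "$ls_hits" ]; then
    return 0
  fi
  printf '%s\n' "$ls_hits"
  return 1
}

# Usage: ./ssp-prep.sh <directory> <organization name>
if [ "$#" -eq 2 ]; then
  replace_org "$1" "$2"
  lint_ssp "$1"
fi
```

A non-zero exit from `lint_ssp` can gate a CI job so that a document with unfilled placeholders or the guidance section still present is never exported as the final SSP.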

Feedback

For more information, questions, or feedback please contact us.