Regulatory compliance standards in Microsoft Defender for Cloud

Microsoft Defender for Cloud streamlines the regulatory compliance process by helping you to identify issues that are preventing you from meeting a particular compliance standard, or achieving compliance certification.

Industry standards, regulatory standards, and benchmarks are represented in Defender for Cloud as security standards, and appear in the Regulatory compliance dashboard.

Compliance controls

Each security standard consists of multiple compliance controls, which are logical groups of related security recommendations.

Defender for Cloud continually assesses the environment-in-scope against any compliance controls that can be automatically assessed. Based on assessments, it shows resources as being compliant or non-compliant with controls.

Note

It's important to note that if standards have compliance controls that can't be automatically assessed, Defender for Cloud isn't able to decide whether a resource complies with the control. In this case, the control will show as greyed out.

Viewing compliance standards

The Regulatory compliance dashboard provides an interactive overview of compliance state.

Screenshot showing the regulatory compliance dashboard.

In the dashboard you can:

  • Get a summary of standards controls that have been passed.
  • Get of summary of standards that have the lowest pass rate for resources.
  • Review standards that are applied within the selected scope.
  • Review assessments for compliance controls within each applied standard.
  • Get a summary report for a specific standard.
  • Manage compliance policies to see the standards assigned to a specific scope.
  • Run a query to create a custom compliance report
  • Create a "compliance over time workbook" to track compliance status over time.
  • Download audit reports.
  • Review compliance offerings for Microsoft and third-party audits.

Compliance standard details

For each compliance standard you can view:

  • Scope for the standard.
  • Each standard broken down into groups of controls and subcontrols.
  • When you apply a standard to a scope, you can see a summary of compliance assessment for resources within the scope, for each standard control.
  • The status of the assessments reflects compliance with the standard. There are three states:
    • A green circle indicates that resources in scope are compliant with the control.
    • A red circle indicates that resources are not compliant with the control.
    • Unavailable controls are those that can't be automatically assessed and thus Defender for Cloud is unable to access whether resources are compliant.

You can drill down into controls to get information about resources that have passed/failed assessments, and for remediation steps.

Default compliance standards

By default, when you enable Defender for Cloud, the following standards are enabled:

Available compliance standards

The following standards are available in Defender for Cloud:

Standards for Azure subscriptions Standards for AWS accounts Standards for GCP projects
Australian Government ISM Protected AWS Foundational Security Best Practices Brazilian General Personal Data Protection Law (LGPD)
Canada Federal PBMM AWS Well-Architected Framework California Consumer Privacy Act (CCPA)
CIS Azure Foundations Brazilian General Personal Data Protection Law (LGPD) CIS Controls
CIS Azure Kubernetes Service (AKS) Benchmark California Consumer Privacy Act (CCPA) CIS GCP Foundations
CMMC CIS Amazon Elastic Kubernetes Service (EKS) Benchmark CIS Google Cloud Platform Foundation Benchmark
FedRAMP ‘H’ & ‘M’ CIS AWS Foundations CIS Google Kubernetes Engine (GKE) Benchmark
HIPAA/HITRUST CRI Profile CRI Profile
ISO/IEC 27001 CSA Cloud Controls Matrix (CCM) CSA Cloud Controls Matrix (CCM)
New Zealand ISM Restricted GDPR Cybersecurity Maturity Model Certification (CMMC)
NIST SP 800-171 ISO/IEC 27001 FFIEC Cybersecurity Assessment Tool (CAT)
NIST SP 800-53 ISO/IEC 27002 GDPR
PCI DSS NIST Cybersecurity Framework (CSF) ISO/IEC 27001
RMIT Malaysia NIST SP 800-172 ISO/IEC 27002
SOC 2 PCI DSS ISO/IEC 27017
Spanish ENS NIST Cybersecurity Framework (CSF)
SWIFT CSP CSCF NIST SP 800-53
UK OFFICIAL and UK NHS NIST SP 800-171
NIST SP 800-172
PCI DSS
Sarbanes Oxley Act (SOX)
SOC 2