From 3c32a5efbf1ff1631497714a30f60c3ed0b4e779 Mon Sep 17 00:00:00 2001
From: LManning-Dev <54150471+LManning-Dev@users.noreply.github.com>
Date: Thu, 8 Sep 2022 14:47:09 -0400
Subject: [PATCH 1/2] Breaking NIST into NISTRev4 and NISTRev5

Breaking NIST into NISTRev4 and NISTRev5

---
 docs/deployment-guide-bicep.md | 4 ++--
 docs/policies.md | 6 ++---
 src/bicep/add-ons/tier3/tier3.bicep | 2 +-
 src/bicep/form/mlz.portal.json | 13 +++++++----
 src/bicep/mlz.bicep | 9 ++++----
 ... NISTRev4-policyAssignmentParameters.json} | 0
 .../NISTRev5-policyAssignmentParameters.json | 22 +++++++++++++++++++
 src/bicep/modules/policy-assignment.bicep | 19 ++++++++++------
 8 files changed, 54 insertions(+), 21 deletions(-)
 rename src/bicep/modules/policies/{NIST-policyAssignmentParameters.json => NISTRev4-policyAssignmentParameters.json} (100%)
 create mode 100644 src/bicep/modules/policies/NISTRev5-policyAssignmentParameters.json

diff --git a/docs/deployment-guide-bicep.md b/docs/deployment-guide-bicep.md
index 6ed23569e..6f2c51c44 100644
--- a/docs/deployment-guide-bicep.md
+++ b/docs/deployment-guide-bicep.md
@@ -76,14 +76,14 @@ MLZ has optional features that can be enabled by setting parameters on the deplo #### Azure Policy Initiatives: NIST, IL5, CMMC -To include one of the built in Azure policy initiatives for NIST 800-53, CMMC Level 3 or DoD IL5 compliance add the `deployPolicy=true` parameter with `policy` assigned to one of the following: `NIST`, `IL5`, or `CMMC`. +To include one of the built in Azure policy initiatives for NIST 800-53, CMMC Level 3 or DoD IL5 compliance add the `deployPolicy=true` parameter with `policy` assigned to one of the following: `NISTRev4`, `NISTRev5`, `IL5`, or `CMMC`. The result will be a policy assignment created for each resource group deployed by MLZ that can be viewed in the 'Compliance' view of Azure Policy in the Azure Portal. Parameter name | Default Value | Description -------------- | ------------- | ----------- `deployPolicy` | 'false' | When set to "true", deploys the Azure Policy set defined at by the parameter "policy" to the resource groups generated in the deployment. It defaults to "false". -`policy` | 'NIST' | [NIST/IL5/CMMC] Built-in policy assignments to assign, it defaults to "NIST". IL5 is only available for AzureUsGovernment and will switch to NIST if tried in AzureCloud. +`policy` | 'NISTRev4' | [NISTRev4/NISTRev5/IL5/CMMC] Built-in policy assignments to assign, it defaults to "NISTRev4". IL5 is only available for AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud. Under the [src/bicep/modules/policies](../src/bicep/modules/policies) directory are JSON files named for the initiatives with default parameters (except for a Log Analytics workspace ID value `` that we substitute at deployment time -- any other parameter can be modified as needed). diff --git a/docs/policies.md b/docs/policies.md index 761b54a1f..00aabb533 100644 --- a/docs/policies.md +++ b/docs/policies.md 
@@ -40,14 +40,14 @@ Deploying policy assignments for NIST along with a standard deployment of MLZ is ### Deploying with Bicep -To include one of the built in Azure policy initiatives for NIST 800-53, CMMC Level 3 or DoD IL5 compliance add the parameter with one of the following, NIST, IL5 or CMMC. For example: +To include one of the built in Azure policy initiatives for NIST 800-53, CMMC Level 3 or DoD IL5 compliance add the parameter with one of the following, NISTRev4, NISTRev5, IL5 or CMMC. For example: ```plaintext az deployment sub create \ --location eastus \ --template-file mlz.bicep \ --parameters deployPolicy=true \ - --parameters policy= + --parameters policy= ``` Or, you can apply policy after deploying MLZ: @@ -57,7 +57,7 @@ az deployment group create \ --resource-group \ --name \ --template-file ./src/bicep/modules/policy-assignment.bicep \ - --parameters builtInAssignment= logAnalyticsWorkspaceName= \ + --parameters builtInAssignment= logAnalyticsWorkspaceName= \ --parameters logAnalyticsWorkspaceName= \ --parameters logAnalyticsWorkspaceResourceGroupName= ``` diff --git a/src/bicep/add-ons/tier3/tier3.bicep b/src/bicep/add-ons/tier3/tier3.bicep index 28fedf0f3..49c18fe72 100644 --- a/src/bicep/add-ons/tier3/tier3.bicep +++ b/src/bicep/add-ons/tier3/tier3.bicep 
@@ -42,7 +42,7 @@ param hubVirtualNetworkResourceId string = mlzDeploymentVariables.hub.Value.virt param logAnalyticsWorkspaceResourceId string = mlzDeploymentVariables.logAnalyticsWorkspaceResourceId.Value param logAnalyticsWorkspaceName string = mlzDeploymentVariables.logAnalyticsWorkspaceName.Value param firewallPrivateIPAddress string = mlzDeploymentVariables.firewallPrivateIPAddress.Value -@description('[NIST/IL5/CMMC] Built-in policy assignments to assign, it defaults to "NIST". IL5 is only available for AzureUsGovernment and will switch to NIST if tried in AzureCloud.') +@description('[NISTRev4/NISTRev5/IL5/CMMC] Built-in policy assignments to assign, it defaults to "NISTRev4". IL5 is only available for AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud.') param policy string = mlzDeploymentVariables.policyName.Value @description('When set to "true", deploys the Azure Policy set defined at by the parameter "policy" to the resource groups generated in the deployment. It defaults to "false".') param deployPolicy bool = mlzDeploymentVariables.deployPolicy.Value diff --git a/src/bicep/form/mlz.portal.json b/src/bicep/form/mlz.portal.json index 7b21410c5..afbeb1d93 100644 --- a/src/bicep/form/mlz.portal.json +++ b/src/bicep/form/mlz.portal.json @@ -663,7 +663,7 @@ "label": "Policy Assignment", "placeholder": "", "defaultValue": "NIST SP 800-53", - "toolTip": "DoD IL5 is only available in AzureUsGovernment and will switch to NIST if tried in AzureCloud.", + "toolTip": "DoD IL5 is only available in AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud.", "multiselect": false, "selectAll": false, "filter": true, 
@@ -673,13 +673,18 @@ "constraints": { "allowedValues": [ { - "label": "NIST SP 800-53", + "label": "NIST SP 800-53 Rev4", "description": "The US National Institute of Standards and Technology (NIST) publishes a catalog of security and privacy controls, Special Publication (SP) 800-53, for all federal information systems in the United States (except those related to national security).", - "value": "NIST" + "value": "NISTRev4" + }, + { + "label": "NIST SP 800-53 Rev5", + "description": "The US National Institute of Standards and Technology (NIST) publishes a catalog of security and privacy controls, Special Publication (SP) 800-53, for all federal information systems in the United States (except those related to national security).", + "value": "NISTRev5" }, { "label": "DoD IL5", - "description": "The Defense Information Systems Agency (DISA) is an agency of the US Department of Defense (DoD) that is responsible for developing and maintaining the DoD Cloud Computing Security Requirements Guide (SRG). These policies are only available for AzureUsGovernment and will switch to NIST if tried in AzureCloud.", + "description": "The Defense Information Systems Agency (DISA) is an agency of the US Department of Defense (DoD) that is responsible for developing and maintaining the DoD Cloud Computing Security Requirements Guide (SRG). These policies are only available for AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud.", "value": "IL5" }, { diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep index 6aa1db9ea..0ff493352 100644 --- a/src/bicep/mlz.bicep +++ b/src/bicep/mlz.bicep 
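Review bot: The dropdown's `"defaultValue": "NIST SP 800-53"`, left unchanged as context in the previous hunk of this file, no longer matches any allowedValues label once the entry here is renamed to `"NIST SP 800-53 Rev4"`; the portal DropDown control resolves defaultValue by label, so the form would most likely open with no policy pre-selected instead of Rev4. Change that line to `"defaultValue": "NIST SP 800-53 Rev4",` so the form agrees with the `'NISTRev4'` default in mlz.bicep. The new NISTRev5 entry also copies the Rev4 description word for word; a closing clause such as "This initiative maps to Revision 5 of SP 800-53." on the Rev5 entry (and "Revision 4" on the other) would let users tell the two apart in the form.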
@@ -505,12 +505,13 @@ param windowsNetworkInterfacePrivateIPAddressAllocationMethod string = 'Dynamic' param deployPolicy bool = false @allowed([ - 'NIST' - 'IL5' // AzureUsGoverment only, trying to deploy IL5 in AzureCloud will switch to NIST + 'NISTRev4' + 'NISTRev5' + 'IL5' // AzureUsGoverment only, trying to deploy IL5 in AzureCloud will switch to NISTRev4 'CMMC' ]) -@description('[NIST/IL5/CMMC] Built-in policy assignments to assign, it defaults to "NIST". IL5 is only available for AzureUsGovernment and will switch to NIST if tried in AzureCloud.') -param policy string = 'NIST' +@description('[NISTRev4/NISTRev5/IL5/CMMC] Built-in policy assignments to assign, it defaults to "NISTRev4". IL5 is only available for AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud.') +param policy string = 'NISTRev4' // MICROSOFT DEFENDER PARAMETERS diff --git a/src/bicep/modules/policies/NIST-policyAssignmentParameters.json b/src/bicep/modules/policies/NISTRev4-policyAssignmentParameters.json similarity index 100% rename from src/bicep/modules/policies/NIST-policyAssignmentParameters.json rename to src/bicep/modules/policies/NISTRev4-policyAssignmentParameters.json diff --git a/src/bicep/modules/policies/NISTRev5-policyAssignmentParameters.json b/src/bicep/modules/policies/NISTRev5-policyAssignmentParameters.json new file mode 100644 index 000000000..a39ffb861 --- /dev/null +++ b/src/bicep/modules/policies/NISTRev5-policyAssignmentParameters.json @@ -0,0 +1,22 @@ + { + "IncludeArcMachines": + { + "value": "true" + }, + "MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112": + { + "value": "1.2" + }, + "NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40": + { + "value": "Compliant" + }, + "requiredRetentionDays": + { + "value": "365" + }, + "resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6": + { + "value": "NetworkWatcherRG" + } + } \ No newline at end of file 
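Review bot: The rewritten comment on the `'IL5'` entry keeps the misspelling `AzureUsGoverment`; since the line is being touched anyway, `'IL5' // AzureUsGovernment only, trying to deploy IL5 in AzureCloud will switch to NISTRev4` would fix it. The same comment line is duplicated in the @allowed list of src/bicep/modules/policy-assignment.bicep in the next file of this patch.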
diff --git a/src/bicep/modules/policy-assignment.bicep b/src/bicep/modules/policy-assignment.bicep index ef902fdfe..e2f0999c6 100644 --- a/src/bicep/modules/policy-assignment.bicep +++ b/src/bicep/modules/policy-assignment.bicep @@ -4,12 +4,13 @@ Licensed under the MIT License. */ @allowed([ - 'NIST' - 'IL5' // AzureUsGoverment only, trying to deploy IL5 in AzureCloud will switch to NIST + 'NISTRev4' + 'NISTRev5' + 'IL5' // AzureUsGoverment only, trying to deploy IL5 in AzureCloud will switch to NISTRev4 'CMMC' ]) -@description('[NIST/IL5/CMMC] Built-in policy assignments to assign, default is NIST. IL5 is only available for AzureUsGovernment and will switch to NIST if tried in AzureCloud.') -param builtInAssignment string = 'NIST' +@description('[NISTRev4/NISTRev5/IL5/CMMC] Built-in policy assignments to assign, default is NISTRev4. IL5 is only available for AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud.') +param builtInAssignment string = 'NISTRev4' param logAnalyticsWorkspaceName string param logAnalyticsWorkspaceResourceGroupName string param operationsSubscriptionId string @@ -26,9 +27,13 @@ resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06 } var policyDefinitionID = { - NIST: { + NISTRev4: { id: '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f' - parameters: json(replace(loadTextContent('policies/NIST-policyAssignmentParameters.json'),'', logAnalyticsWorkspace.id)) + parameters: json(replace(loadTextContent('policies/NISTRev4-policyAssignmentParameters.json'),'', logAnalyticsWorkspace.id)) + } + NISTRev5: { + id: '/providers/Microsoft.Authorization/policySetDefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f' + parameters: json(loadTextContent('policies/NISTRev5-policyAssignmentParameters.json')) } IL5: { id: '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197' 
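Review bot: The new `NISTRev5` entry in `policyDefinitionID` loads its parameters with a bare `json(loadTextContent(...))`, whereas the `NISTRev4` entry beside it (and, per the deployment guide's wording, every parameters file) runs the text through `replace(..., logAnalyticsWorkspace.id)` to inject the Log Analytics workspace ID; the placeholder literal itself is not visible in this rendering of the patch. The NISTRev5-policyAssignmentParameters.json added earlier in the patch indeed carries no workspace parameter, so either the Rev5 initiative genuinely has no workspace-bound parameter — which deserves a comment such as `// Rev5 initiative takes no Log Analytics workspace parameter, so no substitution is needed` — or the Rev5 assignment will be created without a reporting workspace while every other assignment has one. Worth confirming against the built-in initiative's parameter list before merge, and amending the guide's statement that each parameters file has a workspace-ID placeholder if Rev5 is the exception. The `policyDefinitionID` object continues past the end of the hunk with the remaining entries.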
@@ -40,7 +45,7 @@ var policyDefinitionID = { } } -var modifiedAssignment = ( environment().name =~ 'AzureCloud' && builtInAssignment =~ 'IL5' ? 'NIST' : builtInAssignment ) +var modifiedAssignment = ( environment().name =~ 'AzureCloud' && builtInAssignment =~ 'IL5' ? 'NISTRev4' : builtInAssignment ) var assignmentName = '${modifiedAssignment} ${resourceGroup().name}' var agentVmssAssignmentName = 'Deploy VMSS Agents ${resourceGroup().name}' var agentVmAssignmentName = 'Deploy VM Agents ${resourceGroup().name}' From 58904946ca70fda0535bce4fdba73af4d749fcdd Mon Sep 17 00:00:00 2001 From: LManning-Dev <54150471+LManning-Dev@users.noreply.github.com> Date: Tue, 13 Sep 2022 08:46:49 -0400 Subject: [PATCH 2/2] Updating NISTRev4 NISTRev5 comment Updating NISTRev4 NISTRev5 comment --- docs/deployment-guide-bicep.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/deployment-guide-bicep.md b/docs/deployment-guide-bicep.md index 6f2c51c44..978c99db5 100644 --- a/docs/deployment-guide-bicep.md +++ b/docs/deployment-guide-bicep.md @@ -74,7 +74,7 @@ Parameter name | Default Value | Description MLZ has optional features that can be enabled by setting parameters on the deployment. -#### Azure Policy Initiatives: NIST, IL5, CMMC +#### Azure Policy Initiatives: NISTRev4, NISTRev5, IL5, CMMC To include one of the built in Azure policy initiatives for NIST 800-53, CMMC Level 3 or DoD IL5 compliance add the `deployPolicy=true` parameter with `policy` assigned to one of the following: `NISTRev4`, `NISTRev5`, `IL5`, or `CMMC`.