Azure · lisamurphy-msft · Sep 13, 2022 · Sep 8, 2022 · Sep 12, 2022 · Sep 13, 2022
@@ -74,16 +74,16 @@ Parameter name | Default Value | Description
 
 MLZ has optional features that can be enabled by setting parameters on the deployment.
 
-#### Azure Policy Initiatives: NIST, IL5, CMMC
+#### Azure Policy Initiatives: NISTRev4, NISTRev5, IL5, CMMC
 
-To include one of the built in Azure policy initiatives for NIST 800-53, CMMC Level 3 or DoD IL5 compliance add the `deployPolicy=true` parameter with `policy` assigned to one of the following: `NIST`, `IL5`, or `CMMC`.
+To include one of the built in Azure policy initiatives for NIST 800-53, CMMC Level 3 or DoD IL5 compliance add the `deployPolicy=true` parameter with `policy` assigned to one of the following: `NISTRev4`, `NISTRev5`, `IL5`, or `CMMC`.
 
 The result will be a policy assignment created for each resource group deployed by MLZ that can be viewed in the 'Compliance' view of Azure Policy in the Azure Portal.
 
 Parameter name | Default Value | Description
 -------------- | ------------- | -----------
 `deployPolicy` | 'false' | When set to "true", deploys the Azure Policy set defined at by the parameter "policy" to the resource groups generated in the deployment. It defaults to "false".
-`policy` | 'NIST' | [NIST/IL5/CMMC] Built-in policy assignments to assign, it defaults to "NIST". IL5 is only available for AzureUsGovernment and will switch to NIST if tried in AzureCloud.
+`policy` | 'NISTRev4' | [NISTRev4/NISTRev5/IL5/CMMC] Built-in policy assignments to assign, it defaults to "NISTRev4". IL5 is only available for AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud.
 
 Under the [src/bicep/modules/policies](../src/bicep/modules/policies) directory are JSON files named for the initiatives with default parameters (except for a Log Analytics workspace ID value `<LAWORKSPACE>` that we substitute at deployment time -- any other parameter can be modified as needed).
 

@@ -40,14 +40,14 @@ Deploying policy assignments for NIST along with a standard deployment of MLZ is
 
 ### Deploying with Bicep
 
-To include one of the built in Azure policy initiatives for NIST 800-53, CMMC Level 3 or DoD IL5 compliance add the parameter with one of the following, NIST, IL5 or CMMC. For example:
+To include one of the built in Azure policy initiatives for NIST 800-53, CMMC Level 3 or DoD IL5 compliance add the parameter with one of the following, NISTRev4, NISTRev5, IL5 or CMMC. For example:
 
 ```plaintext
 az deployment sub create \
   --location eastus \
   --template-file mlz.bicep \
   --parameters deployPolicy=true \
-  --parameters policy=<one of 'CMMC', 'IL5', or 'NIST'>
+  --parameters policy=<one of 'CMMC', 'IL5', 'NISTRev4', or 'NISTRev5'>
 ```
 
 Or, you can apply policy after deploying MLZ:
@@ -57,7 +57,7 @@ az deployment group create \
   --resource-group <Resource Group to assign> \
   --name <original deployment name + descriptor> \
   --template-file ./src/bicep/modules/policy-assignment.bicep \
-  --parameters builtInAssignment=<one of 'CMMC', 'IL5', or 'NIST'> logAnalyticsWorkspaceName=<Log analytics workspace name> \
+  --parameters builtInAssignment=<one of 'CMMC', 'IL5', 'NISTRev4', or 'NISTRev5'> logAnalyticsWorkspaceName=<Log analytics workspace name> \
   --parameters logAnalyticsWorkspaceName=<Log Analytics Workspace Name> \
   --parameters logAnalyticsWorkspaceResourceGroupName=<Log Analytics Workspace Resource Group Name>
 ```

@@ -42,7 +42,7 @@ param hubVirtualNetworkResourceId string = mlzDeploymentVariables.hub.Value.virt
 param logAnalyticsWorkspaceResourceId string = mlzDeploymentVariables.logAnalyticsWorkspaceResourceId.Value
 param logAnalyticsWorkspaceName string = mlzDeploymentVariables.logAnalyticsWorkspaceName.Value
 param firewallPrivateIPAddress string = mlzDeploymentVariables.firewallPrivateIPAddress.Value
-@description('[NIST/IL5/CMMC] Built-in policy assignments to assign, it defaults to "NIST". IL5 is only available for AzureUsGovernment and will switch to NIST if tried in AzureCloud.')
+@description('[NISTRev4/NISTRev5/IL5/CMMC] Built-in policy assignments to assign, it defaults to "NISTRev4". IL5 is only available for AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud.')
 param policy string = mlzDeploymentVariables.policyName.Value
 @description('When set to "true", deploys the Azure Policy set defined at by the parameter "policy" to the resource groups generated in the deployment. It defaults to "false".')
 param deployPolicy bool = mlzDeploymentVariables.deployPolicy.Value

@@ -663,7 +663,7 @@
                   "label": "Policy Assignment",
                   "placeholder": "",
                   "defaultValue": "NIST SP 800-53",
-                  "toolTip": "DoD IL5 is only available in AzureUsGovernment and will switch to NIST if tried in AzureCloud.",
+                  "toolTip": "DoD IL5 is only available in AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud.",
                   "multiselect": false,
                   "selectAll": false,
                   "filter": true,
@@ -673,13 +673,18 @@
                   "constraints": {
                     "allowedValues": [
                       {
-                        "label": "NIST SP 800-53",
+                        "label": "NIST SP 800-53 Rev4",
                         "description": "The US National Institute of Standards and Technology (NIST) publishes a catalog of security and privacy controls, Special Publication (SP) 800-53, for all federal information systems in the United States (except those related to national security).",
-                        "value": "NIST"
+                        "value": "NISTRev4"
+                      },
+                      {
+                        "label": "NIST SP 800-53 Rev5",
+                        "description": "The US National Institute of Standards and Technology (NIST) publishes a catalog of security and privacy controls, Special Publication (SP) 800-53, for all federal information systems in the United States (except those related to national security).",
+                        "value": "NISTRev5"
                       },
                       {
                         "label": "DoD IL5",
-                        "description": "The Defense Information Systems Agency (DISA) is an agency of the US Department of Defense (DoD) that is responsible for developing and maintaining the DoD Cloud Computing Security Requirements Guide (SRG). These policies are only available for AzureUsGovernment and will switch to NIST if tried in AzureCloud.",
+                        "description": "The Defense Information Systems Agency (DISA) is an agency of the US Department of Defense (DoD) that is responsible for developing and maintaining the DoD Cloud Computing Security Requirements Guide (SRG). These policies are only available for AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud.",
                         "value": "IL5"
                       },
                       {

@@ -505,12 +505,13 @@ param windowsNetworkInterfacePrivateIPAddressAllocationMethod string = 'Dynamic'
 param deployPolicy bool = false
 
 @allowed([
-  'NIST'
-  'IL5' // AzureUsGoverment only, trying to deploy IL5 in AzureCloud will switch to NIST
+  'NISTRev4'
+  'NISTRev5'
+  'IL5' // AzureUsGoverment only, trying to deploy IL5 in AzureCloud will switch to NISTRev4
   'CMMC'
 ])
-@description('[NIST/IL5/CMMC] Built-in policy assignments to assign, it defaults to "NIST". IL5 is only available for AzureUsGovernment and will switch to NIST if tried in AzureCloud.')
-param policy string = 'NIST'
+@description('[NISTRev4/NISTRev5/IL5/CMMC] Built-in policy assignments to assign, it defaults to "NISTRev4". IL5 is only available for AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud.')
+param policy string = 'NISTRev4'
 
 // MICROSOFT DEFENDER PARAMETERS
 

@@ -0,0 +1,22 @@
+    {
+        "IncludeArcMachines": 
+        {
+            "value": "true"
+        },
+        "MinimumTLSVersion-5752e6d6-1206-46d8-8ab1-ecc2f71a8112": 
+        {
+            "value": "1.2"
+        },
+        "NotAvailableMachineState-bed48b13-6647-468e-aa2f-1af1d3f4dd40": 
+        {
+            "value": "Compliant"
+        },
+        "requiredRetentionDays": 
+        {
+            "value": "365"
+        },
+        "resourceGroupName-b6e2945c-0b7b-40f5-9233-7a5323b5cdc6": 
+        {
+            "value": "NetworkWatcherRG"
+        }
+    }
@@ -4,12 +4,13 @@ Licensed under the MIT License.
 */
 
 @allowed([
-  'NIST'
-  'IL5' // AzureUsGoverment only, trying to deploy IL5 in AzureCloud will switch to NIST
+  'NISTRev4'
+  'NISTRev5'
+  'IL5' // AzureUsGoverment only, trying to deploy IL5 in AzureCloud will switch to NISTRev4
   'CMMC'
 ])
-@description('[NIST/IL5/CMMC] Built-in policy assignments to assign, default is NIST. IL5 is only available for AzureUsGovernment and will switch to NIST if tried in AzureCloud.')
-param builtInAssignment string = 'NIST'
+@description('[NISTRev4/NISTRev5/IL5/CMMC] Built-in policy assignments to assign, default is NISTRev4. IL5 is only available for AzureUsGovernment and will switch to NISTRev4 if tried in AzureCloud.')
+param builtInAssignment string = 'NISTRev4'
 param logAnalyticsWorkspaceName string
 param logAnalyticsWorkspaceResourceGroupName string
 param operationsSubscriptionId string
@@ -26,9 +27,13 @@ resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06
 }
 
 var policyDefinitionID = {
-  NIST: {
+  NISTRev4: {
     id: '/providers/Microsoft.Authorization/policySetDefinitions/cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f'
-    parameters: json(replace(loadTextContent('policies/NIST-policyAssignmentParameters.json'),'<LAWORKSPACE>', logAnalyticsWorkspace.id))
+    parameters: json(replace(loadTextContent('policies/NISTRev4-policyAssignmentParameters.json'),'<LAWORKSPACE>', logAnalyticsWorkspace.id))
+  }
+  NISTRev5: {
+    id: '/providers/Microsoft.Authorization/policySetDefinitions/179d1daa-458f-4e47-8086-2a68d0d6c38f'
+    parameters: json(loadTextContent('policies/NISTRev5-policyAssignmentParameters.json'))
   }
   IL5: {
     id: '/providers/Microsoft.Authorization/policySetDefinitions/f9a961fa-3241-4b20-adc4-bbf8ad9d7197'
@@ -40,7 +45,7 @@ var policyDefinitionID = {
   }
 }
 
-var modifiedAssignment = ( environment().name =~ 'AzureCloud' && builtInAssignment =~ 'IL5' ? 'NIST' : builtInAssignment )
+var modifiedAssignment = ( environment().name =~ 'AzureCloud' && builtInAssignment =~ 'IL5' ? 'NISTRev4' : builtInAssignment )
 var assignmentName = '${modifiedAssignment} ${resourceGroup().name}'
 var agentVmssAssignmentName = 'Deploy VMSS Agents ${resourceGroup().name}'
 var agentVmAssignmentName = 'Deploy VM Agents ${resourceGroup().name}'