@ Solution Architecture Works

Secure Azure services and workloads with Microsoft Defender for Cloud regulatory compliance controls

Improve your regulatory compliance in Defender for Cloud


Microsoft Defender for Cloud helps streamline the process of meeting regulatory compliance requirements by using the regulatory compliance dashboard. Defender for Cloud continuously evaluates your hybrid cloud environment to analyze risk factors according to the controls and best practices of the standards you have applied to your subscriptions. The dashboard reflects the state of your compliance with these standards.

When you enable Defender for Cloud on an Azure subscription, the Microsoft cloud security benchmark (MCSB) is automatically assigned to that subscription. This widely used benchmark builds on controls from the Center for Internet Security (CIS), PCI DSS, and the National Institute of Standards and Technology (NIST), with a particular focus on cloud-centric security.

The regulatory compliance dashboard displays the status of all assessments in your environment for the standards and regulations you have selected. As you follow the recommendations and reduce risk factors in your environment, your compliance posture improves.

Assess your regulatory compliance

The regulatory compliance dashboard displays your selected compliance standards with all their requirements; where a requirement is supported, it is mapped to the applicable security assessments, and the status of those assessments reflects your compliance with the standard.

Use the regulatory compliance dashboard to focus your attention on compliance gaps relative to the standards and regulations you have selected. This targeted view also enables you to continuously monitor your compliance over time in dynamic cloud and hybrid environments.

The dashboard provides you with an overview of your compliance status and all supported regulations. You will see your overall compliance score, as well as the number of passed and failed assessments associated with each standard.

Example: Microsoft Defender for Cloud regulatory compliance dashboard (the screenshot is not reproduced here).

The following numbered items correspond to the numbered locations in that dashboard screenshot and describe what is found at each:

  1. Select a compliance standard to display the list of all controls associated with that standard.
  2. View the subscription or subscriptions to which the compliance standard is applied.
  3. Select a control to view more details. Expand the control to display the assessments associated with the selected control. Select an assessment to display the list of associated resources and the actions to correct compliance issues.
  4. Select “Control details” to display the Overview, Your actions, and Microsoft actions tabs.
  5. In the Your actions tab, you can see the automated assessments associated with the control.
  6. Automated assessments indicate the number of resources that have failed and the types of resources, and they direct you straight to the remediation experience to address these recommendations.
  7. Recommendations provide suggestions to better secure your resources. You implement a recommendation by following the remediation steps provided in the recommendation.

Note

Assessments run approximately every 12 hours, so you will not see the impact of a change on your compliance data until the next run of the relevant assessment.

Remediation steps

After reviewing all recommendations, decide which one to fix first. Prioritize the security controls with the greatest potential to raise your score: a failed assessment with many resources behind it typically moves the score more than one with a single failed resource.

  1. In the list, select a recommendation.
  2. Follow the instructions in the Remediation steps section. Each recommendation has its own set of instructions.

The screenshot that accompanies this step (not reproduced here) shows the remediation steps for the recommendation that web applications should be accessible only over HTTPS.
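The dashboard summarizes each standard as a score plus passed and failed assessment counts per control, and the remediation advice above is to start with the controls that move the score most. The script below does the same triage offline. It is an added example, not part of the original page or of Microsoft's tooling. It assumes the record shape of the Defender for Cloud regulatory compliance assessments API as returned by `az security regulatory-compliance-assessments list` (an `id` path carrying the standard and control names, and `properties` with `state`, `description` and per-resource counts); the standard name `Azure-CIS-1.1.0`, the control numbers and every count in the sample are constructed for illustration and do not come from a real subscription. The pass ratio is a simplification, not Microsoft's exact scoring formula.

```python
"""Summarize and prioritize regulatory compliance gaps offline.

Added example (not from the original page or from Microsoft). Assumes the
record shape returned by
  az security regulatory-compliance-assessments list \
      --standard-name Azure-CIS-1.1.0 --control-name 7.1 -o json
The sample below is constructed; names, descriptions and counts are invented.
"""
import json
from collections import defaultdict

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
PREFIX = SUB + "/providers/Microsoft.Security/regulatoryComplianceStandards/Azure-CIS-1.1.0"


def _rec(control, name, description, state, passed, failed, skipped=0, unsupported=0):
    """Build one constructed assessment record in the assumed API shape."""
    return {
        "name": name,
        "id": f"{PREFIX}/regulatoryComplianceControls/{control}/regulatoryComplianceAssessments/{name}",
        "properties": {
            "description": description,
            "state": state,
            "passedResources": passed,
            "failedResources": failed,
            "skippedResources": skipped,
            "unsupportedResources": unsupported,
        },
    }


# Constructed sample data (not a real subscription).
SAMPLE = [
    _rec("7.1", "a1", "Disk encryption should be applied on virtual machines", "Failed", 2, 4),
    _rec("7.1", "a2", "Endpoint protection should be installed on virtual machines", "Passed", 6, 0),
    _rec("9.1", "a3", "Web Application should only be accessible over HTTPS", "Failed", 3, 1),
    _rec("2.1", "a4", "Auditing on SQL server should be enabled", "Skipped", 0, 0),
    _rec("9.1", "a5", "Function App should only be accessible over HTTPS", "Unsupported", 0, 0),
]


def parse_id(resource_id):
    """Return (standard, control) taken from the ARM resource id path."""
    parts = resource_id.strip("/").split("/")
    standard = parts[parts.index("regulatoryComplianceStandards") + 1]
    control = parts[parts.index("regulatoryComplianceControls") + 1]
    return standard, control


def summarize(assessments):
    """Per control: assessment counts by state and the total failed resources.

    This is what the dashboard shows when a control is expanded.
    """
    summary = defaultdict(lambda: {"passed": 0, "failed": 0, "skipped": 0,
                                   "unsupported": 0, "failed_resources": 0})
    for item in assessments:
        _, control = parse_id(item["id"])
        props = item["properties"]
        summary[control][props["state"].lower()] += 1
        summary[control]["failed_resources"] += props.get("failedResources", 0)
    return dict(summary)


def compliance_ratio(assessments):
    """Passed / (passed + failed) over assessments; skipped and unsupported
    ones are left out. Simplified, not Microsoft's exact score formula."""
    states = [a["properties"]["state"] for a in assessments]
    passed, failed = states.count("Passed"), states.count("Failed")
    return passed / (passed + failed) if passed + failed else 1.0


def prioritize(assessments):
    """Failed assessments ordered by failed resource count, most first, so
    the recommendation that touches the most resources is remediated first."""
    failed = [a for a in assessments if a["properties"]["state"] == "Failed"]
    failed.sort(key=lambda a: (-a["properties"]["failedResources"],
                               a["properties"]["description"]))
    return [(parse_id(a["id"])[1], a["properties"]["description"],
             a["properties"]["failedResources"]) for a in failed]


if __name__ == "__main__":
    # Replace SAMPLE with json.load() of the az CLI output to run this for real.
    print(f"compliance ratio: {compliance_ratio(SAMPLE):.0%}")
    for control, counts in sorted(summarize(SAMPLE).items()):
        print(control, json.dumps(counts))
    for control, description, failed in prioritize(SAMPLE):
        print(f"fix next: control {control}: {description} ({failed} failed resources)")
```

To run it against a subscription, dump the CLI output to a file and load it in place of `SAMPLE`; the functions only depend on the `id` path and the `properties` fields named above.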

Remediate an automated assessment

Regulatory compliance includes both automated assessments and manual assessments that may require remediation. By using the information from the regulatory compliance dashboard, you can improve your compliance posture by resolving recommendations directly from the dashboard.

To remediate an automated assessment

  1. Sign in to the Azure portal.
  2. Go to Defender for Cloud, then click Regulatory compliance.
  3. Select a regulatory compliance standard.
  4. Select a compliance control to expand it.
  5. Select one of the failed assessments that appear in the dashboard to view the details of the recommendation.
  6. Each recommendation includes a set of remediation steps to resolve the issue.
  7. Select a specific resource to view more details and resolve the recommendation for that resource.

For example, in the Azure CIS 1.1.0 standard, select the recommendation:
Disk encryption should be applied on virtual machines.

In this example, when you select Take action from the recommendation details page, you are taken to the Azure Virtual Machines pages in the Azure portal, where you can enable encryption from the Security tab.

For more information on how to apply recommendations, see Implementing security recommendations in Microsoft Defender for Cloud.

After you take action to resolve a recommendation, the result appears in the compliance dashboard report as your compliance score improves. Because assessments run approximately every 12 hours, the change is not reflected until the next run of the relevant assessment.

Remediate a manual assessment

Regulatory compliance includes automated and manual assessments that may require remediation. Manual assessments cover requirements that Defender for Cloud cannot evaluate automatically, so you confirm compliance yourself by attesting to the control and attaching evidence.

To remediate a manual assessment

  1. Sign in to the Azure portal.
  2. Go to Defender for Cloud, then click Regulatory compliance.
  3. Select a regulatory compliance standard.
  4. Select a compliance control to expand it.
  5. Under the Manual attestation and evidence section, select an assessment.
  6. Select the affected subscriptions.
  7. Select Attest.
  8. Enter the relevant information and attach compliance evidence.
  9. Select Save.
