Regulatory compliance standards in Defender for Cloud
Microsoft Defender for Cloud simplifies the regulatory compliance process by helping you identify issues that prevent you from meeting a particular compliance standard or obtaining a compliance certification.
Industry standards, regulatory standards, and benchmarks are represented in Defender for Cloud as security standards, and appear in the regulatory compliance dashboard.
Compliance controls
Each security standard is composed of several compliance controls, which are logical groups of associated security recommendations.
Defender for Cloud continuously evaluates the relevant environment against all compliance controls that can be automatically assessed. Based on these evaluations, it indicates whether resources are compliant or non-compliant with the controls.
Note
If standards include compliance controls that cannot be automatically assessed, Defender for Cloud is unable to determine whether a resource is compliant with the control. In this case, the control appears in gray.
Viewing compliance standards
The regulatory compliance dashboard offers an interactive overview of the compliance status.

In the dashboard, you can:
- Get a summary of the controls from the standards that have been validated.
- Get a summary of the standards with the lowest success rate for resources.
- Review the standards applied to the selected scope.
- Review the compliance control assessments for each applied standard.
- Obtain a summary report for a specific standard.
- Manage compliance policies to see the standards assigned to a specific scope.
- Run a query to create a custom compliance report.
- Create a “compliance over time workbook” to track compliance status over time.
- Download audit reports.
- Review compliance offerings for Microsoft and third‑party audits.
Details of compliance standards
For each compliance standard, you can view:
- The scope of the standard.
- A breakdown of the standard into control groups and sub‑controls.
When you apply a standard to a scope, you can see a summary of the compliance assessment for the resources in that scope, for each control in the standard.
The assessment status reflects compliance with the standard. There are three states:
- A green circle indicates that the resources in the scope are compliant with the control.
- A red circle indicates that the resources are not compliant with the control.
- A gray circle indicates that the control is not available, meaning it cannot be automatically assessed; Defender for Cloud therefore cannot determine whether the resources are compliant with it.
You can drill into the controls to obtain information about the resources that passed or failed the assessments, as well as remediation steps.
Default compliance standards
By default, when you enable Defender for Cloud, the following standards are enabled:
- For Azure: Microsoft Cloud Security Benchmark (MCSB).
- For AWS: Microsoft Cloud Security Benchmark (MCSB) and the AWS Foundational Security Best Practices standard.
- For GCP: Microsoft Cloud Security Benchmark (MCSB) and GCP Default.
Available compliance standards
The following standards are available in Defender for Cloud:
| Standards for Azure subscriptions | Standards for AWS accounts | Standards for GCP projects |
|---|---|---|
| Australian Government ISM Protected Standard | AWS Foundational Security Best Practices | Brazilian General Data Protection Law (LGPD) |
| Canada Federal PBMM | AWS Well‑Architected Framework | California Consumer Privacy Act (CCPA) |
| CIS Azure Foundations | Brazilian General Data Protection Law (LGPD) | CIS Controls |
| CMMC | California Consumer Privacy Act (CCPA) | CIS GCP Foundations |
| FedRAMP “H” & “M” | CIS AWS Foundations | CIS Google Cloud Platform Foundation Benchmark |
| HIPAA/HITRUST | CRI Profile | CIS Google Kubernetes Engine (GKE) Benchmark |
| ISO/IEC 27001 | Cloud Security Alliance Cloud Controls Matrix (CCM) | CRI Profile |
| New Zealand ISM Restricted | — | Cloud Security Alliance Cloud Controls Matrix (CCM) |
| NIST SP 800‑171 | ISO/IEC 27001 | Cybersecurity Maturity Model Certification (CMMC) |
| NIST SP 800‑53 | ISO/IEC 27002 | FFIEC Cybersecurity Assessment Tool (CAT) |
| PCI DSS | NIST Cybersecurity Framework (CSF) | — |
| RMIT Malaysia | NIST SP 800‑172 | ISO/IEC 27001 |
| SOC 2 | PCI DSS | ISO/IEC 27002 |
| SWIFT CSP CSCF | — | ISO/IEC 27017 |
| UK OFFICIAL and UK NHS | — | NIST Cybersecurity Framework (CSF) |
| Digital Operations Resilience Act (DORA) | — | NIST SP 800‑53 |
| European Union AI Act (EU AI Act) | — | NIST SP 800‑171 |
| Korea Public Cloud Information System (k‑ISMS‑P) | — | NIST SP 800‑172 |
| CIS Azure Foundation Benchmark v3.0 | — | PCI DSS |
| Sarbanes‑Oxley Act (SOX) | — | — |
| SOC 2 | — | — |