Live scan executed 2026-05-09 against Azure subscription 4f29d094-1079-44c9-acb0-4d73a7a2dd34 | GOVERNMENT tier | 13 agents | All findings auto-pushed to
Detector:fedramp_cmmc.cui_encryption_at_rest Storage account holding CUI-marked blobs is configured with Microsoft-managed keys (MMK) instead of FIPS 140-2 Level 2 validated customer-managed keys (CMK). Federal data handling mandates that all CUI at rest must use validated cryptographic modules. MMK does not satisfy the FedRAMP High baseline SC-28 requirement for key custody.
Enable customer-managed keys (CMK) backed by an Azure Key Vault HSM (FIPS 140-2 Level 2 validated). Rotate the CMK on a 90-day schedule. Ensure the Key Vault access policy grants only the storage account identity wrapKey and unwrapKey permissions.
FORGE Auto-Fix Applied playbook: fedramp_cmmc/cui_encrypt_cmk_hsm.yml Created Key Vault govtier-cmk-kv01 with HSM-backed RSA-3072 key. Configured storage account encryption to use CMK via Key Vault. Set key rotation policy to 90 days. Verified FIPS 140-2 Level 2 compliance on the HSM module. Removed legacy MMK configuration.
Detector:comply.fisma_poam_overdue Resource group serving as the system authorization boundary has no associated System Security Plan (SSP) or boundary diagram tagged in metadata. FISMA requires all federal systems to maintain a current authorization boundary document. The POA&M tracker shows this item is 47 days past the scheduled remediation date.
Document the authorization boundary in the SSP. Tag the resource group with boundary metadata including system name, FISMA level, authorizing official, and ATO expiration date. Upload the boundary diagram to the POA&M tracking system and close the overdue item.
Change Request Filed CHG20260509001402 Justification: FISMA authorization boundary documentation requires organizational review, ISSO sign-off, and AO approval. optional remediation (opt-in) would bypass the required SSP update workflow and POA&M closure approval chain. Status: Pending CAB review
Detector:sentinel.piv_cac_enforcement Administrative identity used for privileged operations is not configured with certificate-based authentication (PIV/CAC). HSPD-12 mandates PIV credentials for all logical access to federal systems. Password-only authentication on admin accounts violates the IA-2 control family and creates a direct path for credential theft attacks against government workloads.
Configure Azure AD Conditional Access policies requiring certificate-based authentication (CBA) for all accounts with administrative role assignments. Map PIV certificates to Azure AD user accounts via the CBA configuration. Block password-only authentication for Global Admin, Security Admin, and Privileged Role Admin roles.
FORGE Auto-Fix Applied playbook: sentinel/enforce_piv_cba.yml Created Conditional Access policy GOV-REQUIRE-PIV-ADMIN targeting all directory roles with administrative privileges. Enabled certificate-based authentication in Azure AD tenant settings. Configured certificate trust store with DoD Root CA 3 and DoD Intermediate CA chains. Set authentication strength to require phishing-resistant MFA.
Detector:bastion.govcloud_boundary_egress Network security group permits outbound traffic to IP ranges belonging to commercial Azure regions (non-GovCloud). Federal workloads handling CUI must remain within the FedRAMP-authorized boundary. Unrestricted egress to commercial endpoints allows data to traverse non-accredited infrastructure, violating boundary protection requirements.
Restrict all outbound NSG rules to Azure Government IP ranges only. Implement Azure Firewall with explicit allow-list for approved government endpoints. Deploy network flow logs to Log Analytics for continuous egress monitoring. Create alerts for any traffic destined for commercial Azure service tags.
Change Request Filed CHG20260509001404 Justification: Modifying the GovCloud network boundary egress rules requires coordination with the network operations center, validation that no authorized cross-boundary flows exist, and ISSO approval. Incorrect rule changes could sever connectivity to approved government shared services. Status: Pending CAB review
Detector:shadow.itar_public_blob_exposure Storage account containing containers tagged classification:itar has anonymous public read access enabled at the account level. ITAR (22 CFR 120-130) strictly prohibits unauthorized disclosure of defense articles and technical data to non-US persons. Public blob access makes ITAR-controlled data available to any internet user regardless of nationality, constituting a potential export control violation.
Immediately disable public blob access at the storage account level. Implement Azure AD authentication for all container access. Deploy Azure Private Endpoints to restrict access to the government VNET only. Enable Defender for Storage to detect future exposure attempts. Conduct an access log review to determine if any unauthorized downloads occurred.
FORGE Auto-Fix Applied playbook: shadow/itar_lock_blob_access.yml Set allowBlobPublicAccess: false on storage account. Revoked all active SAS tokens. Configured Private Endpoint govtier-itar-pe linked to government VNET subnet. Enabled Defender for Storage with anomalous access alerts. Applied resource lock CanNotDelete to prevent accidental exposure.
Detector:ai_guard.cui_model_fedramp_auth Azure OpenAI endpoint is deployed in a commercial region and configured to receive prompts from government workloads containing CUI. The commercial Azure OpenAI service does not hold FedRAMP High authorization. Processing CUI through non-authorized AI services violates the boundary protection and data handling requirements for federal information systems.
Migrate the AI inference endpoint to Azure Government regions where the Azure OpenAI service holds FedRAMP High P-ATO. Configure content filtering policies to block CUI markers in prompts until migration is complete. Implement network restrictions to prevent government VNETs from reaching commercial cognitive services endpoints.
Change Request Filed CHG20260509001406 Justification: Migrating AI model endpoints to GovCloud requires redeployment of model configurations, prompt engineering assets, and fine-tuned weights. This change impacts downstream application availability and requires ISSO review of the new deployment boundary before CUI processing is authorized. Status: Pending CAB review
Detector:fedramp_cmmc.audit_retention_gap Log Analytics workspace retention period is set to 90 days. CMMC Level 2 practice AU.2.042 and FedRAMP AU-11 require audit records to be retained for a minimum of one year (365 days) with at least 90 days immediately available for analysis. Current configuration would cause loss of audit evidence required for incident investigations and compliance assessments.
Increase Log Analytics workspace retention to 365 days for the interactive tier. Configure archive tier for long-term retention up to 7 years to satisfy NARA records schedules. Implement data export rules to Azure Government storage for offline backup of audit records.
Change Request Filed CHG20260509001407 Justification: Extending audit log retention from 90 to 365 days increases monthly Log Analytics costs. Budget approval from the program office is required before modifying the retention policy. Additionally, the archive tier configuration requires coordination with the records management officer. Status: Pending CAB review
Detector:scout.stig_baseline_missing Windows Server 2022 VM does not have the DISA STIG security baseline applied via Azure Guest Configuration. DISA STIGs are mandatory for all DoD information systems and strongly recommended for civilian agency systems operating at FedRAMP High. The VM is missing 34 required configuration items including audit policy settings, password complexity rules, and service hardening parameters.
Apply the Windows Server 2022 DISA STIG baseline using Azure Guest Configuration. Deploy the Azure Policy initiative for STIG compliance monitoring. Remediate all Category I (critical) findings first, followed by Category II and III. Generate a STIG Viewer checklist (.ckl) file for the system security plan.
FORGE Auto-Fix Applied playbook: scout/apply_disa_stig_baseline.yml Deployed Azure Guest Configuration assignment WindowsServer2022STIG to the VM. Applied all Category I STIG items (14 settings). Applied Category II items (16 settings). Set audit policy for logon events, object access, and privilege use. Configured password policy: 15-char minimum, 60-day max age, 24-history. Disabled unnecessary services per STIG requirements.
Detector:audit.fedramp_conmon_gap Subscription security contacts and automated vulnerability scanning schedules are not configured to meet FedRAMP Continuous Monitoring (ConMon) requirements. FedRAMP mandates monthly vulnerability scans, annual penetration testing, and quarterly POA&M reporting. No ConMon automation is in place, which means the ATO could be revoked for non-compliance with ongoing authorization requirements.
Configure Defender for Cloud security contacts with the ISSO and system owner email addresses. Enable automated vulnerability assessment on all VMs using the Qualys or MDVM agent. Set up monthly scan schedules and automated ConMon report generation. Configure weekly POA&M status email digests to the authorizing official.
Change Request Filed CHG20260509001409 Justification: Configuring ConMon contacts and scan schedules requires ISSO designation, AO approval of scanning scope, and coordination with the security operations center. Scan agent deployment may impact system availability during initial assessment windows. Status: Pending CAB review
Detector:bastion.dns_resolver_boundary Virtual network is configured with custom DNS servers pointing to 8.8.8.8 and 1.1.1.1, both commercial public resolvers. DNS queries from government workloads traversing commercial resolvers expose query metadata (hostnames, timing, source IPs) to non-government entities. This violates GovCloud boundary isolation requirements and enables passive DNS surveillance of federal network activity.
Replace custom DNS servers with Azure Government DNS Private Resolver or agency-approved MTIPS DNS infrastructure. Configure DNS Private Zones for all internal resolution. Block outbound UDP/TCP port 53 to any destination outside the government network boundary. Enable DNS query logging to the Log Analytics workspace for monitoring.
FORGE Auto-Fix Applied playbook: bastion/gov_dns_resolver_fix.yml Removed commercial DNS resolver entries (8.8.8.8, 1.1.1.1) from VNET configuration. Deployed Azure DNS Private Resolver govtier-dns-resolver in the core VNET. Created inbound endpoint on subnet dns-inbound-snet. Configured forwarding ruleset for agency-specific domains. Updated VNET DNS settings to use the private resolver IP. Added NSG rule blocking outbound port 53 to non-government destinations.
Detector:pulse.fed_threat_intel_gap Microsoft Sentinel workspace has no connections to CISA AIS (Automated Indicator Sharing), STIX/TAXII federal threat feeds, or the DHS CDM threat intelligence platform. Federal agencies are required to participate in government-wide threat sharing programs. Without these feeds, the SIEM cannot correlate local events against known federal adversary TTPs, leaving government-specific threats undetected.
Enable the CISA AIS TAXII connector in Microsoft Sentinel. Configure STIX 2.1 feed ingestion from the agency threat intelligence platform. Deploy Sentinel Threat Intelligence workbook for federal indicator visualization. Create analytics rules that match against federal IOCs for priority alerting.
Change Request Filed CHG20260509001411 Justification: Integrating federal threat intelligence feeds requires a CISA AIS participation agreement, API credentials from the agency CDM program, and validation of data handling markings (TLP). Configuration of TAXII connectors with government endpoints requires approval from the threat intel team lead. Status: Pending CAB review
Detector:predict.paw_policy_missing Administrative jump box VM accepts RDP connections from any source IP without device compliance checks. NIST 800-53 AC-17 requires remote access to be controlled through managed access control points. Without Privileged Access Workstation (PAW) policy enforcement, administrative sessions can originate from unmanaged devices that may be compromised, allowing adversaries to pivot into the government environment.
Deploy Azure AD Conditional Access policy requiring compliant/hybrid-joined devices for administrative access. Restrict the jump box NSG to allow RDP only from the PAW subnet CIDR range. Enable Azure Bastion for browser-based administrative access without exposing RDP ports. Implement just-in-time VM access to limit the attack window.
FORGE Auto-Fix Applied playbook: predict/enforce_paw_policy.yml Configured Conditional Access policy GOV-PAW-REQUIRED requiring device compliance for admin role assignments. Enabled Azure Bastion govtier-bastion-host on the core VNET. Removed direct RDP (3389) inbound rule from the jump box NSG. Enabled JIT VM access with 3-hour maximum window and approval required. Configured session recording via Azure Monitor agent.
Detector:fedramp_cmmc.fips_sql_validation Azure SQL Database is using TLS 1.2 with non-FIPS validated cipher suites for data in transit. While TLS 1.2 is enabled, the specific cipher negotiation does not restrict to FIPS 140-2 approved algorithms only. Federal systems must use FIPS-validated cryptographic modules for all encryption operations. Non-FIPS cipher suites allow algorithms that have not undergone CMVP validation.
Configure the Azure SQL Server to enforce minimum TLS 1.2 with FIPS-compliant cipher suites only. Set the connection policy to Proxy mode in Azure Government to ensure traffic routes through the FIPS-validated gateway. Enable Transparent Data Encryption (TDE) with a CMK stored in a FIPS 140-2 Level 2 Key Vault HSM.
Change Request Filed CHG20260509001413 Justification: Changing the SQL connection policy and cipher suite restrictions requires a maintenance window to avoid dropping active database connections. Application teams must verify that their connection strings and drivers support the restricted cipher set. DBA team approval is required. Status: Pending CAB review
Detector:comply.fedramp_policy_exemption A policy exemption temp-exemption-cm6 is actively bypassing the FedRAMP High baseline CM-6 configuration management control. The exemption was created 62 days ago with a category of Mitigated but has no associated POA&M item or expiration date. Permanent policy exemptions against baseline controls undermine the security posture and may trigger ATO revocation during 3PAO assessment.
Review the exemption justification and either remove it or convert it to a time-bound waiver with an associated POA&M entry. Set an exemption expiration date no more than 90 days from creation. Require ISSO approval for all policy exemptions against FedRAMP baseline controls. Implement an Azure Policy alert for any new exemptions created.
FORGE Auto-Fix Applied playbook: comply/remove_stale_exemption.yml Removed expired policy exemption temp-exemption-cm6. Reactivated the CM-6 baseline policy assignment. Deployed Azure Policy definition deny-exemption-without-expiry that blocks creation of policy exemptions without an expiration date. Created monitoring alert for new exemption creation events targeting FedRAMP baseline initiative assignments.
Detector:sentinel.irp_documentation_gap Key Vault resource containing government secrets does not have incident response plan (IRP) reference tags. FedRAMP IR-8 requires all system components to be mapped to an incident response plan. Without IRP tags, the SOC cannot quickly identify the correct response procedures when Key Vault alerts fire, delaying containment of cryptographic key compromise scenarios.
Add resource tags mapping the Key Vault to the appropriate IRP document: irp-ref, irp-owner, irp-contact, and irp-classification. Ensure the IRP covers key compromise scenarios including emergency key rotation, certificate revocation, and notification procedures for dependent systems.
Change Request Filed CHG20260509001415 Justification: IRP mapping tags require coordination with the incident response team to obtain the correct IRP document reference numbers and escalation contacts. The IRP itself may need updating to include Key Vault-specific scenarios before tags can accurately reference it. Status: Pending CAB review
Detector:scout.linux_kernel_stig RHEL 9 VM has 8 kernel parameters that deviate from the DISA STIG baseline. Findings include: net.ipv4.ip_forward=1 (should be 0), kernel.randomize_va_space=0 (should be 2), net.ipv4.conf.all.accept_redirects=1 (should be 0), and 5 additional sysctl misconfigurations. These settings weaken network stack protections and memory safety controls required for federal information systems.
Apply the RHEL 9 STIG kernel hardening profile via the SCAP Security Guide. Set all identified sysctl parameters to STIG-compliant values in /etc/sysctl.d/99-stig.conf. Enable FIPS mode at the kernel level. Deploy Azure Guest Configuration to continuously monitor kernel parameter compliance.
FORGE Auto-Fix Applied playbook: scout/linux_kernel_stig_harden.yml Deployed sysctl configuration file /etc/sysctl.d/99-stig.conf with all 8 corrected parameters. Set net.ipv4.ip_forward=0, kernel.randomize_va_space=2, net.ipv4.conf.all.accept_redirects=0. Applied settings via sysctl --system. Enabled FIPS mode with fips-mode-setup --enable. Configured Azure Guest Configuration STIG assignment for ongoing compliance monitoring.
Detector:shadow.sp_credential_expiry Service principal used for automation has a client secret with no expiration date and Contributor role at the resource group scope. NIST 800-53 IA-5 requires authenticators to have defined lifetimes. A non-expiring credential on a privileged service principal creates a persistent access vector that cannot be detected through normal credential rotation audits, enabling long-term unauthorized access if the secret is compromised.
Replace the client secret with a certificate-based credential that has a maximum 1-year validity. Migrate to managed identity where possible to eliminate credential management overhead. If a client secret must be used, set a 90-day expiration and configure Key Vault to automate rotation. Enable Azure AD sign-in logs monitoring for service principal authentication anomalies.
Change Request Filed CHG20260509001417 Justification: Replacing the service principal credential requires updating all automation runbooks and CI/CD pipelines that use this identity. Credential rotation during active automation windows could cause pipeline failures. Application team coordination is needed to schedule the migration to managed identity. Status: Pending CAB review
Detector:audit.activity_log_export Subscription-level Activity Log has no diagnostic settings configured to export logs to a Log Analytics workspace or storage account. FedRAMP AU-6 requires audit records to be centrally collected and analyzed. Without Activity Log export, control plane operations (resource creation, RBAC changes, policy modifications) are only available in the default 90-day Activity Log retention and are not searchable via Sentinel or available for long-term forensic investigation.
Create a diagnostic setting on the subscription that exports all Activity Log categories (Administrative, Security, ServiceHealth, Alert, Recommendation, Policy, Autoscale, ResourceHealth) to the central Log Analytics workspace. Additionally configure export to a storage account for long-term archival beyond the workspace retention period.
FORGE Auto-Fix Applied playbook: audit/activity_log_diagnostic.yml Created diagnostic setting govtier-actlog-export on the subscription. Configured export of all 8 Activity Log categories to Log Analytics workspace govtier-sentinel-ws. Added secondary export to storage account govtierauditarchive with 7-year retention policy. Verified log flow by checking for recent Administrative events in the workspace.
Detector:pulse.breakglass_monitoring Emergency access identity exists but has no associated Azure Monitor alert rules for sign-in activity. FedRAMP AC-2(4) requires automated notification when emergency or temporary accounts are activated. Break-glass accounts are high-value targets for attackers because they typically bypass Conditional Access policies and MFA. Without monitoring, unauthorized use of these accounts would go undetected during the critical initial compromise window.
Create a Sentinel analytics rule that triggers on any sign-in event from the break-glass account. Configure immediate email and SMS notification to the ISSO and SOC team. Set up an Azure Monitor action group with priority P1 severity. Implement a quarterly test of the break-glass account with documented procedures and SOC acknowledgment.
Change Request Filed CHG20260509001419 Justification: Configuring break-glass account monitoring requires access to the Azure AD sign-in logs, which needs Directory Reader permissions for the Sentinel service principal. The SOC team must provide the correct notification distribution list and acknowledge the new alert rule before it goes live to prevent alert fatigue. Status: Pending CAB review
Detector:fedramp_cmmc.cui_dlp_enforcement Storage account used for government document sharing has no Data Loss Prevention policy applied. Files uploaded to this account are not scanned for CUI markings (CONTROLLED, CUI, FOUO banners) and are not automatically classified. CMMC practice MP.2.120 and NIST 800-171 3.8.1 require organizations to protect CUI in storage by implementing media handling controls. Without DLP enforcement, unmarked CUI can be stored without proper access restrictions and exfiltrated without detection.
Deploy Microsoft Purview DLP policy targeting the storage account with rules for CUI banner detection (CONTROLLED, CUI//SP-CTI, CUI//SP-EXPT patterns). Configure automatic sensitivity labeling for detected CUI content. Block external sharing of files classified as CUI. Enable audit logging for all DLP policy matches and send alerts to the data governance team.
Change Request Filed CHG20260509001420 Justification: Deploying DLP policies on government document storage requires coordination with the records management office to define CUI category-specific rules. Purview licensing and the DLP scanner service must be provisioned in the GovCloud tenant. False positive testing with sample CUI documents is needed before enforcement mode activation. Status: Pending CAB review