
SC-100 Question #130: Real Exam Question with Answer & Explanation

The correct answer is B: From Azure Policy, assign a built-in initiative that has a scope of the subscription.

Design security operations, identity, and compliance capabilities

Question

Your company has an Azure subscription that has enhanced security enabled for Microsoft Defender for Cloud. The company signs a contract with the United States government. You need to review the current subscription for NIST 800-53 compliance. What should you do first?

Options

  • A. From Defender for Cloud, enable Defender for Cloud plans.
  • B. From Azure Policy, assign a built-in initiative that has a scope of the subscription.
  • C. From Microsoft Defender for Cloud Apps, create an access policy for cloud applications.
  • D. From Azure Policy, assign a built-in policy definition that has a scope of the subscription.

Explanation

To review NIST 800-53 compliance, you must first assign the built-in NIST SP 800-53 policy initiative at the subscription scope via Azure Policy. An initiative groups related policies together to evaluate compliance against the full regulatory standard.

Common mistakes.

  • A. Defender for Cloud enhanced security plans are already enabled per the scenario, so enabling plans again is redundant and is not the required first step for compliance review.
  • C. Microsoft Defender for Cloud Apps access policies govern access to SaaS cloud applications and do not assess or enforce NIST 800-53 compliance on Azure subscription resources.
  • D. A single built-in policy definition covers only one specific control, whereas NIST 800-53 requires an initiative (a collection of many policies) to assess the full regulatory control set.

Concept tested. Assigning regulatory compliance initiatives in Azure Policy

Reference. https://learn.microsoft.com/en-us/azure/governance/policy/samples/nist-sp-800-53-r5

Topics

Azure Policy, Regulatory Compliance, NIST 800-53, Microsoft Defender for Cloud
