Azure Stack HCI and security standards

This article provides information about security standards related to Azure Stack HCI. The resources detailed in this article, including certifications and evaluation reports, could be used as sources to help you in your compliance planning.

Azure Stack products, including Azure Stack HCI, Azure Stack Hub, and Azure Stack Edge, have a wide range of security features and services across the hybrid environment that can help meet stringent compliance requirements both in the cloud and on-premises. Each section in this article covers Azure Stack HCI and a particular security standard, together with any completed certifications.

Federal Information Processing Standard (FIPS) 140

The Federal Information Processing Standard (FIPS) 140 is a U.S. government security standard that specifies minimum security requirements for cryptographic modules in information technology products and systems. Azure Stack is built on Windows Server Datacenter, which has a long history of FIPS 140 validation.

The following table lists the current status of Azure Stack FIPS 140 validations. For more information about the related FIPS 140 validation of Windows Server Datacenter's cryptographic modules and algorithms, see FIPS 140 validation.

| Products | Evaluation status | Details |
| --- | --- | --- |
| Azure Stack HCI version 22H2 (evaluation also includes Azure Stack Hub and Azure Stack Edge) | In process | Listed on the NIST Modules in Process list |
| Azure Stack HCI version 21H2 (evaluation also includes Azure Stack Hub and Azure Stack Edge) | In process | Kernel Mode Cryptographic Primitives Library #4766 |
| Azure Data Box Edge, version 1809 (Azure Stack Edge) | Completed | Cryptographic Primitives Library #3197, Kernel Mode Cryptographic Primitives Library #3196, Code Integrity #3644, Windows OS Loader #3615, Secure Kernel Code Integrity #3651, BitLocker Dump Filter #3092, and Boot Manager #3089 |

Common Criteria for Information Technology Security Evaluation (CC)

Microsoft is committed to optimizing the security of its products and services. As part of that commitment, Microsoft supports the Common Criteria for Information Technology Security Evaluation program (CC), ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles, and completes Common Criteria certifications of several operating system products.

The following table lists the current status of Azure Stack Common Criteria certifications, together with relevant certification documentation. Learn more about Microsoft's approach to Common Criteria certifications at Common Criteria certifications.

| Products | Evaluation status | Details |
| --- | --- | --- |
| Azure Stack HCI version 22H2 (evaluation also includes Azure Stack Hub and Azure Stack Edge) | Completed January 17, 2024 | Includes the Protection Profile for General Purpose Operating Systems, the PP-Module for VPN Client, the PP-Module for Wireless Local Area Network Client, and the PP-Module for Bluetooth. Certification documents: Security Target, Administrative Guide, Assurance Activity Report, and Certification Report |
| Azure Stack HCI version 21H2 (evaluation also includes Azure Stack Hub and Azure Stack Edge) | Completed November 21, 2022 | Includes the General Purpose Operating Systems Protection Profile, the Extended Package for WLAN Clients, and the PP-Module for VPN Clients. Certification documents: Security Target, Administrative Guide, Assurance Activity Report, and Certification Report |
| Azure Stack | Completed January 12, 2022 | Includes the General Purpose Operating Systems Protection Profile, the Extended Package for WLAN Clients, and the PP-Module for VPN Clients. Certification documents: Security Target, Administrative Guide, Assurance Activity Report, and Certification Report |

International Organization for Standardization (ISO/IEC) 27001:2022

ISO/IEC 27001 is a standard that formally specifies an Information Security Management System (ISMS) that is intended to bring information security under explicit management control. This standard provides assurance that an organization manages and safeguards data according to global standards and mitigates the risk of data leaks. Certification to ISO/IEC 27001 helps organizations comply with numerous regulatory and legal requirements that relate to information security.

The following guidance provides more information about how the security capabilities of Azure Stack HCI can enable you to maintain compliance with ISO/IEC 27001:2022.

Payment Card Industry (PCI) Data Security Standards (DSS)

The Payment Card Industry (PCI) Data Security Standard (DSS) is a global information security standard designed to prevent fraud through increased control of credit card data. PCI DSS is required for organizations of any size that store, process, or transmit cardholder data. These organizations include (but aren't limited to) merchants, payment processors, issuers, acquirers, and service providers.

Azure cloud services hold PCI DSS validation that covers Azure Stack HCI, and they also offer an array of features across the hybrid environment to help you reduce the effort and cost of obtaining your own PCI DSS validation. For more information, see the following guidance.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a set of rules and regulations set forth by the U.S. Department of Health and Human Services (HHS) to protect the privacy, security, and integrity of patients' sensitive health information. HIPAA applies to any organization or individual that creates, receives, maintains, or transmits electronic protected health information (ePHI), including (but not limited to) doctors' offices, hospitals, health insurers, and other healthcare companies.

Complying with HIPAA is essential but challenging work for healthcare solution companies. If you choose Azure Stack HCI for your hybrid IT environment, you can use its built-in capabilities and cloud-integrated services to automate many aspects of achieving and maintaining HIPAA compliance. For more information, see the following guidance.

US Federal Risk and Authorization Management Program (FedRAMP)

FedRAMP offers a standardized process for evaluating, overseeing, and approving cloud computing products and services. It simplifies the adoption of secure cloud solutions for US federal agencies and enables providers like Microsoft to offer their services to those agencies. Obtaining FedRAMP authorization is crucial, but it poses a significant challenge for cloud service providers seeking to work with federal agencies. To address this, we offer guidance that clarifies the relevant services and other pertinent information to support your accreditation efforts.