🛡️ NIST 800-53 Control Mapping for Microsoft Fabric
Federal Information Security Controls Mapped to Fabric Implementations

Last Updated: 2026-05-05 | Version: 1.0.0
🎯 Overview
NIST Special Publication 800-53 Revision 5 defines security and privacy controls for federal information systems. It is the foundational control catalog for FedRAMP, FISMA, and most US federal compliance programs. This guide maps six control families (AC, AU, CM, IA, SC, SI) to Microsoft Fabric capabilities. These are the families an assessor will spend most time on for a SaaS analytics platform, but they are not the whole baseline: the remaining families (for example CA, CP, IR, RA, SA) still need their own entries in the System Security Plan.
Applicability to Fabric
NIST 800-53 applies to any Microsoft Fabric deployment that:
- Processes federal agency data (FISMA requirement)
- Operates within a FedRAMP-authorized boundary
- Is subject to agency-specific security requirements (DoD, IC, civilian)
- Handles Controlled Unclassified Information (CUI) under NIST 800-171
Control Baseline Selection
| Impact Level | Typical Use Case | Controls Required (approx.) |
|---|---|---|
| Low | Public data analytics, non-sensitive BI | ~156 controls |
| Moderate | Most federal workloads, CUI processing | ~325 controls |
| High | National security, law enforcement, PII at scale | ~421 controls |
Most Fabric deployments targeting federal use will operate at the Moderate baseline. Control counts are approximate: they differ between the NIST SP 800-53B baselines and the FedRAMP overlays, and they depend on whether control enhancements are counted separately, so cite the specific baseline document in the SSP rather than a count.
📊 Control Family Mappings
AC — Access Control
| Control ID | Control Name | Fabric Implementation | Evidence |
|---|---|---|---|
| AC-2 | Account Management | Entra ID user/group management; Fabric workspace roles (Admin, Member, Contributor, Viewer) | Entra ID audit logs, workspace role assignments |
| AC-3 | Access Enforcement | Workspace RBAC, item-level permissions, row-level security (RLS) in semantic models, OneLake data access roles | RBAC export, RLS policy definitions |
| AC-4 | Information Flow Enforcement | Sensitivity labels (MIP), DLP policies, Outbound Access Protection, managed private endpoints | DLP policy reports, OAP configuration, label audit |
| AC-5 | Separation of Duties | Distinct workspace roles; separate Admin/Member/Contributor tiers; Purview policy separation | Role assignment matrix, workspace membership list |
| AC-6 | Least Privilege | OneLake data access roles with granular folder/table permissions; item-level sharing controls | Data access role definitions, sharing reports |
| AC-7 | Unsuccessful Logon Attempts | Entra ID Smart Lockout (configurable threshold and duration) | Entra ID sign-in logs, lockout configuration |
| AC-11 | Device Lock | Intune device compliance policies that require a screen lock and inactivity timeout, enforced through Conditional Access policies that require a compliant/managed device before Fabric access; sign-in frequency controls for Fabric sessions (Fabric itself does not implement a device lock) | Intune compliance policy export, Conditional Access policy export |
| AC-17 | Remote Access | Entra ID Conditional Access; private endpoints for Fabric; VPN/ExpressRoute for on-premises gateways | Conditional Access policies, network configuration |
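The AC-5 role assignment matrix and the AC-6 least-privilege checks above are easiest to evidence from a scripted export rather than screenshots. The following is an added example, not code from the original page or from Microsoft: the rows are constructed and mirror the fields you would extract from the Fabric Admin REST API workspace access-details response (principal name, principal type, workspace role); the API call itself is left to the caller, and the admin-count threshold is an assumed local policy.

```python
"""Workspace role matrix and least-privilege checks (AC-2, AC-5, AC-6 evidence).

Added example, not from the page or from Microsoft. Rows are constructed and
mirror the fields extracted from the Fabric Admin REST API workspace
access-details response; the threshold below is an assumed local policy.
"""
from collections import defaultdict

GUEST_MARKER = "#EXT#"          # Entra ID B2B guest UPNs carry this marker
MAX_ADMINS_PER_WORKSPACE = 2    # assumed local policy limit

# Constructed sample export (not real tenant data).
SAMPLE_ACCESS = [
    {"workspace": "Finance-Prod", "principal": "alice@agency.gov", "type": "User", "role": "Admin"},
    {"workspace": "Finance-Prod", "principal": "bob@agency.gov", "type": "User", "role": "Admin"},
    {"workspace": "Finance-Prod", "principal": "carol@agency.gov", "type": "User", "role": "Admin"},
    {"workspace": "Finance-Prod", "principal": "sp-fabric-deploy", "type": "ServicePrincipal", "role": "Contributor"},
    {"workspace": "Finance-Prod", "principal": "vendor_contoso.com#EXT#@agency.gov", "type": "User", "role": "Member"},
    {"workspace": "HR-Analytics", "principal": "dave@agency.gov", "type": "User", "role": "Admin"},
    {"workspace": "HR-Analytics", "principal": "sp-fabric-deploy", "type": "ServicePrincipal", "role": "Admin"},
    {"workspace": "Sandbox", "principal": "erin@agency.gov", "type": "User", "role": "Contributor"},
]


def role_matrix(rows):
    """workspace -> principal -> role; this is the AC-5 role assignment matrix artifact."""
    matrix = defaultdict(dict)
    for r in rows:
        matrix[r["workspace"]][r["principal"]] = r["role"]
    return dict(matrix)


def least_privilege_findings(rows, max_admins=MAX_ADMINS_PER_WORKSPACE):
    """Return (workspace, code, detail) tuples for assignments that violate the checks."""
    findings = []
    by_workspace = defaultdict(list)
    for r in rows:
        by_workspace[r["workspace"]].append(r)
    for ws, members in sorted(by_workspace.items()):
        admins = [m for m in members if m["role"] == "Admin"]
        if not admins:
            findings.append((ws, "NO_ADMIN", "no Admin assigned; ownership and recovery gap"))
        elif len(admins) > max_admins:
            findings.append((ws, "EXCESS_ADMINS", f"{len(admins)} Admins, limit {max_admins}"))
        for m in members:
            # Guests should be read-only unless an exception is documented.
            if GUEST_MARKER in m["principal"] and m["role"] != "Viewer":
                findings.append((ws, "GUEST_ELEVATED", f"{m['principal']} holds {m['role']}"))
            # Deployment identities need Contributor to publish items, not Admin.
            if m["type"] == "ServicePrincipal" and m["role"] == "Admin":
                findings.append((ws, "SP_ADMIN", f"{m['principal']} holds Admin"))
    return findings


if __name__ == "__main__":
    for ws, assignments in role_matrix(SAMPLE_ACCESS).items():
        print(ws, assignments)
    for ws, code, detail in least_privilege_findings(SAMPLE_ACCESS):
        print(f"{ws}: {code}: {detail}")
```

Run it against a live export by replacing `SAMPLE_ACCESS` with the flattened Admin API response; the findings list doubles as the AC-6 review record, and a workspace with no Admin is flagged because orphaned workspaces are a recovery problem, not just a hygiene one.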
AU — Audit and Accountability
| Control ID | Control Name | Fabric Implementation | Evidence |
|---|---|---|---|
| AU-2 | Event Logging | Fabric Admin audit logs (user activity, admin operations); SQL audit logs; Entra ID sign-in/audit logs | Audit log configuration, log retention settings |
| AU-3 | Content of Audit Records | Fabric audit events include: user identity, timestamp, operation type, item name, workspace, result status | Sample audit log entries showing required fields |
| AU-4 | Audit Log Storage Capacity | Azure Monitor Log Analytics workspace: interactive retention configurable up to 730 days, long-term retention up to 12 years on the same table; optional continuous export to a Storage Account | Log Analytics retention config, export/archive policy |
| AU-6 | Audit Record Review | Power BI monitoring workspace; custom KQL dashboards in Eventhouse; SIEM integration (Microsoft Sentinel) | Monitoring dashboard screenshots, Sentinel rules |
| AU-8 | Time Stamps | All Fabric audit events carry UTC timestamps; the platform clock source is Microsoft-managed, so customer evidence is the timestamp format and source, not clock configuration | Sample log entries with UTC timestamps |
| AU-9 | Protection of Audit Information | Audit logs stored in Microsoft-managed infrastructure; customer copies protected via Storage Account RBAC and immutability policies | Storage immutability policy, RBAC on log storage |
| AU-11 | Audit Record Retention | Log Analytics interactive retention (up to 730 days) plus long-term retention (up to 12 years); archive to immutable blob storage for agency-specific schedules beyond that | Retention policy settings documentation |
| AU-12 | Audit Record Generation | Automatic audit event generation for user and admin operations in the unified audit log; SQL Database audit logging; Entra sign-in events | Audit log sources configuration |
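AU-3 asks whether every record carries the required fields, and AU-6 asks whether anyone looks at them. Both can be automated over an exported batch of events. The following is an added example, not code from the original page or from Microsoft: the records are constructed, their field names follow the AU-3 fields listed above (user, timestamp, operation, item, workspace, result), and the operation names are illustrative, so map them to the real unified audit log schema before running this over exported logs.

```python
"""AU-3 record completeness and AU-6 review rules over Fabric audit events.

Added example, not from the page or from Microsoft. Records are constructed;
field and operation names are illustrative and must be mapped to the real
unified audit log schema before use.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

REQUIRED_FIELDS = ("CreationTime", "UserId", "Operation", "ItemName", "WorkspaceName", "ResultStatus")
GUEST_MARKER = "#EXT#"
EXFIL_OPS = {"ExportReport", "ShareReport", "ExportArtifact"}   # illustrative operation names
ADMIN_OPS = {"UpdatedAdminFeatureSwitch"}                       # tenant setting changes
ROLE_OPS = {"AddGroupMembers", "UpdateGroupMembers"}            # workspace role grants

# Constructed sample events (not real tenant data).
SAMPLE_EVENTS = [
    {"CreationTime": "2026-05-01T13:00:00Z", "UserId": "alice@agency.gov", "Operation": "ViewReport",
     "ItemName": "Q3 Spend", "WorkspaceName": "Finance-Prod", "ResultStatus": "Succeeded"},
    {"CreationTime": "2026-05-01T13:01:10Z", "UserId": "vendor_contoso.com#EXT#@agency.gov",
     "Operation": "ExportReport", "ItemName": "Q3 Spend", "WorkspaceName": "Finance-Prod", "ResultStatus": "Succeeded"},
    {"CreationTime": "2026-05-01T13:02:00Z", "UserId": "bob@agency.gov", "Operation": "UpdatedAdminFeatureSwitch",
     "ItemName": "PublishToWeb", "WorkspaceName": "(tenant)", "ResultStatus": "Succeeded"},
    {"CreationTime": "2026-05-01T13:05:00Z", "UserId": "mallory@agency.gov", "Operation": "ViewReport",
     "ItemName": "Payroll", "WorkspaceName": "HR-Analytics", "ResultStatus": "Failed"},
    {"CreationTime": "2026-05-01T13:06:30Z", "UserId": "mallory@agency.gov", "Operation": "ViewReport",
     "ItemName": "Payroll", "WorkspaceName": "HR-Analytics", "ResultStatus": "Failed"},
    {"CreationTime": "2026-05-01T13:08:00Z", "UserId": "mallory@agency.gov", "Operation": "ViewReport",
     "ItemName": "Payroll", "WorkspaceName": "HR-Analytics", "ResultStatus": "Failed"},
    {"CreationTime": "2026-05-01T13:09:00Z", "UserId": "carol@agency.gov", "Operation": "AddGroupMembers",
     "ItemName": "HR-Analytics", "WorkspaceName": "HR-Analytics", "ResultStatus": "Succeeded"},
    {"CreationTime": "2026-05-01T13:10:00Z", "UserId": "erin@agency.gov", "Operation": "ViewReport",
     "ItemName": "Q3 Spend", "WorkspaceName": "Finance-Prod"},   # ResultStatus missing: fails AU-3
]


def parse_utc(ts):
    """AU-8: accept only ISO 8601 UTC ('Z') timestamps; anything else is a record defect."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def incomplete_records(events):
    """AU-3: (index, missing-field list) for records lacking a required field or a valid UTC timestamp."""
    bad = []
    for i, e in enumerate(events):
        missing = [f for f in REQUIRED_FIELDS if not e.get(f)]
        ts = e.get("CreationTime")
        if ts:
            try:
                parse_utc(ts)
            except ValueError:
                missing.append("CreationTime(format)")
        if missing:
            bad.append((i, missing))
    return bad


def failed_bursts(events, threshold=3, window_minutes=10):
    """Users with `threshold` failed operations inside `window_minutes` (probing or a broken client)."""
    window = timedelta(minutes=window_minutes)
    times = defaultdict(list)
    for e in events:
        if e["ResultStatus"] == "Failed":
            times[e["UserId"]].append(parse_utc(e["CreationTime"]))
    hits = []
    for user, ts in times.items():
        ts.sort()
        if any(ts[i + threshold - 1] - ts[i] <= window for i in range(len(ts) - threshold + 1)):
            hits.append(user)
    return hits


def review(events):
    """AU-6 review: (code, user, detail) findings; incomplete records are reported, then excluded."""
    bad = {i for i, _ in incomplete_records(events)}
    findings = [("INCOMPLETE_RECORD", events[i].get("UserId", "?"), f"record {i}") for i in sorted(bad)]
    clean = [e for i, e in enumerate(events) if i not in bad]
    for e in clean:
        if e["Operation"] in EXFIL_OPS and GUEST_MARKER in e["UserId"]:
            findings.append(("GUEST_EXPORT", e["UserId"], f"{e['Operation']} on {e['ItemName']}"))
        if e["Operation"] in ADMIN_OPS:
            findings.append(("TENANT_SETTING_CHANGE", e["UserId"], e["ItemName"]))
        if e["Operation"] in ROLE_OPS:
            findings.append(("ROLE_GRANT", e["UserId"], e["WorkspaceName"]))
    for user in failed_bursts(clean):
        findings.append(("FAILED_BURST", user, "3+ failures inside 10 minutes"))
    return findings


if __name__ == "__main__":
    for code, user, detail in review(SAMPLE_EVENTS):
        print(f"{code:22} {user:40} {detail}")
```

Incomplete records are reported rather than silently dropped because a gap in AU-3 coverage is itself a finding; the same rules translate directly into Sentinel analytics rules once the operation names are mapped to the real schema.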
CM — Configuration Management
| Control ID | Control Name | Fabric Implementation | Evidence |
|---|---|---|---|
| CM-2 | Baseline Configuration | Bicep/ARM templates for infrastructure deployment; fabric-cicd for Fabric item deployment; tenant settings baseline | IaC templates in source control, tenant settings export |
| CM-3 | Configuration Change Control | GitHub Actions CI/CD pipeline with PR review gates; fabric-cicd deployment with approvals | Git history, PR approval records, deployment logs |
| CM-5 | Access Restrictions for Change | Branch protection rules; deployment service principal with scoped permissions; admin-only tenant settings | Branch protection config, SP role assignments |
| CM-6 | Configuration Settings | Tenant admin settings documented and version-controlled; workspace settings via API; Bicep parameter files | Tenant settings export, parameter files in Git |
| CM-7 | Least Functionality | Disable unused features in tenant settings and scope the features that stay enabled to security groups where the setting supports it; restrict export formats; block external sharing unless required | Tenant settings export showing disabled and group-scoped features |
| CM-8 | System Component Inventory | Fabric Admin API for workspace/item inventory; OneLake Catalog for data asset discovery; Purview data map | Admin API inventory export, Catalog screenshots |
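CM-2, CM-6 and CM-7 all come down to the same question: does the live tenant still match the baseline that is in source control? The following drift check is an added example, not code from the original page or from Microsoft. `LIVE_EXPORT` is a constructed payload shaped like the Fabric Admin REST API tenant settings response as I understand it (`settingName`, `enabled`, `canSpecifySecurityGroups`, `enabledSecurityGroups`); the setting names and the baseline are illustrative, so verify both against your tenant before wiring this into a pipeline.

```python
"""Tenant settings baseline drift check (CM-2, CM-6, CM-7 evidence; CM-3 pipeline gate).

Added example, not from the page or from Microsoft. LIVE_EXPORT is constructed
and shaped like the Admin API tenant settings response (field names are an
assumption); setting names and the baseline are illustrative.
"""

# Version-controlled baseline (illustrative): desired state per setting.
# "scoped": True means the feature may be on only for named security groups, never tenant-wide.
BASELINE = {
    "PublishToWeb":           {"enabled": False, "scoped": False},
    "ExportToExcel":          {"enabled": True,  "scoped": True},
    "AllowExternalSharing":   {"enabled": False, "scoped": False},
    "ServicePrincipalAccess": {"enabled": True,  "scoped": True},
}

# Constructed live export (not real tenant data).
LIVE_EXPORT = {"tenantSettings": [
    {"settingName": "PublishToWeb", "enabled": False, "canSpecifySecurityGroups": True, "enabledSecurityGroups": []},
    {"settingName": "ExportToExcel", "enabled": True, "canSpecifySecurityGroups": True, "enabledSecurityGroups": []},
    {"settingName": "AllowExternalSharing", "enabled": True, "canSpecifySecurityGroups": True,
     "enabledSecurityGroups": [{"graphId": "11111111-2222-3333-4444-555555555555", "name": "SG-Fabric-ExternalShare"}]},
    {"settingName": "CopilotExperiences", "enabled": True, "canSpecifySecurityGroups": True, "enabledSecurityGroups": []},
]}

BLOCKING = ("ENABLED_DRIFT", "UNSCOPED", "MISSING")   # finding codes that should fail a deployment


def drift(baseline, export):
    """Return (setting, code, detail) findings comparing the live export against the baseline."""
    live = {s["settingName"]: s for s in export["tenantSettings"]}
    findings = []
    for name, want in sorted(baseline.items()):
        s = live.get(name)
        if s is None:
            findings.append((name, "MISSING", "not present in export; baseline stale or API changed"))
            continue
        if s["enabled"] != want["enabled"]:
            findings.append((name, "ENABLED_DRIFT", f"live={s['enabled']} baseline={want['enabled']}"))
        elif want["enabled"] and want["scoped"] and not s.get("enabledSecurityGroups"):
            # Enabled with no group list means enabled for the whole tenant.
            findings.append((name, "UNSCOPED", "enabled tenant-wide; baseline requires security-group scope"))
    for name, s in sorted(live.items()):
        # New features Microsoft ships enabled by default show up here (CM-7: review or disable).
        if name not in baseline and s["enabled"]:
            findings.append((name, "UNTRACKED_ENABLED", "enabled but not in baseline"))
    return findings


def pipeline_passes(findings, blocking=BLOCKING):
    """CM-3 gate: False if any blocking finding is present; untracked settings only warn."""
    return not any(code in blocking for _, code, _ in findings)


if __name__ == "__main__":
    results = drift(BASELINE, LIVE_EXPORT)
    for name, code, detail in results:
        print(f"{code:18} {name:24} {detail}")
    print("gate:", "pass" if pipeline_passes(results) else "FAIL")
```

Treat `MISSING` as blocking rather than informational: a setting that disappears from the export usually means the API or the setting name changed, and a baseline that silently stops checking a control is worse than one that fails loudly.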
IA — Identification and Authentication
| Control ID | Control Name | Fabric Implementation | Evidence |
|---|---|---|---|
| IA-2 | Identification and Authentication | Entra ID authentication required for all Fabric access; MFA enforcement via Conditional Access | Conditional Access policies requiring MFA |
| IA-2(1) | MFA to Privileged Accounts | Conditional Access policy requiring MFA for Fabric Admin and workspace Admin roles | CA policy targeting privileged roles |
| IA-2(2) | MFA to Non-Privileged Accounts | Conditional Access policy requiring MFA for all Fabric users | CA policy targeting all users |
| IA-4 | Identifier Management | Entra ID manages all user identifiers; service principals for automation; managed identities for Fabric workspaces | Entra ID user/SP inventory |
| IA-5 | Authenticator Management | Entra ID password policies, FIDO2/passkey support, certificate-based auth, Authenticator app | Authentication methods policy |
| IA-8 | Identification and Authentication (Non-Org Users) | Entra ID B2B guest access with MFA; external sharing controls in tenant settings | B2B configuration, guest access policies |
SC — System and Communications Protection
| Control ID | Control Name | Fabric Implementation | Evidence |
|---|---|---|---|
| SC-7 | Boundary Protection | Managed VNet for Fabric; private endpoints; Outbound Access Protection; IP firewall rules | Network config, OAP settings, firewall rules |
| SC-8 | Transmission Confidentiality and Integrity | TLS 1.2+ enforced for all Fabric communications; HTTPS-only access | TLS configuration, network trace showing TLS version |
| SC-8(1) | Cryptographic Protection | TLS 1.2+ with strong cipher suites for data in transit | SSL/TLS configuration audit |
| SC-12 | Cryptographic Key Management | Azure Key Vault for CMK; Microsoft-managed keys for platform encryption; Key Vault rotation policy for automatic key rotation | Key Vault audit logs, rotation policy |
| SC-13 | Cryptographic Protection | AES-256 encryption at rest (OneLake, SQL Database); TLS 1.2+ in transit; CMK option for SQL Database | Encryption configuration, CMK status |
| SC-28 | Protection of Information at Rest | OneLake encryption at rest (Microsoft-managed); SQL Database TDE with CMK option; Storage Account SSE | Encryption status reports |
| SC-28(1) | Cryptographic Protection of Stored Information | AES-256 for all data at rest; CMK via Azure Key Vault for SQL Database and Storage Account | CMK configuration, Key Vault audit |
SI — System and Information Integrity
| Control ID | Control Name | Fabric Implementation | Evidence |
|---|---|---|---|
| SI-2 | Flaw Remediation | Microsoft manages platform patching; Spark Runtime updates (customer-initiated migration); dependency scanning in CI/CD | Spark runtime version, CI scan results |
| SI-3 | Malicious Code Protection | Platform-level scanning is Microsoft's responsibility and customers cannot install OS-level software, but Spark notebooks and Environment items can install arbitrary libraries (pip/conda packages, JARs, wheels), so restrict custom libraries to approved Environments and scan them in CI/CD; Microsoft Defender for Cloud covers the adjacent Azure resources (SQL, Storage) | Environment library allowlist, CI scan results, Defender for Cloud status |
| SI-4 | System Monitoring | Fabric Admin monitoring workspace; Azure Monitor integration; Microsoft Sentinel SIEM; KQL dashboards in Eventhouse | Monitoring dashboard, Sentinel workbook |
| SI-5 | Security Alerts and Advisories | Microsoft Service Health notifications; Fabric release notes; Azure Advisor security recommendations | Service Health subscription, Advisor findings |
| SI-7 | Software and Information Integrity | Git-based source control for notebooks/pipelines; fabric-cicd deployment pinned to a reviewed Git commit; Delta Lake ACID transactions | Git commit history, deployment logs referencing the deployed commit, Delta transaction logs |
| SI-12 | Information Management and Retention | Fabric retention policies; Data Lifecycle Management in Purview; configurable audit log retention | Retention policy settings, Purview DLM config |
🤝 Shared Responsibility Model
| Control Area | Microsoft Responsibility | Customer Responsibility |
|---|---|---|
| Physical Security (PE) | Full datacenter physical security, environmental controls | Physical security of customer-hosted components only (on-premises data gateway hosts, admin workstations) |
| Access Control (AC) | Entra ID platform, MFA infrastructure, platform RBAC engine | User provisioning, role assignments, RLS policies, least privilege enforcement |
| Audit (AU) | Audit event generation, platform log infrastructure | Log collection configuration, retention settings, SIEM integration, log review |
| Configuration (CM) | Platform updates, runtime patching, infrastructure baseline | Tenant settings configuration, IaC templates, CI/CD pipeline, change management |
| Authentication (IA) | Entra ID infrastructure, MFA services, identity platform | MFA policy enforcement, authentication method selection, guest access policies |
| Communications (SC) | TLS enforcement, platform encryption, network backbone | Private endpoint configuration, CMK setup, firewall rules, VNet integration |
| Integrity (SI) | Platform patching, malware scanning, service health | Runtime version management, custom library governance, CI/CD scanning, monitoring dashboard setup |
⚠️ Gap Analysis and Limitations
| Gap | NIST Control | Impact | Compensating Control |
|---|---|---|---|
| OneLake does not support CMK | SC-12, SC-28(1) | Data at rest uses Microsoft-managed keys only for Lakehouse data | Document MMK as acceptable per ATO; use CMK for SQL Database tier |
| No native SIEM in Fabric | AU-6, SI-4 | Audit log review requires external tooling | Integrate with Microsoft Sentinel or third-party SIEM |
| Limited network segmentation within Fabric | SC-7 | Workspaces share tenant network boundary | Use managed VNet, private endpoints, and OAP for isolation |
| Spark runtime patching is customer-initiated | SI-2 | Requires customer action to migrate to patched runtimes | Establish runtime migration SOP; monitor for deprecation notices |
| No FIPS 140-2 validated encryption modules documented for Fabric | SC-13 | May not satisfy High baseline crypto requirements | Request Microsoft attestation; use Azure Government for High workloads |
| Fabric not yet FedRAMP High authorized | Multiple | Limits use for High-impact federal systems | Use Fabric in Azure Government when available; apply compensating controls |
| Log Analytics interactive retention capped at 730 days | AU-11 | Agencies that need longer retention must plan for it; data older than the interactive window is slower and costlier to query | Use Log Analytics long-term retention (up to 12 years) on the table, or archive to immutable blob storage with lifecycle policies; document the retrieval procedure for archived logs |
✅ Implementation Checklist
📚 References
Internal Best-Practices
| Guide | Relevant Controls |
|---|---|
| Customer-Managed Keys | SC-12, SC-13, SC-28 |
| SQL Audit Logs Compliance | AU-2, AU-3, AU-4, AU-6, AU-11 |
| Identity & RBAC Patterns | AC-2, AC-3, AC-5, AC-6, IA-2, IA-4 |
| Network Security | SC-7, SC-8, AC-17 |
| Outbound Access Protection | SC-7, AC-4 |
| Monitoring & Observability | AU-6, SI-4, SI-5 |
| fabric-cicd Deployment | CM-2, CM-3, CM-5, SI-7 |
| Spark Runtime Migration | SI-2 |
| Data Governance Deep Dive | AC-4, CM-8, SI-12 |
External References
This mapping is based on NIST 800-53 Rev. 5 and Microsoft Fabric capabilities as of May 2026. Validate against your agency's specific System Security Plan (SSP) requirements.