| 1.1 (L1) Host hardware must have auditable, authentic, and up to date system & device firmware | SYSTEM AND SERVICES ACQUISITION |
| 1.2 (L1) Host hardware must enable UEFI Secure Boot | SYSTEM AND SERVICES ACQUISITION |
| 1.3 (L1) Host hardware must enable Intel TXT, if available | CONFIGURATION MANAGEMENT, MAINTENANCE |
| 1.4 (L1) Host hardware must enable and configure a TPM 2.0 | CONFIGURATION MANAGEMENT, MAINTENANCE |
| 1.5 (L1) Host integrated hardware management controller must be secure | CONFIGURATION MANAGEMENT, MAINTENANCE |
| 1.6 (L1) Host integrated hardware management controller must enable time synchronization | CONFIGURATION MANAGEMENT, MAINTENANCE |
| 1.7 (L1) Host integrated hardware management controller must enable remote logging of events | AUDIT AND ACCOUNTABILITY |
| 2.1 (L1) Host must run software that has not reached End of General Support status | SYSTEM AND SERVICES ACQUISITION |
| 2.2 (L1) Host must have all software updates installed | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 2.3 (L1) Host must enable Secure Boot enforcement | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.5 (L1) Host must only run binaries delivered via signed VIB | CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| 2.6 (L1) Host must have reliable time synchronization sources | AUDIT AND ACCOUNTABILITY |
| 2.7 (L1) Host must have time synchronization services enabled and running | AUDIT AND ACCOUNTABILITY |
| 2.8 (L1) Host must require TPM-based configuration encryption | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.9 (L1) Host must not suppress warnings about unmitigated hyperthreading vulnerabilities | AUDIT AND ACCOUNTABILITY |
| 2.10 (L1) Host must restrict inter-VM transparent page sharing | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 3.1 (L1) Host should deactivate SSH | CONFIGURATION MANAGEMENT |
| 3.2 (L1) Host must deactivate the ESXi shell | CONFIGURATION MANAGEMENT |
| 3.3 (L1) Host must deactivate the ESXi Managed Object Browser (MOB) | ACCESS CONTROL, MEDIA PROTECTION |
| 3.4 (L1) Host must deactivate SLP | CONFIGURATION MANAGEMENT |
| 3.5 (L1) Host must deactivate CIM | CONFIGURATION MANAGEMENT |
| 3.6 (L1) Host should deactivate SNMP | CONFIGURATION MANAGEMENT |
| 3.7 (L1) Host must automatically terminate idle DCUI sessions | ACCESS CONTROL |
| 3.8 (L1) Host must automatically terminate idle shells | ACCESS CONTROL |
| 3.9 (L1) Host must automatically deactivate shell services | ACCESS CONTROL |
| 3.10 (L1) Host must not suppress warnings that the shell is enabled | SYSTEM AND INFORMATION INTEGRITY |
| 3.11 (L1) Host must enforce password complexity | IDENTIFICATION AND AUTHENTICATION |
| 3.12 (L1) Host must lock an account after a specified number of failed login attempts | ACCESS CONTROL |
| 3.13 (L1) Host must unlock accounts after a specified timeout period | ACCESS CONTROL |
| 3.14 (L1) Host must configure the password history setting to restrict the reuse of passwords | IDENTIFICATION AND AUTHENTICATION |
| 3.15 (L1) Host must be configured with an appropriate maximum password age | IDENTIFICATION AND AUTHENTICATION |
| 3.16 (L1) Host must configure a session timeout for the API | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.17 (L1) Host must automatically terminate idle host client sessions | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.18 (L1) Host must have an accurate DCUI.Access list | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.19 (L1) Host must have an accurate Exception Users list | ACCESS CONTROL, MEDIA PROTECTION |
| 3.20 (L1) Host must enable normal lockdown mode | ACCESS CONTROL |
| 3.22 (L1) Host must deny shell access for the dcui account | CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| 3.24 (L1) Host must display a login banner for the DCUI and Host Client | CONFIGURATION MANAGEMENT, MAINTENANCE |
| 3.25 (L1) Host must display a login banner for SSH connections | CONFIGURATION MANAGEMENT, MAINTENANCE |
| 3.26 (L1) Host must enable the highest version of TLS supported | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1 (L1) Host must configure a persistent log location for all locally stored system logs | AUDIT AND ACCOUNTABILITY |
| 4.2 (L1) Host must transmit system logs to a remote log collector | AUDIT AND ACCOUNTABILITY |
| 4.3 (L1) Host must log sufficient information for events | AUDIT AND ACCOUNTABILITY |
| 4.4 (L1) Host must set the logging informational level to info | AUDIT AND ACCOUNTABILITY |
| 4.5 (L1) Host must deactivate log filtering | AUDIT AND ACCOUNTABILITY |
| 4.6 (L1) Host must enable audit record logging | AUDIT AND ACCOUNTABILITY |
| 4.7 (L1) Host must configure a persistent log location for all locally stored audit records | AUDIT AND ACCOUNTABILITY |
| 4.8 (L1) Host must store one week of audit records | AUDIT AND ACCOUNTABILITY |
| 4.9 (L1) Host must transmit audit records to a remote log collector | AUDIT AND ACCOUNTABILITY |
| 4.10 (L1) Host must verify certificates for TLS remote logging endpoints | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
