| 1.12 Set 'Disable the Office client from polling the SharePoint Server for published links' to 'Enabled' | CIS MS Office Outlook 2010 v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 2.3.1.3 Ensure 'Accounts: Guest account status' is set to 'Disabled' (STIG only) | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG DC | Windows | IDENTIFICATION AND AUTHENTICATION |
| 2.3.6.2 (L1) Ensure 'Disable UI extending from documents and templates' is set to 'Enabled' | CIS Microsoft Intune for Office v1.1.0 L1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.7.10 Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or 'Force Logoff' (STIG DC & MS only) | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG MS | Windows | ACCESS CONTROL |
| 2.3.18.5 Ensure 'Prevent users from changing permissions on rights managed content' is set to 'Disabled' | CIS Microsoft Office Enterprise v1.2.0 L1 | Windows | ACCESS CONTROL, MEDIA PROTECTION |
| 2.3.27.11 (L1) Ensure 'Disable password to open UI' is set to 'Disabled' | CIS Microsoft Intune for Office v1.1.0 L1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.27.18 Ensure 'Protect document metadata for rights managed Office Open XML Files' is set to 'Enabled' | CIS Microsoft Office Enterprise v1.2.0 L1 | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.28.2 Ensure 'Disable the Office client from polling the SharePoint Server for published links' is set to 'Enabled' | CIS Microsoft Office Enterprise v1.2.0 L1 | Windows | CONFIGURATION MANAGEMENT |
| 2.26.2 Ensure 'Disable The Office Client From Polling The SharePoint Server For Published Links' is set to Enabled | CIS Microsoft Office 2016 v1.1.0 | Windows | CONFIGURATION MANAGEMENT |
| 2.34.2.1 Ensure 'Online Content Options' is set to Enabled (Allow Office to connect to the internet) | CIS Microsoft Office 2016 v1.1.0 | Windows | CONFIGURATION MANAGEMENT |
| 17.2.5 Ensure 'Audit Other Account Management Events' is set to include 'Success' (STIG Only) | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG DC | Windows | AUDIT AND ACCOUNTABILITY |
| 17.2.5 Ensure 'Audit Other Account Management Events' is set to include 'Success' (STIG Only) | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | AUDIT AND ACCOUNTABILITY |
| 20.30 Ensure 'FTP servers must be configured to prevent anonymous logons' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG MS | Windows | CONFIGURATION MANAGEMENT |
| 20.30 Ensure 'FTP servers must be configured to prevent anonymous logons' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | CONFIGURATION MANAGEMENT |
| 20.30 Ensure 'FTP servers must be configured to prevent anonymous logons' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG DC | Windows | CONFIGURATION MANAGEMENT |
| 20.30 Ensure 'FTP servers must be configured to prevent anonymous logons' (STIG only) | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG DC | Windows | CONFIGURATION MANAGEMENT |
| ALMA-09-018830 - AlmaLinux OS 9 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | DISA CloudLinux AlmaLinux OS 9 STIG v1r2 | Unix | CONFIGURATION MANAGEMENT |
| APPL-13-000005 - The macOS system must be configured to lock the user session when a smart token is removed. | DISA STIG Apple macOS 13 v1r5 | Unix | ACCESS CONTROL |
| Automatically activate Office with federated organization credentials | MSCT M365 Apps for enterprise 2312 v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Automatically activate Office with federated organization credentials | MSCT Microsoft 365 Apps for Enterprise 2112 v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Automatically activate Office with federated organization credentials | Microsoft 365 Apps for Enterprise 2306 v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Automatically activate Office with federated organization credentials | MSCT M365 Apps for enterprise 2412 v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Automatically activate Office with federated organization credentials | MSCT Microsoft 365 Apps for Enterprise 2206 v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| DTOO199 - Changing permissions on rights managed content for users must be enforced. | DISA STIG Microsoft Office System 2013 v2r2 | Windows | ACCESS CONTROL |
| DTOO199 - Office System - Changing permissions on rights managed content for users must be enforced. | DISA STIG Office System 2010 v1r13 | Windows | ACCESS CONTROL |
| DTOO426 - Word must be configured to warn when opening a document with custom XML markup. | DISA STIG Microsoft Word 2013 v1r7 | Windows | CONFIGURATION MANAGEMENT |
| F5BI-AP-000147 - The BIG-IP APM module access policy profile must be configured to automatically terminate user sessions for users connected to virtual servers when organization-defined conditions or trigger events occur that require a session disconnect. | DISA F5 BIG-IP Access Policy Manager STIG v2r4 | F5 | ACCESS CONTROL |
| F5BI-AP-000242 - The F5 BIG-IP appliance must be configured to enable the 'Secure' cookie flag - Secure cookie flag. | DISA F5 BIG-IP Access Policy Manager STIG v2r4 | F5 | SYSTEM AND COMMUNICATIONS PROTECTION |
| O365-CO-000004 - Custom user interface (UI) code must be blocked from loading in all Office applications. | DISA STIG Microsoft Office 365 ProPlus v3r3 | Windows | CONFIGURATION MANAGEMENT |
| VCFL-67-000027 - Rsyslog must be configured to monitor and ship vSphere Client log files - access | DISA STIG VMware vSphere 6.7 Virgo Client v1r2 | Unix | AUDIT AND ACCOUNTABILITY |
| VCFL-67-000027 - Rsyslog must be configured to monitor and ship vSphere Client log files - runtime | DISA STIG VMware vSphere 6.7 Virgo Client v1r2 | Unix | AUDIT AND ACCOUNTABILITY |
| VCUI-67-000027 - vSphere UI log files must be moved to a permanent repository in accordance with site policy - access | DISA STIG VMware vSphere 6.7 UI Tomcat v1r3 | Unix | AUDIT AND ACCOUNTABILITY |
| VCUI-67-000027 - vSphere UI log files must be moved to a permanent repository in accordance with site policy - runtime | DISA STIG VMware vSphere 6.7 UI Tomcat v1r3 | Unix | AUDIT AND ACCOUNTABILITY |
| WPAW-00-000100 - Administrators of high-value IT resources must complete required training. | DISA MS Windows Privileged Access Workstation v3r1 | Windows | AWARENESS AND TRAINING, CONFIGURATION MANAGEMENT |
| WPAW-00-000200 - Site IT resources designated as high value by the Authorizing Official (AO) must be remotely managed only via a Windows privileged access workstation (PAW) - AO must be remotely managed only via PAW | DISA MS Windows Privileged Access Workstation v3r1 | Windows | CONFIGURATION MANAGEMENT |
| WPAW-00-000400 - Administrative accounts of all high-value IT resources must be assigned to a specific administrative tier in Active Directory to separate highly privileged administrative accounts from less privileged administrative accounts. | DISA MS Windows Privileged Access Workstation v3r1 | Windows | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| WPAW-00-000500 - A Windows PAW must only be used to manage high-value IT resources assigned to the same tier. | DISA MS Windows Privileged Access Workstation v3r1 | Windows | CONFIGURATION MANAGEMENT |
| WPAW-00-000600 - All high-value IT resources must be assigned to a specific administrative tier to separate highly sensitive resources from less sensitive resources. | DISA MS Windows Privileged Access Workstation v3r1 | Windows | CONFIGURATION MANAGEMENT |
| WPAW-00-000700 - The Windows PAW must be configured with a vendor-supported version of Windows 11 and applicable security patches that are DOD approved. | DISA MS Windows Privileged Access Workstation v3r1 | Windows | CONFIGURATION MANAGEMENT |
| WPAW-00-000800 - A Windows update service must be available to provide software updates for the PAW platform. | DISA MS Windows Privileged Access Workstation v3r1 | Windows | CONFIGURATION MANAGEMENT |
| WPAW-00-001060 - Device Guard Code Integrity Policy must be used on the Windows PAW to restrict applications that can run on the system (Device Guard User Mode Code Integrity). | DISA MS Windows Privileged Access Workstation v3r1 | Windows | CONFIGURATION MANAGEMENT |
| WPAW-00-001100 - Windows PAWs must be restricted to only allow groups used to manage high-value IT resources and members of the local Administrators group to log on locally. | DISA MS Windows Privileged Access Workstation v3r1 | Windows | CONFIGURATION MANAGEMENT |
| WPAW-00-001500 - In a Windows PAW, administrator accounts used for maintaining the PAW must be separate from administrative accounts used to manage high-value IT resources. | DISA MS Windows Privileged Access Workstation v3r1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| WPAW-00-001600 - The Windows PAW must be configured to enforce two-factor authentication and use Active Directory for authentication management. | DISA MS Windows Privileged Access Workstation v3r1 | Windows | IDENTIFICATION AND AUTHENTICATION |
| WPAW-00-001700 - The Windows PAW must use a trusted channel for all connections between a PAW and IT resources managed from the PAW. | DISA MS Windows Privileged Access Workstation v3r1 | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| WPAW-00-001800 - If several Windows PAWs are set up in virtual machines (VMs) on a host server, the host server must only contain PAW VMs. | DISA MS Windows Privileged Access Workstation v3r1 | Windows | CONFIGURATION MANAGEMENT |
| WPAW-00-002200 - The Windows PAW must be configured so that all outbound connections to the Internet from a PAW are blocked. | DISA MS Windows Privileged Access Workstation v3r1 | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| WPAW-00-002400 - Local privileged groups (excluding Administrators) on the Windows PAW must be restricted to include no members - excluding Administrators on the Windows PAW must be restricted to include no members | DISA MS Windows Privileged Access Workstation v3r1 | Windows | CONFIGURATION MANAGEMENT |
| WPAW-00-002500 - Restricted remote administration must be enabled for high-value systems. | DISA MS Windows Privileged Access Workstation v3r1 | Windows | CONFIGURATION MANAGEMENT |
| WPAW-00-002600 - If several PAWs are set up in virtual machines (VMs) on a host server, domain administrative accounts used to manage high-value IT resources must not have access to the VM host operating system (OS) (only domain administrative accounts designated to manage PAWs should be able to access the VM host OS). | DISA MS Windows Privileged Access Workstation v3r1 | Windows | CONFIGURATION MANAGEMENT |
