| 1.1.5.2 Ensure 'Hide option to enable or disable updates' is set to 'Enabled' | CIS Microsoft Office Enterprise v1.2.0 L1 | Windows | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 2.2.26 Ensure 'Deny log on as a service' to include 'No one' (STIG DC only) | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG DC | Windows | ACCESS CONTROL |
| 2.2.29 Ensure 'Deny log on as a service' to include 'No one' (STIG DC only) | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | ACCESS CONTROL |
| 2.2.29 Ensure 'Deny log on as a service' to include 'No one' (STIG DC only) | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG DC | Windows | ACCESS CONTROL |
| 2.2.30 Ensure 'Deny log on as a service' to include 'Enterprise Admins Group and Domain Admins Group' (STIG MS only) | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG MS | Windows | ACCESS CONTROL |
| 2.2.30 Ensure 'Deny log on as a service' to include 'Enterprise Admins Group and Domain Admins Group' (STIG MS only) | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG MS | Windows | ACCESS CONTROL |
| 2.3.14.1 Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User must enter a password each time they use a key' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG MS | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.14.1 Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User must enter a password each time they use a key' | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG MS | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.14.1 Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User must enter a password each time they use a key' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.14.1 Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User must enter a password each time they use a key' | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG DC | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.14.1 Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User must enter a password each time they use a key' (STIG only) | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3.19.5 (L1) Ensure 'Prevent users from changing permissions on rights managed content' is set to 'Disabled' | CIS Microsoft Intune for Office v1.1.0 L1 | Windows | ACCESS CONTROL, MEDIA PROTECTION |
| 2.3.25.1.5 Ensure 'Send personal information' is set to 'Disabled' | CIS Microsoft Office Enterprise v1.2.0 L1 | Windows | CONFIGURATION MANAGEMENT |
| 2.3.31.1 Ensure 'Legacy format signatures' is set to 'Disabled' | CIS Microsoft Office Enterprise v1.2.0 L1 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 2.17.1 Ensure 'Prevent Users From Changing Permissions on Rights Managed Content' is set to Disabled | CIS Microsoft Office 2016 v1.1.0 | Windows | ACCESS CONTROL |
| 2.24.1.6 Ensure Set 'Automatically Receive Small Updates to Improve Reliability' is set to Disabled | CIS Microsoft Office 2016 v1.1.0 | Windows | CONFIGURATION MANAGEMENT |
| 2.25.5 Ensure 'Protect Document Metadata for Rights Managed Office Open XML Files' is set to Enabled | CIS Microsoft Office 2016 v1.1.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.6 Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled' | CIS Windows 7 Workstation Level 1 v3.2.0 | Windows | CONFIGURATION MANAGEMENT |
| 5.9 (L1) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled' | CIS Microsoft Windows 10 Enterprise v4.0.0 L1 BL | Windows | CONFIGURATION MANAGEMENT |
| 5.9 (L1) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled' | CIS Microsoft Windows 10 Enterprise v4.0.0 L1 | Windows | CONFIGURATION MANAGEMENT |
| 5.9 (L1) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled' | CIS Microsoft Windows 10 Stand-alone v4.0.0 L1 BL NG | Windows | CONFIGURATION MANAGEMENT |
| 20.7 Ensure 'Active Directory Group Policy objects have proper access control permissions' (STIG DC only) | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG DC | Windows | ACCESS CONTROL |
| 20.7 Ensure 'Active Directory Group Policy objects have proper access control permissions' (STIG DC only) | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG DC | Windows | ACCESS CONTROL |
| 20.7 Ensure 'Active Directory Group Policy objects have proper access control permissions' (STIG DC only) | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | ACCESS CONTROL |
| 20.29 Ensure 'FTP servers are configured to prevent access to the system drive' (STIG only) | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG DC | Windows | ACCESS CONTROL |
| 20.29 Ensure 'FTP servers are configured to prevent access to the system drive' (STIG only) | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG MS | Windows | ACCESS CONTROL |
| 22.9 (L1) Ensure 'ASR: Block all Office applications from creating child processes' is set to 'Audit' or higher | CIS Microsoft Intune for Windows 10 v4.0.0 L1 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 22.9 (L1) Ensure 'ASR: Block all Office applications from creating child processes' is set to 'Audit' or higher | CIS Microsoft Intune for Windows 11 v4.0.0 L1 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 22.13 (L1) Ensure 'ASR: Block execution of potentially obfuscated scripts' is set to 'Audit' or higher | CIS Microsoft Intune for Windows 10 v4.0.0 L1 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 22.13 (L1) Ensure 'ASR: Block execution of potentially obfuscated scripts' is set to 'Audit' or higher | CIS Microsoft Intune for Windows 11 v4.0.0 L1 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| APPL-13-000005 - The macOS system must be configured to lock the user session when a smart token is removed. | DISA STIG Apple macOS 13 v1r5 | Unix | ACCESS CONTROL |
| DTOO119 - Configuration for file validation must be enforced. | DISA STIG Microsoft Excel 2013 v1r8 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| DTOO190 - Office System - The encryption type for password protected Office 97 thru Office 2003 must be set. | DISA STIG Office System 2010 v1r13 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| DTOO203 - Office System - Legacy format signatures must be enabled. | DISA STIG Office System 2010 v1r13 | Windows | CONFIGURATION MANAGEMENT |
| DTOO204 - External Signature Services Menu for Office must be suppressed. | DISA STIG Microsoft Office System 2013 v2r2 | Windows | CONFIGURATION MANAGEMENT |
| DTOO208 - Office client polling of SharePoint servers published links must be disabled. | DISA STIG Microsoft Office System 2013 v2r2 | Windows | ACCESS CONTROL |
| DTOO307 - Office System - Office Live Workspace Integration must be off. | DISA STIG Office System 2010 v1r13 | Windows | CONFIGURATION MANAGEMENT |
| VCFL-67-000027 - Rsyslog must be configured to monitor and ship vSphere Client log files - access | DISA STIG VMware vSphere 6.7 Virgo Client v1r2 | Unix | AUDIT AND ACCOUNTABILITY |
| VCUI-67-000027 - vSphere UI log files must be moved to a permanent repository in accordance with site policy - runtime | DISA STIG VMware vSphere 6.7 UI Tomcat v1r3 | Unix | AUDIT AND ACCOUNTABILITY |
| WPAW-00-000100 - Administrators of high-value IT resources must complete required training. | DISA MS Windows Privileged Access Workstation v3r1 | Windows | AWARENESS AND TRAINING, CONFIGURATION MANAGEMENT |
| WPAW-00-000600 - All high-value IT resources must be assigned to a specific administrative tier to separate highly sensitive resources from less sensitive resources. | DISA MS Windows Privileged Access Workstation v3r1 | Windows | CONFIGURATION MANAGEMENT |
| WPAW-00-000800 - A Windows update service must be available to provide software updates for the PAW platform. | DISA MS Windows Privileged Access Workstation v3r1 | Windows | CONFIGURATION MANAGEMENT |
| WPAW-00-001000 - The Windows PAW must be configured so that all non-administrative-related applications and functions are blocked or removed from the PAW platform, including but not limited to email, Internet browsing, and line-of-business applications. | DISA MS Windows Privileged Access Workstation v3r1 | Windows | CONFIGURATION MANAGEMENT |
| WPAW-00-001050 - Device Guard Code Integrity Policy must be used on the Windows PAW to restrict applications that can run on the system (Device Guard Code Integrity Policy). | DISA MS Windows Privileged Access Workstation v3r1 | Windows | CONFIGURATION MANAGEMENT |
| WPAW-00-001100 - Windows PAWs must be restricted to only allow groups used to manage high-value IT resources and members of the local Administrators group to log on locally. | DISA MS Windows Privileged Access Workstation v3r1 | Windows | CONFIGURATION MANAGEMENT |
| WPAW-00-001200 - The domain must be configured to restrict privileged administrator accounts from logging on to lower-tier hosts. | DISA MS Windows Privileged Access Workstation v3r1 | Windows | CONFIGURATION MANAGEMENT |
| WPAW-00-001300 - A Windows PAW used to manage domain controllers and directory services must not be used to manage any other type of high-value IT resource. | DISA MS Windows Privileged Access Workstation v3r1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| WPAW-00-001400 - PAWs used to manage Active Directory must only allow groups specifically designated to manage Active Directory, such as Enterprise and Domain Admins and members of the local Administrators group, to log on locally. | DISA MS Windows Privileged Access Workstation v3r1 | Windows | CONFIGURATION MANAGEMENT |
| WPAW-00-001500 - In a Windows PAW, administrator accounts used for maintaining the PAW must be separate from administrative accounts used to manage high-value IT resources. | DISA MS Windows Privileged Access Workstation v3r1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| WPAW-00-001700 - The Windows PAW must use a trusted channel for all connections between a PAW and IT resources managed from the PAW. | DISA MS Windows Privileged Access Workstation v3r1 | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
