| 1.1 Ensure packages are obtained from authorized repositories | CIS PostgreSQL 9.6 OS v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 1.7 Audit docker daemon | CIS Docker 1.11.0 v1.0.0 L1 Linux | Unix | AUDIT AND ACCOUNTABILITY |
| 2.1.6 - AirWatch - Limit the 'Number of failed attempts allowed' | AirWatch - CIS Google Android 4 v1.0.0 L1 | MDM | ACCESS CONTROL |
| 2.2.5 Set 'logging trap informational' | CIS Cisco IOS XE 16.x v2.1.0 L1 | Cisco | AUDIT AND ACCOUNTABILITY |
| 2.2.5 Set 'logging trap informational' | CIS Cisco IOS XE 17.x v2.2.0 L1 | Cisco | AUDIT AND ACCOUNTABILITY |
| 2.2.32 Ensure 'Deny log on locally' to include 'Guests' (STIG DC only) | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG DC | Windows | ACCESS CONTROL |
| 2.2.46 Ensure 'Increase scheduling priority' is set to 'Administrators' (STIG only) | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG MS | Windows | ACCESS CONTROL |
| 2.3.2 Ensure Screen Saver Corners Are Secure | CIS Apple macOS 12.0 Monterey v4.0.0 L2 | Unix | ACCESS CONTROL |
| 2.3.17.4 Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop or Prompt for credentials on the secure desktop' (STIG only) | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG MS | Windows | ACCESS CONTROL |
| 2.7.1 Ensure Screen Saver Corners Are Secure | CIS Apple macOS 13.0 Ventura v3.1.0 L2 | Unix | ACCESS CONTROL |
| 2.7.1 Ensure Screen Saver Corners Are Secure | CIS Apple macOS 15.0 Sequoia v1.1.0 L2 | Unix | ACCESS CONTROL |
| 6. OpenStack Identity - Policy.json - 'identity:create_trust' | TNS OpenStack Keystone/Identity Security Guide | Unix | ACCESS CONTROL |
| 6. OpenStack Networking - Policy.json - 'get_port:binding:host_id' | TNS OpenStack Neutron/Networking Security Guide | Unix | ACCESS CONTROL |
| 7 - SSL implementation - start.ini --module=deploy | TNS Best Practice Jetty 9 Linux | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7 - SSL implementation - start.jar --module=deploy | TNS Best Practice Jetty 9 Linux | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7 - SSL implementation - start.jar --module=https | TNS Best Practice Jetty 9 Linux | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7 - SSL implementation - start.jar --module=ssl | TNS Best Practice Jetty 9 Linux | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.2.1 Set 'Java permissions' to 'Enabled:High safety' | CIS IE 10 v1.1.0 | Windows | CONFIGURATION MANAGEMENT |
| 8.5.1 Set 'Java permissions' to 'Enabled:High safety' | CIS IE 10 v1.1.0 | Windows | CONFIGURATION MANAGEMENT |
| 18.10.75.2.2 Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn' or 'Enabled: Warn and prevent bypass' (STIG only) | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG DC | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 18.10.75.2.2 Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn' or 'Enabled: Warn and prevent bypass' (STIG only) | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | SYSTEM AND INFORMATION INTEGRITY |
| APPNET0064 - .Net applications that invoke NetFx40_LegacySecurityPolicy must apply previous versions of .NET STIG guidance. | DISA STIG for Microsoft Dot Net Framework 4.0 v2r6 | Windows | CONFIGURATION MANAGEMENT |
| ESXI-70-000007 - The ESXi host must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via the Direct Console User Interface (DCUI). | DISA STIG VMware vSphere 7.0 ESXi v1r4 | VMware | ACCESS CONTROL |
| ESXI-70-000032 - The ESXi host must prohibit the reuse of passwords within five iterations. | DISA STIG VMware vSphere 7.0 ESXi v1r4 | VMware | IDENTIFICATION AND AUTHENTICATION |
| ESXI-70-000036 - The ESXi host must disable ESXi Shell unless needed for diagnostics or troubleshooting. | DISA STIG VMware vSphere 7.0 ESXi v1r4 | VMware | CONFIGURATION MANAGEMENT |
| ESXI-70-000041 - The ESXi host must set a timeout to automatically disable idle shell sessions after two minutes. | DISA STIG VMware vSphere 7.0 ESXi v1r4 | VMware | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXI-70-000046 - The ESXi host must configure NTP time synchronization. | DISA STIG VMware vSphere 7.0 ESXi v1r4 | VMware | AUDIT AND ACCOUNTABILITY |
| ESXI-70-000057 - The ESXi host must configure the firewall to block network traffic by default - incoming | DISA STIG VMware vSphere 7.0 ESXi v1r4 | VMware | CONFIGURATION MANAGEMENT |
| ESXI-70-000058 - The ESXi host must enable Bridge Protocol Data Units (BPDU) filter on the host to prevent being locked out of physical switch ports with Portfast and BPDU Guard enabled. | DISA STIG VMware vSphere 7.0 ESXi v1r4 | VMware | CONFIGURATION MANAGEMENT |
| ESXI-70-000065 - All port groups on standard switches must not be configured to virtual local area network (VLAN) values reserved by upstream physical switches. | DISA STIG VMware vSphere 7.0 ESXi v1r4 | VMware | CONFIGURATION MANAGEMENT |
| ESXI-70-000072 - The ESXi host must have all security patches and updates installed. | DISA STIG VMware vSphere 7.0 ESXi v1r4 | VMware | CONFIGURATION MANAGEMENT |
| PHTN-40-000105 The Photon operating system must enable symlink access control protection in the kernel. | DISA VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 STIG v2r1 | Unix | ACCESS CONTROL |
| PHTN-40-000225 The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | DISA VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 STIG v2r1 | Unix | CONFIGURATION MANAGEMENT |
| PHTN-40-000226 The Photon operating system must prevent IPv4 Internet Control Message Protocol (ICMP) secure redirect messages from being accepted. | DISA VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 STIG v2r1 | Unix | CONFIGURATION MANAGEMENT |
| PHTN-40-000227 The Photon operating system must not send IPv4 Internet Control Message Protocol (ICMP) redirects. | DISA VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 STIG v2r1 | Unix | CONFIGURATION MANAGEMENT |
| PHTN-40-000228 The Photon operating system must log IPv4 packets with impossible addresses. | DISA VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 STIG v2r1 | Unix | CONFIGURATION MANAGEMENT |
| PHTN-40-000229 The Photon operating system must use a reverse-path filter for IPv4 network traffic. | DISA VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 STIG v2r1 | Unix | CONFIGURATION MANAGEMENT |
| PHTN-40-000231 The Photon operating system must not perform IPv4 packet forwarding. | DISA VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 STIG v2r1 | Unix | CONFIGURATION MANAGEMENT |
| VCTR-67-000001 - The vCenter Server must prohibit password reuse for a minimum of five generations. | DISA STIG VMware vSphere 6.7 vCenter v1r4 | VMware | IDENTIFICATION AND AUTHENTICATION |
| VCTR-67-000005 - The vCenter Server users must have the correct roles assigned. | DISA STIG VMware vSphere 6.7 vCenter v1r4 | VMware | SYSTEM AND COMMUNICATIONS PROTECTION |
| VCTR-67-000015 - The vCenter Server must set the distributed port group Promiscuous Mode policy to reject. | DISA STIG VMware vSphere 6.7 vCenter v1r4 | VMware | CONFIGURATION MANAGEMENT |
| VCTR-67-000024 - The vCenter Server must configure the vpxuser password meets length policy. | DISA STIG VMware vSphere 6.7 vCenter v1r4 | VMware | CONFIGURATION MANAGEMENT |
| VCTR-67-000045 - The vCenter Server must limit the maximum number of failed login attempts to three. | DISA STIG VMware vSphere 6.7 vCenter v1r4 | VMware | ACCESS CONTROL |
| VCTR-67-000058 - The vCenter Server Machine SSL certificate must be issued by a DoD certificate authority. | DISA STIG VMware vSphere 6.7 vCenter v1r4 | VMware | CONFIGURATION MANAGEMENT |
| VCTR-67-000060 - The vCenter Server must enable revocation checking for certificate-based authentication. | DISA STIG VMware vSphere 6.7 vCenter v1r4 | VMware | CONFIGURATION MANAGEMENT |
| VCTR-67-000064 - The vCenter Server must restrict access to cryptographic permissions. | DISA STIG VMware vSphere 6.7 vCenter v1r4 | VMware | CONFIGURATION MANAGEMENT |
| VCTR-67-000066 - The vCenter Server must have new Key Encryption Keys (KEKs) reissued at regular intervals for vSAN encrypted datastore(s). | DISA STIG VMware vSphere 6.7 vCenter v1r4 | VMware | CONFIGURATION MANAGEMENT |
| VCTR-67-000069 - The vCenter Server must use a limited privilege account when adding an LDAP identity source. | DISA STIG VMware vSphere 6.7 vCenter v1r4 | VMware | CONFIGURATION MANAGEMENT |
| VCTR-67-000078 - The vCenter Server must disable Password and Windows integrated authentication. | DISA STIG VMware vSphere 6.7 vCenter v1r4 | VMware | CONFIGURATION MANAGEMENT |
| WG190 IIS6 - The web server must use a vendor-supported version of the web server software. | DISA STIG IIS 6.0 Server v6r16 | Windows | SYSTEM AND INFORMATION INTEGRITY |
