| 1.1.1.9 Ensure usb-storage kernel module is not available | CIS Linux Mint 22 v1.0.0 L2 Workstation | Unix | MEDIA PROTECTION |
| 1.1.1.10 Ensure usb-storage kernel module is not available | CIS AlmaLinux OS 8 v4.0.0 L2 Workstation | Unix | MEDIA PROTECTION |
| 1.1.1.10 Ensure usb-storage kernel module is not available | CIS AlmaLinux OS 10 v1.0.0 L2 Workstation | Unix | MEDIA PROTECTION |
| 1.1.1.10 Ensure usb-storage kernel module is not available | CIS Red Hat Enterprise Linux 8 v4.0.0 L1 Server | Unix | MEDIA PROTECTION |
| 1.1.1.10 Ensure usb-storage kernel module is not available | CIS AlmaLinux OS 10 v1.0.0 L1 Server | Unix | MEDIA PROTECTION |
| 1.1.1.10 Ensure usb-storage kernel module is not available | CIS Debian Linux 13 v1.0.0 L1 Server | Unix | IDENTIFICATION AND AUTHENTICATION |
| 1.4 Enable system data files and security update installs - ConfigDataInstall | CIS Apple OSX 10.9 L1 v1.3.0 | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 1.4 Enable system data files and security update installs - CriticalUpdateInstall | CIS Apple OSX 10.9 L1 v1.3.0 | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 1.4 Enable system data files and security updates install - 'ConfigDataInstall' | CIS Apple macOS 10.13 L1 v1.1.0 | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 1.4 Enable system data files and security updates install - 'CriticalUpdateInstall' | CIS Apple macOS 10.13 L1 v1.1.0 | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 1.5 Ensure System Data Files and Security Updates Are Downloaded Automatically Is Enabled - 'CriticalUpdateInstall' | CIS Apple macOS 10.14 v2.0.0 L1 | Unix | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 1.6.1.13 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is set to 'e6db77e5-3df2-4cf1-b95a-636979351e5b:1' | CIS Microsoft Defender Antivirus v1.0.0 L1 Server | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 1.13.6 Ensure 'Configure Add-In Trust Level' is set to Enabled:Trust all loaded and installed COM addins | CIS Microsoft Office Outlook 2013 v1.1.0 Level 1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.3.1 Ensure AIDE is installed | CIS Red Hat Enterprise Linux 7 v4.0.0 L1 Workstation | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 6.1 Set 'Configure Add-In Trust Level' to 'Enabled:Trust all loaded and installed COM addins' | CIS MS Office Outlook 2010 v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.1.1 Ensure AIDE is installed | CIS AlmaLinux OS 9 v2.0.0 L1 Workstation | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 6.1.1 Ensure AIDE is installed | CIS Red Hat Enterprise Linux 10 v1.0.1 L1 Server | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 6.1.1 Ensure AIDE is installed | CIS AlmaLinux OS 10 v1.0.0 L1 Server | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 6.1.1 Ensure AIDE is installed | CIS Red Hat Enterprise Linux 9 v2.0.0 L1 Workstation | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 6.1.1 Ensure AIDE is installed | CIS SUSE Linux Enterprise 15 v2.0.1 L1 Workstation | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 6.3.1 Ensure AIDE is installed | CIS Amazon Linux 2 v4.0.0 L1 Server | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 7.1 (L2) Virtual machines must enable Secure Boot | CIS VMware ESXi 8.0 v1.3.0 L2 | VMware | CONFIGURATION MANAGEMENT, MAINTENANCE |
| 18.9.30.2 (L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker | Windows | SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| Big Sur - Disable Accounts after 35 Days of Inactivity | NIST macOS Big Sur v1.4.0 - 800-53r5 High | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| Big Sur - Disable Accounts after 35 Days of Inactivity | NIST macOS Big Sur v1.4.0 - 800-53r4 High | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| Catalina - Disable Accounts after 35 Days of Inactivity | NIST macOS Catalina v1.5.0 - 800-171 | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| Catalina - Disable Accounts after 35 Days of Inactivity | NIST macOS Catalina v1.5.0 - 800-53r5 Moderate | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| DTAM021 - McAfee VirusScan On Delivery Email Scanner Properties must be configured to enable on-delivery email scanning. | DISA McAfee VirusScan 8.8 Local Client STIG v6r1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| DTAM021 - McAfee VirusScan On-Delivery Email Scan Policies must be configured to enable on-delivery email scanning. | DISA McAfee VirusScan 8.8 Managed Client STIG v6r1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| DTAM022 - McAfee VirusScan On-Delivery Email Scan Policies must be configured to find unknown program threats and Trojans. | DISA McAfee VirusScan 8.8 Managed Client STIG v6r1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| DTAM027 - McAfee VirusScan On Delivery Email Scan Policies must be configured to decode MIME encoded files. | DISA McAfee VirusScan 8.8 Managed Client STIG v6r1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| DTAM029 - McAfee VirusScan On Delivery Email Scan Policies, when a threat is found, must be configured to clean attachments as the first action. | DISA McAfee VirusScan 8.8 Managed Client STIG v6r1 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| DTAM029 - McAfee VirusScan On Delivery Email Scanner Properties, When a threat is found, must be configured to clean attachments as the first action. | DISA McAfee VirusScan 8.8 Local Client STIG v6r1 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| DTAM039 - McAfee VirusScan On Delivery Email Scan Policies must be configured to clean attachments as the first action for when an unwanted program is found. | DISA McAfee VirusScan 8.8 Managed Client STIG v6r1 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| DTAM039 - McAfee VirusScan On Delivery Email Scanner Properties must be configured to clean attachments as the first action for When an unwanted program is found. | DISA McAfee VirusScan 8.8 Local Client STIG v6r1 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| DTAM158 - McAfee VirusScan On-Delivery Email Scanner must be configured to send a notification email to the IAO, IAM and/or ePO administrator when a threatening email message is detected. | DISA McAfee VirusScan 8.8 Local Client STIG v6r1 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| DTAM162 - McAfee VirusScan On Delivery Email Scanner Properties, when a threat is found, must be configured to delete attachments if the first action fails. | DISA McAfee VirusScan 8.8 Local Client STIG v6r1 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| DTAM163 - McAfee VirusScan On Delivery Email Scan Policies must be configured to delete attachments if the first action fails for when an unwanted program is found. | DISA McAfee VirusScan 8.8 Managed Client STIG v6r1 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| EX13-EG-000175 - Exchange filtered messages must be archived. | DISA Microsoft Exchange 2013 Edge Transport Server STIG v1r6 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| EX16-ED-000350 - Exchange filtered messages must be archived. | DISA Microsoft Exchange 2016 Edge Transport Server STIG v2r6 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| EX16-ED-000570 - Exchange must render hyperlinks from email sources from non-.mil domains as unclickable. | DISA Microsoft Exchange 2016 Edge Transport Server STIG v2r6 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| Monterey - Disable Accounts after 35 Days of Inactivity | NIST macOS Monterey v1.0.0 - 800-171 | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| Monterey - Disable Accounts after 35 Days of Inactivity | NIST macOS Monterey v1.0.0 - 800-53r5 Moderate | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| SYMP-AG-000240 - The reverse proxy Symantec ProxySG providing intermediary services for FTP must inspect inbound FTP communications traffic for protocol compliance and protocol anomalies - Review Proxies | DISA Symantec ProxySG Benchmark ALG v1r3 | BlueCoat | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| SYMP-AG-000660 - Symantec ProxySG providing content filtering must send an alert to, at a minimum, the ISSO and ISSM when detection events occur. | DISA Symantec ProxySG Benchmark ALG v1r3 | BlueCoat | SYSTEM AND INFORMATION INTEGRITY |
| Turn off real-time protection | MSCT Windows Server 2025 DC v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| Turn off real-time protection | MSCT Windows 11 v25H2 v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| Turn off real-time protection | MSCT Windows Server 2025 MS v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| Turn off real-time protection | MSCT Windows Server 2025 MS v2506 v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| Turn off real-time protection | MSCT Windows 11 v24H2 v1.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
