| 1.4.1.1.2 Ensure 'Load Pictures from Web Pages Not Created in Excel' is set to Disabled | CIS Microsoft Office Excel 2016 v1.0.1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.7 Ensure IAM password policy requires minimum length of 14 or greater | CIS Amazon Web Services Foundations v5.0.0 L1 | amazon_aws | IDENTIFICATION AND AUTHENTICATION |
| 1.13 Ensure access keys are rotated every 90 days or less | CIS Amazon Web Services Foundations v5.0.0 L1 | amazon_aws | ACCESS CONTROL |
| 1.16 Ensure a support role has been created to manage incidents with AWS Support | CIS Amazon Web Services Foundations v5.0.0 L1 | amazon_aws | INCIDENT RESPONSE |
| 2.1 Ensure 'Blocked File Types' is configured to match the enterprise blacklist | CIS Microsoft SharePoint 2019 OS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.2.1 Ensure that encryption-at-rest is enabled for RDS instances | CIS Amazon Web Services Foundations v5.0.0 L1 | amazon_aws | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.6 Turn off TRACE | CIS Apache Tomcat 9 L1 v1.2.0 Middleware | Unix | CONFIGURATION MANAGEMENT |
| 3.6 Ensure rotation for customer-created symmetric CMKs is enabled | CIS Amazon Web Services Foundations v5.0.0 L2 | amazon_aws | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1 Ensure SharePoint displays an approved system use notification message or banner before granting access to the system. | CIS Microsoft SharePoint 2019 OS v1.0.0 | Windows | ACCESS CONTROL |
| 4.4 Ensure IAM policy changes are monitored | CIS Amazon Web Services Foundations v5.0.0 L1 | amazon_aws | AUDIT AND ACCOUNTABILITY |
| 4.6 Ensure AWS Management Console authentication failures are monitored | CIS Amazon Web Services Foundations v5.0.0 L2 | amazon_aws | AUDIT AND ACCOUNTABILITY |
| 4.13 Ensure route table changes are monitored | CIS Amazon Web Services Foundations v5.0.0 L1 | amazon_aws | AUDIT AND ACCOUNTABILITY |
| 5.1 Ensure Options for the OS Root Directory Are Restricted | CIS Apache HTTP Server 2.4 v2.2.0 L1 | Unix | ACCESS CONTROL |
| 6.2 Ensure a Syslog Facility Is Configured for Error Logging - 'httpd.conf <VirtualHost> Syslog is configured' | CIS Apache HTTP Server 2.2 L2 v3.6.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 6.2 Ensure a Syslog Facility Is Configured for Error Logging - 'httpd.conf <VirtualHost> Syslog is configured' | CIS Apache HTTP Server 2.2 L2 v3.6.0 Middleware | Unix | AUDIT AND ACCOUNTABILITY |
| AS24-U1-000650 - The Apache web server must set an inactive timeout for sessions. | DISA STIG Apache Server 2.4 Unix Server v3r2 | Unix | ACCESS CONTROL |
| AS24-U1-000650 - The Apache web server must set an inactive timeout for sessions. | DISA STIG Apache Server 2.4 Unix Server v3r2 Middleware | Unix | ACCESS CONTROL |
| AS24-U2-000660 - The Apache web server must set an inactive timeout for sessions. | DISA STIG Apache Server 2.4 Unix Site v2r6 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-U2-000660 - The Apache web server must set an inactive timeout for sessions. | DISA STIG Apache Server 2.4 Unix Site v2r6 Middleware | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W1-000460 - The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination. | DISA STIG Apache Server 2.4 Windows Server v2r3 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W1-000460 - The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination. | DISA STIG Apache Server 2.4 Windows Server v3r3 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| EX13-CA-000015 - Exchange must have Forms-based Authentication disabled. | DISA Microsoft Exchange 2013 Client Access Server STIG v2r2 | Windows | ACCESS CONTROL |
| EX16-MB-002920 - Exchange must have forms-based authentication disabled. | DISA Microsoft Exchange 2016 Mailbox Server STIG v2r6 | Windows | ACCESS CONTROL |
| EX19-MB-000008 - Exchange must have forms-based authentication enabled. | DISA Microsoft Exchange 2019 Mailbox Server STIG v2r2 | Windows | ACCESS CONTROL |
| EX19-MB-000283 - Exchange must be configured in accordance with the security configuration settings based on DOD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. | DISA Microsoft Exchange 2019 Mailbox Server STIG v2r2 | Windows | CONFIGURATION MANAGEMENT |
| Load pictures from Web pages not created in Excel | MSCT M365 Apps for enterprise 2412 v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| Load pictures from Web pages not created in Excel | Microsoft 365 Apps for Enterprise 2306 v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| SHPT-00-000530 - The Central Administration Web Application must use Kerberos as the authentication provider. | DISA STIG SharePoint 2010 v1r9 | Windows | IDENTIFICATION AND AUTHENTICATION |
| SP13-00-000080 - SharePoint must uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users). | DISA STIG SharePoint 2013 v2r4 | Windows | IDENTIFICATION AND AUTHENTICATION |
| VCEM-70-000023 - ESX Agent Manager must not show directory listings. | DISA STIG VMware vSphere 7.0 EAM Tomcat v1r2 | Unix | SYSTEM AND INFORMATION INTEGRITY |
| VCFL-67-000006 - vSphere Client must be configured to enable SSL/TLS. | DISA STIG VMware vSphere 6.7 Virgo Client v1r2 | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| VCLD-67-000001 - VAMI must limit the number of simultaneous requests. | DISA STIG VMware vSphere 6.7 VAMI-lighttpd v1r3 | Unix | ACCESS CONTROL |
| VCLU-70-000022 - The Lookup Service must not show directory listings. | DISA STIG VMware vSphere 7.0 Lookup Service v1r2 | Unix | SYSTEM AND INFORMATION INTEGRITY |
| VCLU-80-000137 The vCenter Lookup service directory listings parameter must be disabled. | DISA VMware vSphere 8.0 vCenter Appliance Lookup Service STIG v2r1 | Unix | CONFIGURATION MANAGEMENT |
| VCSA-70-000069 - The vCenter Server passwords must be at least 15 characters in length. | DISA STIG VMware vSphere 7.0 vCenter v1r3 | VMware | IDENTIFICATION AND AUTHENTICATION |
| VCSA-70-000110 - The vCenter Server must manage excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks by enabling Network I/O Control (NIOC). | DISA STIG VMware vSphere 7.0 vCenter v1r3 | VMware | SYSTEM AND COMMUNICATIONS PROTECTION |
| VCSA-70-000150 - vCenter must provide an immediate real-time alert to the system administrator (SA) and information system security officer (ISSO), at a minimum, of all audit failure events requiring real-time alerts. | DISA STIG VMware vSphere 7.0 vCenter v1r3 | VMware | AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |
| VCSA-70-000158 - The vCenter Server must compare internal information system clocks at least every 24 hours with an authoritative time server. | DISA STIG VMware vSphere 7.0 vCenter v1r3 | VMware | AUDIT AND ACCOUNTABILITY |
| VCSA-70-000268 - The vCenter Server must set the distributed port group Forged Transmits policy to 'Reject'. | DISA STIG VMware vSphere 7.0 vCenter v1r3 | VMware | CONFIGURATION MANAGEMENT |
| VCUI-80-000137 The vCenter UI service directory listings parameter must be disabled. | DISA VMware vSphere 8.0 vCenter Appliance User Interface (UI) STIG v2r1 | Unix | CONFIGURATION MANAGEMENT |
| WA00515 A22 - Automatic directory indexing must be disabled. | DISA STIG Apache Server 2.2 Unix v1r11 | Unix | CONFIGURATION MANAGEMENT |
| WBLC-02-000100 - Oracle WebLogic must protect audit tools from unauthorized deletion. | Oracle WebLogic Server 12c Linux v2r2 | Unix | AUDIT AND ACCOUNTABILITY |
| WBSP-AS-000190 - The WebSphere Application Server security cookies must be set to HTTPOnly. | DISA IBM WebSphere Traditional 9 STIG v1r1 Middleware | Unix | ACCESS CONTROL |
| WBSP-AS-000770 - The WebSphere Application Server wsadmin file must be protected from unauthorized access. | DISA IBM WebSphere Traditional 9 STIG v1r1 Middleware | Unix | AUDIT AND ACCOUNTABILITY |
| WBSP-AS-001030 - The WebSphere Application Server multifactor authentication for network access to privileged accounts must be used. | DISA IBM WebSphere Traditional 9 STIG v1r1 | Unix | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| WBSP-AS-001300 - The WebSphere Application Server must accept PIV credentials from other federal agencies to access management interface. | DISA IBM WebSphere Traditional 9 STIG v1r1 Middleware | Unix | IDENTIFICATION AND AUTHENTICATION |
| WG145 A22 - The private web server must use an approved DoD certificate validation process. | DISA STIG Apache Server 2.2 Unix v1r11 Middleware | Unix | |
| WG205 A22 - The web document (home) directory must be in a separate partition from the web server's system files. | DISA STIG Apache Site 2.2 Unix v1r11 | Unix | CONFIGURATION MANAGEMENT |
| WG205 A22 - The web document (home) directory must be in a separate partition from the web server's system files. | DISA STIG Apache Site 2.2 Unix v1r11 Middleware | Unix | CONFIGURATION MANAGEMENT |
| WG240 A22 - Logs of web server access and errors must be established and maintained | DISA STIG Apache Site 2.2 Unix v1r11 | Unix | AUDIT AND ACCOUNTABILITY |
