| 2.2.32 Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account, Enterprise Admins Group, and Domain Admins Group' (STIG MS only) | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | ACCESS CONTROL |
| 2.2.36 Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account, Enterprise Admins Group, and Domain Admins Group' (STIG MS only) | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG MS | Windows | ACCESS CONTROL |
| 2.2.36 Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account, Enterprise Admins Group, and Domain Admins Group' (STIG MS only) | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG MS | Windows | ACCESS CONTROL |
| 3.2 Ensure intrusion prevention is enabled for untrusted interfaces | CIS Cisco Firewall v8.x L1 v4.2.0 | Cisco | CONFIGURATION MANAGEMENT |
| 3.4.1 Ensure DCCP is disabled - lsmod | CIS Distribution Independent Linux Server L2 v2.0.0 | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 3.4.1 Ensure DCCP is disabled - modprobe | CIS Debian 8 Workstation L1 v2.0.2 | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.4.1 Ensure DCCP is disabled - modprobe | CIS Debian 9 Workstation L1 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
| 3.4.1 Ensure DCCP is disabled - modprobe | CIS Ubuntu Linux 16.04 LTS Server L2 v2.0.0 | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 5.1 Ensure swarm mode is not Enabled, if not needed | CIS Docker v1.7.0 L1 Docker - Linux | Unix | CONFIGURATION MANAGEMENT |
| 6.5 Ensure Audit Logging Is Enabled | CIS MySQL 5.6 Community Database L2 v2.0.0 | MySQLDB | AUDIT AND ACCOUNTABILITY |
| 6.5 Ensure Audit Logging Is Enabled - audit_log_filter | CIS MySQL 5.7 Community Database L2 v2.0.0 | MySQLDB | AUDIT AND ACCOUNTABILITY |
| 7.5.1 Disable DCCP | CIS Debian Linux 7 L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 18.10.18.7 (L2) Ensure 'Enable Windows Package Manager command line interfaces' is set to 'Disabled' | CIS Microsoft Windows 11 Stand-alone v4.0.0 L2 | Windows | CONFIGURATION MANAGEMENT |
| 18.10.18.7 (L2) Ensure 'Enable Windows Package Manager command line interfaces' is set to 'Disabled' | CIS Microsoft Windows 10 Enterprise v4.0.0 L2 BL | Windows | CONFIGURATION MANAGEMENT |
| 18.10.18.7 (L2) Ensure 'Enable Windows Package Manager command line interfaces' is set to 'Disabled' | CIS Microsoft Windows 10 Stand-alone v4.0.0 L2 | Windows | CONFIGURATION MANAGEMENT |
| 18.10.18.7 (L2) Ensure 'Enable Windows Package Manager command line interfaces' is set to 'Disabled' | CIS Microsoft Windows 10 Stand-alone v4.0.0 L2 NG | Windows | CONFIGURATION MANAGEMENT |
| 20.7 Ensure 'Active Directory Group Policy objects have proper access control permissions' (STIG DC only) | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG DC | Windows | ACCESS CONTROL |
| 20.7 Ensure 'Active Directory Group Policy objects have proper access control permissions' (STIG DC only) | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG DC | Windows | ACCESS CONTROL |
| Allow Basic authentication - Client - AllowBasic | MSCT Windows 10 v21H1 v1.0.0 | Windows | ACCESS CONTROL |
| Allow Basic authentication - Client - AllowBasic | MSCT Windows 10 v21H2 v1.0.0 | Windows | ACCESS CONTROL |
| Allow Basic authentication - Client - AllowBasic | MSCT Windows 10 1903 v1.19.9 | Windows | ACCESS CONTROL |
| Allow Basic authentication - Client - AllowBasic | MSCT Windows 10 1909 v1.0.0 | Windows | ACCESS CONTROL |
| Allow Basic authentication - Client - AllowBasic | MSCT Windows 10 v2004 v1.0.0 | Windows | ACCESS CONTROL |
| Allow Basic authentication - Client - AllowBasic | MSCT Windows Server 2025 DC v1.0.0 | Windows | ACCESS CONTROL |
| Allow Basic authentication - Client - AllowBasic | MSCT Windows 10 v20H2 v1.0.0 | Windows | ACCESS CONTROL |
| Allow Basic authentication - Client - AllowBasic | MSCT Windows 11 v1.0.0 | Windows | ACCESS CONTROL |
| Allow Basic authentication - Client - AllowBasic | MSCT Windows 11 v23H2 v1.0.0 | Windows | ACCESS CONTROL |
| Allow Basic authentication - Client - AllowBasic | MSCT Windows 11 v24H2 v1.0.0 | Windows | ACCESS CONTROL |
| Allow Basic authentication - WinRM Client | MSCT Windows Server 2019 DC v1.0.0 | Windows | ACCESS CONTROL |
| CISC-RT-000600 - The Cisco MPLS router must be configured to synchronize IGP and LDP to minimize packet loss when an IGP adjacency is established prior to LDP peers completing label exchange. | DISA Cisco IOS Router RTR STIG v3r3 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-RT-000730 - The Cisco PE switch must be configured to block any traffic that is destined to the IP core infrastructure. | DISA STIG Cisco IOS XE Switch RTR v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| EX16-MB-000160 - Exchange Audit data must be on separate partitions. | DISA Microsoft Exchange 2016 Mailbox Server STIG v2r6 | Windows | AUDIT AND ACCOUNTABILITY |
| EX16-MB-000320 - Exchange Mail Quota settings must not restrict receiving mail. | DISA Microsoft Exchange 2016 Mailbox Server STIG v2r6 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| EX19-MB-000054 - Exchange must protect audit data against unauthorized deletion. | DISA Microsoft Exchange 2019 Mailbox Server STIG v2r2 | Windows | AUDIT AND ACCOUNTABILITY |
| GEN003540 - The system must implement non-executable program stacks - 'kernel.randomize_va_space' | DISA STIG for Oracle Linux 5 v2r1 | Unix | CONFIGURATION MANAGEMENT |
| HONW-09-008700 - Honeywell Mobility Edge Android Pie devices users must complete required training. | AirWatch - DISA Honeywell Android 9.x COPE v1r2 | MDM | CONFIGURATION MANAGEMENT |
| MS.EXO.4.4v1 - An agency point of contact SHOULD be included for aggregate and failure reports. | CISA SCuBA Microsoft 365 Exchange Online v1.5.0 | microsoft_azure | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| MS.EXO.6.2v1 - Calendar details SHALL NOT be shared with all domains. | CISA SCuBA Microsoft 365 Exchange Online v1.5.0 | microsoft_azure | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| MS.EXO.9.2v1 - The attachment filter SHOULD attempt to determine the true file type and assess the file extension. | CISA SCuBA Microsoft 365 Exchange Online v1.5.0 | microsoft_azure | SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND INFORMATION INTEGRITY |
| MS.EXO.9.3v2 - Disallowed file types SHALL be determined and enforced. | CISA SCuBA Microsoft 365 Exchange Online v1.5.0 | microsoft_azure | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| MS.EXO.9.4v1 - Alternatively chosen filtering solutions SHOULD offer services comparable to Microsoft Defender's Common Attachment Filter. | CISA SCuBA Microsoft 365 Exchange Online v1.5.0 | microsoft_azure | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| O121-C2-019600 - The system must verify there have not been unauthorized changes to the DBMS software and information. | DISA STIG Oracle 12c v3r2 Database | OracleDB | SYSTEM AND INFORMATION INTEGRITY |
| SQL2-00-022600 - SQL Server must employ cryptographic mechanisms preventing the unauthorized disclosure of information during transmission. | DISA STIG SQL Server 2012 DB Instance Security v1r20 | MS_SQLDB | SYSTEM AND COMMUNICATIONS PROTECTION |
| VCRP-70-000003 - Envoy must be configured to operate in FIPS mode. | DISA STIG VMware vSphere 7.0 RhttpProxy v1r1 | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| WN11-UR-000070 - The 'Deny access to this computer from the network' user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. | DISA Microsoft Windows 11 STIG v2r3 | Windows | ACCESS CONTROL |
| WN12-UR-000020-MS - The Deny log on locally user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems, and from unauthenticated access on all systems. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | ACCESS CONTROL |
| WN16-DC-000090 - Active Directory Group Policy objects must have proper access control permissions. | DISA Microsoft Windows Server 2016 STIG v2r10 | Windows | ACCESS CONTROL |
| WN16-MS-000400 - The 'Deny log on locally' user right on member servers must be configured to prevent access from highly privileged domain accounts on domain systems and from unauthenticated access on all systems. | DISA Microsoft Windows Server 2016 STIG v2r10 | Windows | ACCESS CONTROL |
| WN19-PK-000010 - Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store. | DISA Microsoft Windows Server 2019 STIG v3r4 | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| WN22-MS-000110 - Windows Server 2022 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems. | DISA Microsoft Windows Server 2022 STIG v2r4 | Windows | ACCESS CONTROL |
