| 1.2 Set 'Allow Active X One Off Forms' to 'Enabled:Load only Outlook Controls' | CIS MS Office Outlook 2010 v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.3 Ensure device is physically secured | CIS Juniper OS Benchmark v2.1.0 L1 | Juniper | ACCESS CONTROL |
| 1.7 Ensure logging data is monitored | CIS Juniper OS Benchmark v2.1.0 L1 | Juniper | AUDIT AND ACCOUNTABILITY |
| 1.13.5 Ensure 'Allow Active X One Off Forms' is set to Enabled:Load only Outlook Controls | CIS Microsoft Office Outlook 2016 v1.1.0 Level 1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.13.5 Ensure 'Allow Active X One Off Forms' is set to Enabled:Load only Outlook Controls | CIS Microsoft Office Outlook 2013 v1.1.0 Level 1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.181 WN10-EP-000310 | CIS Microsoft Windows 10 STIG v1.0.0 CAT II | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.5.14.3.5 (L1) Ensure 'Allow Active X One Off Forms' is set to 'Enabled: Load only Outlook Controls' | CIS Microsoft Intune for Office v1.1.0 L1 | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.5.14.5 Ensure 'Allow Active X One Off Forms' is set to 'Enabled: Load only Outlook Controls' | CIS Microsoft Office Enterprise v1.2.0 L1 | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1.1 Retain system.log for 90 or more days | CIS Apple OSX 10.9 L1 v1.3.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 3.1.2 Retain appfirewall.log for 90 or more days | CIS Apple OSX 10.9 L1 v1.3.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 3.1.3 Retain authd.log for 90 or more days | CIS Apple OSX 10.9 L1 v1.3.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 3.5 Retain install.log for 365 or more days | CIS Apple OSX 10.9 L1 v1.3.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.1.4 Ensure only modern TLS protocols are used | CIS NGINX v3.0.0 L1 Proxy | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.4 Ensure only modern TLS protocols are used | CIS NGINX v3.0.0 L1 Loadbalancer | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.1.4 Ensure only modern TLS protocols are used | CIS NGINX v3.0.0 L1 Webserver | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.3.10 Ensure 'accessTokenEncoding' is set to a strong hash algorithm in OAuth 2.0 | CIS IBM WebSphere Liberty v1.0.0 L1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.3.11 Ensure 'allowPublicClients' is set to 'false' in OAuth 2.0 | CIS IBM WebSphere Liberty v1.0.0 L1 | Unix | ACCESS CONTROL |
| 4.3.12 Ensure 'clientSecretEncoding' is set to a strong encoding type in OAuth 2.0 | CIS IBM WebSphere Liberty v1.0.0 L1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.3.13 Ensure 'httpsRequired' is set to 'true' in OAuth 2.0 | CIS IBM WebSphere Liberty v1.0.0 L1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.3.14 Ensure 'skipResourceOwnerValidation' is set to 'false' in OAuth 2.0 | CIS IBM WebSphere Liberty v1.0.0 L1 | Unix | IDENTIFICATION AND AUTHENTICATION |
| 4.10.9.1.3 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A' | CIS Microsoft Intune for Windows 10 v4.0.0 BL | Windows | MEDIA PROTECTION |
| 5.1 Set 'Turn off Encryption Support' to 'Use TLS 1.1 and TLS 1.2' | CIS IE 10 v1.1.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.4 CIFS - 'cifs.smb2.durable_handle.enable = on' | TNS NetApp Data ONTAP 7G | NetApp | CONFIGURATION MANAGEMENT |
| 5.4 CIFS - 'cifs.smb2.durable_handle.timeout' | TNS NetApp Data ONTAP 7G | NetApp | ACCESS CONTROL |
| 6.13 Ensure alerting after a threshold of credit card or Social Security numbers is detected is enabled | CIS Palo Alto Firewall 10 v1.3.0 L1 | Palo_Alto | AUDIT AND ACCOUNTABILITY |
| 6.14 Ensure alerting after a threshold of credit card or Social Security numbers is detected is enabled - Data Filtering Profile | CIS Palo Alto Firewall 9 v1.1.0 L1 | Palo_Alto | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |
| 6.15 Ensure a secure Data Filtering profile is applied to all security policies allowing traffic to or from the Internet | CIS Palo Alto Firewall 6 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 7.4 Ensure TLS 1.0 is disabled | CIS IIS 8.0 v1.5.1 Level 2 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.9.7.1.2 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A' | CIS Microsoft Windows 10 Enterprise v4.0.0 BL | Windows | MEDIA PROTECTION |
| 18.9.7.1.2 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A' | CIS Microsoft Windows 10 Enterprise v4.0.0 L1 BL | Windows | MEDIA PROTECTION |
| 18.9.7.1.2 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A' | CIS Microsoft Windows 10 Stand-alone v4.0.0 L1 BL | Windows | MEDIA PROTECTION |
| 18.9.7.1.2 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A' | CIS Microsoft Windows 10 Enterprise v4.0.0 L1 BL NG | Windows | MEDIA PROTECTION |
| 18.9.7.1.2 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A' | CIS Microsoft Windows 10 Stand-alone v4.0.0 BL | Windows | MEDIA PROTECTION |
| 18.9.7.1.2 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A' | CIS Microsoft Windows 10 Stand-alone v4.0.0 L1 BL NG | Windows | MEDIA PROTECTION |
| 18.9.7.1.6 (L1) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A' | CIS Microsoft Windows 10 EMS Gateway v3.0.0 L1 | Windows | MEDIA PROTECTION |
| Apple OSX 10.11 El Capitan Level 1, version 1.1.0 | CIS Apple OSX 10.11 El Capitan L1 v1.1.0 | Unix | |
| CASA-VN-000560 - The Cisco ASA remote access VPN server must be configured to use a FIPS-validated algorithm and hash function to protect the integrity of TLS remote access sessions. | DISA STIG Cisco ASA VPN v2r2 | Cisco | ACCESS CONTROL |
| IBMW-LS-000020 - The WebSphere Liberty Server Quality of Protection (QoP) must be set to use TLSv1.2 or higher. | DISA IBM WebSphere Liberty Server STIG v2r2 | Unix | ACCESS CONTROL |
| IBMW-LS-000380 - The WebSphere Liberty Server must use an LDAP user registry. | DISA IBM WebSphere Liberty Server STIG v2r2 | Unix | IDENTIFICATION AND AUTHENTICATION |
| IBMW-LS-000381 - Basic Authentication must be disabled. | DISA IBM WebSphere Liberty Server STIG v2r2 | Unix | IDENTIFICATION AND AUTHENTICATION |
| MYS8-00-011500 - The MySQL Database Server 8.0 must use NSA-approved cryptography to protect classified information in accordance with the data owner's requirements. | DISA Oracle MySQL 8.0 v2r2 DB | MySQLDB | SYSTEM AND COMMUNICATIONS PROTECTION |
| MYS8-00-011500 - The MySQL Database Server 8.0 must use NSA-approved cryptography to protect classified information in accordance with the data owner's requirements. | DISA Oracle MySQL 8.0 v2r2 OS Linux | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| Overview of BIG-IP administrative access controls | Tenable F5 BIG-IP Best Practice Audit | F5 | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| WDNS-CM-000015 - Digital signature algorithm used for DNSSEC-enabled zones must be FIPS-compatible. | DISA Microsoft Windows 2012 Server Domain Name System STIG v2r7 | Windows | CONFIGURATION MANAGEMENT |
| WDNS-SC-000031 - The Windows 2012 DNS Server must implement NIST FIPS-validated cryptography for provisioning digital signatures, generating cryptographic hashes, and protecting unclassified information requiring confidentiality. | DISA Microsoft Windows 2012 Server Domain Name System STIG v2r7 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| WG340 IIS6 - A private web server must utilize an approved TLS version. - 'TLS 1.0\Server' | DISA STIG IIS 6.0 Site Checklist v6r16 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| WG342 IIS6 - Public web servers must use TLS if authentication is required. - 'SSL 2.0 Server' | DISA STIG IIS 6.0 Site Checklist v6r16 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| WN10-EP-000310 - Windows 10 Kernel (Direct Memory Access) DMA Protection must be enabled. | DISA Microsoft Windows 10 STIG v3r6 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| WN11-EP-000310 - Windows 11 Kernel (Direct Memory Access) DMA Protection must be enabled. | DISA Microsoft Windows 11 STIG v2r7 | Windows | AUDIT AND ACCOUNTABILITY |
| WN16-00-000100 - Windows Server 2016 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | DISA Microsoft Windows Server 2016 STIG v2r10 | Windows | CONFIGURATION MANAGEMENT |
