| 1.1 Ensure Minimum Password Length is set to 14 or higher | CIS Check Point Firewall L1 v1.1.0 | CheckPoint | IDENTIFICATION AND AUTHENTICATION |
| 1.2 Ensure Disallow Palindromes is selected | CIS Check Point Firewall L1 v1.1.0 | CheckPoint | IDENTIFICATION AND AUTHENTICATION |
| 1.4.2 Enable 'service password-encryption' | CIS Cisco IOS XE 17.x v2.2.1 L1 | Cisco | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.7 Ensure Lockout users after password expiration is set to 1 | CIS Check Point Firewall L1 v1.1.0 | CheckPoint | ACCESS CONTROL |
| 1.8 Ensure Deny access to unused accounts is selected | CIS Check Point Firewall L1 v1.1.0 | CheckPoint | ACCESS CONTROL |
| 1.12 Ensure Maximum number of failed attempts allowed is set to 5 or fewer | CIS Check Point Firewall L1 v1.1.0 | CheckPoint | ACCESS CONTROL |
| 2.1.7 Ensure IPv6 is disabled if not used | CIS Check Point Firewall L1 v1.1.0 | CheckPoint | CONFIGURATION MANAGEMENT |
| 2.2.1 Ensure SNMP agent is disabled | CIS Check Point Firewall L1 v1.1.0 | CheckPoint | CONFIGURATION MANAGEMENT |
| 2.2.2 Ensure SNMP version is set to v3-Only | CIS Check Point Firewall L1 v1.1.0 | CheckPoint | CONFIGURATION MANAGEMENT |
| 2.2.3 Ensure SNMP traps is enabled - configurationSave | CIS Check Point Firewall L1 v1.1.0 | CheckPoint | AUDIT AND ACCOUNTABILITY |
| 2.3.2 Ensure timezone is properly configured | CIS Check Point Firewall L1 v1.1.0 | CheckPoint | CONFIGURATION MANAGEMENT |
| 2.5.3 Ensure Client Authentication is secured. | CIS Check Point Firewall L1 v1.1.0 | CheckPoint | CONFIGURATION MANAGEMENT |
| 2.6.1 Ensure mgmtauditlogs is set to on | CIS Check Point Firewall L1 v1.1.0 | CheckPoint | AUDIT AND ACCOUNTABILITY |
| 2.6.2 Ensure auditlog is set to permanent | CIS Check Point Firewall L1 v1.1.0 | CheckPoint | AUDIT AND ACCOUNTABILITY |
| 3.4.2.4 Ensure nftables established connections are configured | CIS Oracle Linux 8 Workstation L1 v3.0.0 | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.4.2.4 Ensure nftables established connections are configured | CIS Red Hat EL8 Workstation L1 v3.0.0 | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.4.2.4 Ensure nftables established connections are configured | CIS AlmaLinux OS 8 Server L1 v3.0.0 | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.4.2.6 Ensure nftables established connections are configured | CIS Amazon Linux 2023 Server L2 v1.0.0 | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.4.4.3.2 Ensure ip6tables outbound and established connections are configured | CIS Red Hat Enterprise Linux 7 v4.0.0 L1 Workstation | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.5.3 Ensure iptables is installed | CIS Distribution Independent Linux Workstation L1 v2.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.5.3.2.3 Ensure outbound and established connections are configured | CIS Fedora 19 Family Linux Workstation L1 v1.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.5.3.3.3 Ensure IPv6 outbound and established connections are configured | CIS Fedora 19 Family Linux Server L1 v1.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.5.3.3.3 Ensure IPv6 outbound and established connections are configured | CIS Fedora 19 Family Linux Workstation L1 v1.0.0 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.13 Ensure Disk Space Alert is set | CIS Check Point Firewall L1 v1.1.0 | CheckPoint | AUDIT AND ACCOUNTABILITY |
| 3.14 Ensure Accept RIP is not enabled | CIS Check Point Firewall L2 v1.1.0 | CheckPoint | CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| 3.15 Ensure Accept Domain Name over TCP (Zone Transfer) is not enabled | CIS Check Point Firewall L2 v1.1.0 | CheckPoint | CONFIGURATION MANAGEMENT |
| 9.1.5 (L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' | CIS Microsoft Windows 10 Enterprise v4.0.0 L1 BL | Windows | AUDIT AND ACCOUNTABILITY |
| 9.2.5 (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' | CIS Microsoft Windows 10 Enterprise v4.0.0 L1 | Windows | AUDIT AND ACCOUNTABILITY |
| 9.2.5 (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' | CIS Microsoft Windows 10 Enterprise v4.0.0 L1 BL | Windows | AUDIT AND ACCOUNTABILITY |
| 9.3.5 (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' | CIS Microsoft Windows 11 Stand-alone v4.0.0 L1 | Windows | AUDIT AND ACCOUNTABILITY |
| 9.3.7 (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' | CIS Microsoft Windows 10 Enterprise v4.0.0 L1 BL | Windows | AUDIT AND ACCOUNTABILITY |
| 9.3.7 (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' | CIS Microsoft Windows 10 Enterprise v4.0.0 L1 NG | Windows | AUDIT AND ACCOUNTABILITY |
| 20.10 Ensure 'Active Directory SYSVOL directory must have the proper access control permissions' (STIG DC only) | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG DC | Windows | ACCESS CONTROL |
| 20.20 Ensure 'DoD Interoperability Root CA cross-certificates' are installed in the 'Untrusted Certificates Store' on unclassified systems | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 20.51 Ensure 'Permissions for the system drive root directory must conform to minimum requirements' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | ACCESS CONTROL |
| 20.51 Ensure 'Permissions for the system drive root directory must conform to minimum requirements' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG MS | Windows | ACCESS CONTROL |
| 38.8 (L1) Ensure 'Enable Public Network Firewall: Allow Local Ipsec Policy Merge' is set to 'False' | CIS Microsoft Intune for Windows 10 v4.0.0 L1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-ND-000610 - The Cisco router must be configured to require that when a password is changed, the characters are changed in at least eight of the positions within the password. | DISA Cisco IOS XE Router NDM STIG v3r4 | Cisco | IDENTIFICATION AND AUTHENTICATION |
| CISC-RT-000120 - The Cisco switch must be configured to protect against or limit the effects of denial-of-service (DoS) attacks by employing control plane protection. | DISA STIG Cisco IOS Switch RTR v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000150 - The Cisco switch must be configured to have gratuitous ARP disabled on all external interfaces. | DISA STIG Cisco IOS Switch RTR v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000160 - The Cisco switch must be configured to have IP directed broadcast disabled on all interfaces. | DISA STIG Cisco IOS Switch RTR v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000240 - The Cisco perimeter switch must be configured to deny network traffic by default and allow network traffic by exception. | DISA STIG Cisco IOS Switch RTR v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000250 - The Cisco perimeter switch must be configured to enforce approved authorizations for controlling the flow of information between interconnected networks in accordance with applicable policy. | DISA STIG Cisco IOS Switch RTR v3r1 | Cisco | ACCESS CONTROL |
| CISC-RT-000310 - The Cisco perimeter switch must be configured to restrict it from accepting outbound IP packets that contain an illegitimate address in the source address field via egress filter or by enabling Unicast Reverse Path Forwarding (uRPF). | DISA STIG Cisco IOS Switch RTR v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000380 - The Cisco perimeter switch must be configured to have Proxy ARP disabled on all external interfaces. | DISA STIG Cisco IOS Switch RTR v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000391 - The Cisco perimeter switch must be configured to suppress Router Advertisements on all external IPv6-enabled interfaces. | DISA STIG Cisco IOS Switch RTR v3r1 | Cisco | CONFIGURATION MANAGEMENT |
| CISC-RT-000392 - The Cisco perimeter switch must be configured to drop IPv6 undetermined transport packets. | DISA STIG Cisco IOS Switch RTR v3r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| DG0127-ORACLE11 - DBMS account passwords should not be set to easily guessed words or values - 'name' | DISA STIG Oracle 11 Instance v9r1 Database | OracleDB | IDENTIFICATION AND AUTHENTICATION |
| DG0127-ORACLE11 - DBMS account passwords should not be set to easily guessed words or values - 'profile' | DISA STIG Oracle 11 Instance v9r1 Database | OracleDB | |
| ESXI-80-000214 - The ESXi host must configure the firewall to block network traffic by default. | DISA VMware vSphere 8.0 ESXi STIG v2r3 | VMware | CONFIGURATION MANAGEMENT |
