| 1.2 Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts | CIS Google Cloud Platform v3.0.0 L1 | GCP | IDENTIFICATION AND AUTHENTICATION |
| 1.2.5.2 Ensure only the host can download cloud recordings is set to enabled | CIS Zoom L2 v1.0.0 | Zoom | CONFIGURATION MANAGEMENT |
| 1.8 Ensure That Separation of Duties Is Enforced While Assigning Service Account Related Roles to Users | CIS Google Cloud Platform v3.0.0 L2 | GCP | ACCESS CONTROL, MEDIA PROTECTION |
| 1.14 Ensure API Keys Are Restricted to Only APIs That Application Needs Access | CIS Google Cloud Platform v3.0.0 L2 | GCP | PLANNING, SYSTEM AND SERVICES ACQUISITION |
| 2.7 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes | CIS Google Cloud Platform v3.0.0 L2 | GCP | AUDIT AND ACCOUNTABILITY |
| 2.8 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes | CIS Google Cloud Platform v3.0.0 L2 | GCP | AUDIT AND ACCOUNTABILITY |
| 2.10 Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes | CIS Google Cloud Platform v3.0.0 L2 | GCP | AUDIT AND ACCOUNTABILITY |
| 2.10.1 Ensure 'Allow automatic sign-in to Microsoft cloud identity providers' Is Enabled | CIS Google Chrome L1 v3.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 2.14 Ensure 'Access Transparency' is 'Enabled' | CIS Google Cloud Platform v3.0.0 L2 | GCP | AUDIT AND ACCOUNTABILITY |
| 2.15 Ensure 'Access Approval' is 'Enabled' | CIS Google Cloud Platform v3.0.0 L2 | GCP | ACCESS CONTROL, MEDIA PROTECTION |
| 3.4 Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC | CIS Google Cloud Platform v3.0.0 L1 | GCP | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.5 Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC | CIS Google Cloud Platform v3.0.0 L1 | GCP | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.6 Ensure That SSH Access Is Restricted From the Internet | CIS Google Cloud Platform v3.0.0 L2 | GCP | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.7 Ensure That RDP Access Is Restricted From the Internet | CIS Google Cloud Platform v3.0.0 L2 | GCP | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.8 Ensure that VPC Flow Logs is Enabled for Every Subnet in a VPC Network | CIS Google Cloud Platform v3.0.0 L2 | GCP | AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY |
| 4.1 Ensure That Instances Are Not Configured To Use the Default Service Account | CIS Google Cloud Platform v3.0.0 L1 | GCP | IDENTIFICATION AND AUTHENTICATION |
| 4.7 Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK) | CIS Google Cloud Platform v3.0.0 L2 | GCP | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.8 Ensure Compute Instances Are Launched With Shielded VM Enabled | CIS Google Cloud Platform v3.0.0 L2 | GCP | CONFIGURATION MANAGEMENT |
| 4.12 Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects | CIS Google Cloud Platform v3.0.0 L2 | GCP | SYSTEM AND SERVICES ACQUISITION |
| 5.7 Choosing Wildfire public cloud region | CIS Palo Alto Firewall 11 v1.0.0 L2 | Palo_Alto | CONFIGURATION MANAGEMENT |
| 6.1.1 Ensure That a MySQL Database Instance Does Not Allow Anyone To Connect With Administrative Privileges | CIS Google Cloud Platform v3.0.0 L1 | GCP | IDENTIFICATION AND AUTHENTICATION |
| 6.2.4 Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately | CIS Google Cloud Platform v3.0.0 L2 | GCP | AUDIT AND ACCOUNTABILITY |
| 6.5 Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses | CIS Google Cloud Platform v3.0.0 L1 | GCP | ACCESS CONTROL, MEDIA PROTECTION |
| 6.6 Ensure That Cloud SQL Database Instances Do Not Have Public IPs | CIS Google Cloud Platform v3.0.0 L2 | GCP | ACCESS CONTROL, MEDIA PROTECTION |
| 6.7 Ensure That Cloud SQL Database Instances Are Configured With Automated Backups | CIS Google Cloud Platform v3.0.0 L1 | GCP | CONTINGENCY PLANNING |
| 7.3 Ensure That a Default Customer-Managed Encryption Key (CMEK) Is Specified for All BigQuery Data Sets | CIS Google Cloud Platform v3.0.0 L2 | GCP | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.1 Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key | CIS Google Cloud Platform v3.0.0 L2 | GCP | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.9.13.1 Ensure 'Turn off cloud optimized content' is set to 'Enabled' | CIS Microsoft Windows Server 2019 STIG MS L2 v1.0.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.9.13.1 Ensure 'Turn off cloud optimized content' is set to 'Enabled' | CIS Microsoft Windows Server 2019 STIG DC L2 v1.0.1 | Windows | CONFIGURATION MANAGEMENT |
| 18.10.12.2 Ensure 'Turn off cloud optimized content' is set to 'Enabled' | CIS Microsoft Windows 10 EMS Gateway v2.0.0 L1 | Windows | CONFIGURATION MANAGEMENT |
| 18.10.12.2 Ensure 'Turn off cloud optimized content' is set to 'Enabled' - Enabled | CIS Microsoft Windows 11 Stand-alone v2.0.0 L2 + BL | Windows | CONFIGURATION MANAGEMENT |
| 18.10.12.2 Ensure 'Turn off cloud optimized content' is set to 'Enabled' - Enabled | CIS Microsoft Windows 11 Stand-alone v2.0.0 L2 | Windows | CONFIGURATION MANAGEMENT |
| 60.1 (L2) Ensure 'Allow Cloud Search' is set to 'Not allowed' | CIS Microsoft Intune for Windows 11 v3.0.1 L2 | Windows | CONFIGURATION MANAGEMENT |
| 60.1 (L2) Ensure 'Allow Cloud Search' is set to 'Not allowed' | CIS Microsoft Intune for Windows 10 v3.0.1 L2 | Windows | CONFIGURATION MANAGEMENT |
| AIOS-02-080103 - Apple iOS must not allow backup to remote systems (managed applications data stored in iCloud). | AirWatch - DISA Apple iOS 10 v1r3 | MDM | CONFIGURATION MANAGEMENT |
| AIOS-02-090101 - Apple iOS must implement the management setting: Disable Allow iCloud Photo Library. | AirWatch - DISA Apple iOS 10 v1r3 | MDM | CONFIGURATION MANAGEMENT |
| AIOS-12-004600 - Apple iOS must not allow backup to remote systems (managed applications data stored in iCloud). | AirWatch - DISA Apple iOS 12 v2r1 | MDM | CONFIGURATION MANAGEMENT |
| AIOS-13-004600 - Apple iOS/iPadOS must not allow backup to remote systems (managed applications data stored in iCloud). | AirWatch - DISA Apple iOS/iPadOS 13 v2r1 | MDM | CONFIGURATION MANAGEMENT |
| alert | CIS Google Cloud Platform v3.0.0 L2 | GCP | |
| ARDC-CL-000085 - Adobe Reader DC must disable Adobe Send for Signature. | DISA STIG Adobe Acrobat Reader DC Classic Track v2r1 | Windows | CONFIGURATION MANAGEMENT |
| ARDC-CN-000085 - Adobe Reader DC must disable Adobe Send for Signature. | DISA STIG Adobe Acrobat Reader DC Continuous Track v2r1 | Windows | CONFIGURATION MANAGEMENT |
| Decrypter | CIS Google Cloud Platform v3.0.0 L2 | GCP | |
| Encrypter | CIS Google Cloud Platform v3.0.0 L2 | GCP | |
| Encrypter/Decrypter | CIS Google Cloud Platform v3.0.0 L2 | GCP | |
| KNOX-07-001600 - The Samsung whitelist must be configured to not include applications that Back up MD data to non-DoD cloud servers. | AirWatch - DISA Samsung Android 7 with Knox 2.x v1r1 | MDM | CONFIGURATION MANAGEMENT |
| KNOX-07-001600 - The Samsung whitelist must be configured to not include applications that Back up MD data to non-DoD cloud servers. | MobileIron - DISA Samsung Android 7 with Knox 2.x v1r1 | MDM | CONFIGURATION MANAGEMENT |
| metric | CIS Google Cloud Platform v3.0.0 L2 | GCP | |
| project | CIS Google Cloud Platform v3.0.0 L1 | GCP | |
| WDNS-CM-000025 - The Windows 2012 DNS Servers zone files must not include CNAME records pointing to a zone with lesser security for more than six months. | DISA Microsoft Windows 2012 Server DNS STIG v2r5 | Windows | CONFIGURATION MANAGEMENT |
| Windows Device Configuration - Cloud-delivered protection | Tenable Best Practices for Microsoft Intune Windows v1.0 | microsoft_azure | CONFIGURATION MANAGEMENT |
