| 1.1.1 Enable 'aaa new-model' | ACCESS CONTROL |
| 1.1.2 Enable 'aaa authentication login' | ACCESS CONTROL |
| 1.1.3 Enable 'aaa authentication enable default' | ACCESS CONTROL |
| 1.1.4 Set 'login authentication for 'line vty' | ACCESS CONTROL |
| 1.1.5 Set 'login authentication for 'ip http' | ACCESS CONTROL |
| 1.2.1 Set 'privilege 1' for local users | IDENTIFICATION AND AUTHENTICATION |
| 1.2.2 Set 'transport input ssh' for 'line vty' connections | IDENTIFICATION AND AUTHENTICATION |
| 1.2.3 Set 'no exec' for 'line aux 0' | CONFIGURATION MANAGEMENT |
| 1.2.4 Create 'access-list' for use with 'line vty' | ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY |
| 1.2.5 Set 'access-class' for 'line vty' | ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY |
| 1.2.6 Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0' | ACCESS CONTROL |
| 1.2.7 Set 'exec-timeout' to less than or equal to 10 minutes 'line console 0' | ACCESS CONTROL |
| 1.2.8 Set 'exec-timeout' to less than or equal to 10 minutes 'line vty' | ACCESS CONTROL |
| 1.2.9 Set 'http Secure-server' limit | ACCESS CONTROL |
| 1.2.10 Set 'exec-timeout' to less than or equal to 10 min on 'ip http' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.3.1 Set the 'banner-text' for 'banner exec' | AWARENESS AND TRAINING, PROGRAM MANAGEMENT |
| 1.3.2 Set the 'banner-text' for 'banner login' | AWARENESS AND TRAINING, PROGRAM MANAGEMENT |
| 1.3.3 Set the 'banner-text' for 'banner motd' | AWARENESS AND TRAINING, PROGRAM MANAGEMENT |
| 1.3.4 Set the 'banner-text' for 'webauth banner' | AWARENESS AND TRAINING, PROGRAM MANAGEMENT |
| 1.4.1 Set 'password' for 'enable secret' | ACCESS CONTROL |
| 1.4.2 Enable 'service password-encryption' | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.4.3 Set 'username secret' for all local users | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.5.1 Set 'no snmp-server' to disable SNMP when unused | CONFIGURATION MANAGEMENT |
| 1.5.2 Unset 'private' for 'snmp-server community' | CONFIGURATION MANAGEMENT |
| 1.5.3 Unset 'public' for 'snmp-server community' | CONFIGURATION MANAGEMENT |
| 1.5.4 Do not set 'RW' for any 'snmp-server community' | CONFIGURATION MANAGEMENT |
| 1.5.5 Set the ACL for each 'snmp-server community' | ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY |
| 1.5.6 Create an 'access-list' for use with SNMP | ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY |
| 1.5.7 Set 'snmp-server host' when using SNMP | ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY |
| 1.5.8 Set 'snmp-server enable traps snmp' | ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY |
| 1.5.9 Set 'priv' for each 'snmp-server group' using SNMPv3 | IDENTIFICATION AND AUTHENTICATION |
| 1.5.10 Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3 | IDENTIFICATION AND AUTHENTICATION |
| 2.1.1.1.1 Set the 'hostname' | CONFIGURATION MANAGEMENT |
| 2.1.1.1.2 Set the 'ip domain-name' | CONFIGURATION MANAGEMENT |
| 2.1.1.1.3 Set 'modulus' to greater than or equal to 2048 for 'crypto key generate rsa' | SYSTEM AND SERVICES ACQUISITION |
| 2.1.1.1.4 Set 'seconds' for 'ip ssh timeout' for 60 seconds or less | ACCESS CONTROL |
| 2.1.1.1.5 Set maximum value for 'ip ssh authentication-retries' | IDENTIFICATION AND AUTHENTICATION |
| 2.1.1.2 Set version 2 for 'ip ssh version' | CONFIGURATION MANAGEMENT |
| 2.1.2 Set 'no cdp run' | CONFIGURATION MANAGEMENT |
| 2.1.3 Set 'no ip bootp server' | CONFIGURATION MANAGEMENT |
| 2.1.4 Set 'no service dhcp' | CONFIGURATION MANAGEMENT |
| 2.1.5 Set 'service tcp-keepalives-in' | CONFIGURATION MANAGEMENT |
| 2.1.6 Set 'service tcp-keepalives-out' | CONFIGURATION MANAGEMENT |
| 2.1.7 Set 'no service pad' | CONFIGURATION MANAGEMENT |
| 2.2.1 Set 'logging enable' | AUDIT AND ACCOUNTABILITY |
| 2.2.2 Set 'buffer size' for 'logging buffered' | AUDIT AND ACCOUNTABILITY |
| 2.2.3 Set 'logging console critical' | AUDIT AND ACCOUNTABILITY |
| 2.2.7 Set 'logging source interface' | AUDIT AND ACCOUNTABILITY |
| 2.2.8 Set 'login success/failure logging' | AUDIT AND ACCOUNTABILITY |
| 2.3.1.1 Set 'ntp authenticate' | AUDIT AND ACCOUNTABILITY |
