| Rule ID | Title | Control Family |
|---|---|---|
| ESXI-70-000001 | Access to the ESXi host must be limited by enabling lockdown mode. | ACCESS CONTROL |
| ESXI-70-000002 | The ESXi host must verify the DCUI.Access list. | CONFIGURATION MANAGEMENT |
| ESXI-70-000003 | The ESXi host must verify the exception users list for lockdown mode. | CONFIGURATION MANAGEMENT |
| ESXI-70-000004 | Remote logging for ESXi hosts must be configured. | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| ESXI-70-000005 | The ESXi host must enforce the limit of three consecutive invalid logon attempts by a user. | ACCESS CONTROL |
| ESXI-70-000006 | The ESXi host must enforce an unlock timeout of 15 minutes after a user account is locked out. | ACCESS CONTROL |
| ESXI-70-000007 | The ESXi host must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via the Direct Console User Interface (DCUI). | ACCESS CONTROL |
| ESXI-70-000008 | The ESXi host must display the Standard Mandatory DOD Notice and Consent Banner before granting access to the system via Secure Shell (SSH). | ACCESS CONTROL |
| ESXI-70-000030 | The ESXi host must produce audit records containing information to establish what type of events occurred. | AUDIT AND ACCOUNTABILITY |
| ESXI-70-000031 | The ESXi host must be configured with a sufficiently complex password policy. | IDENTIFICATION AND AUTHENTICATION |
| ESXI-70-000032 | The ESXi host must prohibit the reuse of passwords within five iterations. | IDENTIFICATION AND AUTHENTICATION |
| ESXI-70-000034 | The ESXi host must disable the Managed Object Browser (MOB). | CONFIGURATION MANAGEMENT |
| ESXI-70-000035 | The ESXi host must be configured to disable nonessential capabilities by disabling Secure Shell (SSH). | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| ESXI-70-000036 | The ESXi host must disable ESXi Shell unless needed for diagnostics or troubleshooting. | CONFIGURATION MANAGEMENT |
| ESXI-70-000037 | The ESXi host must use Active Directory for local user authentication. | IDENTIFICATION AND AUTHENTICATION |
| ESXI-70-000038 | ESXi hosts using Host Profiles and/or Auto Deploy must use the vSphere Authentication Proxy to protect passwords when adding themselves to Active Directory. | IDENTIFICATION AND AUTHENTICATION |
| ESXI-70-000039 | Active Directory ESX Admin group membership must not be used when adding ESXi hosts to Active Directory. | IDENTIFICATION AND AUTHENTICATION |
| ESXI-70-000041 | The ESXi host must set a timeout to automatically disable idle shell sessions after two minutes. | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXI-70-000042 | The ESXi host must terminate shell services after 10 minutes. | SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXI-70-000043 | The ESXi host must log out of the console UI after two minutes. | SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXI-70-000045 | The ESXi host must enable a persistent log location for all locally stored logs. | AUDIT AND ACCOUNTABILITY |
| ESXI-70-000046 | The ESXi host must configure NTP time synchronization. | AUDIT AND ACCOUNTABILITY |
| ESXI-70-000048 | The ESXi host must protect the confidentiality and integrity of transmitted information by isolating vMotion traffic. | SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXI-70-000049 | The ESXi host must protect the confidentiality and integrity of transmitted information by protecting ESXi management traffic. | SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXI-70-000050 | The ESXi host must protect the confidentiality and integrity of transmitted information by isolating IP-based storage traffic. | SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXI-70-000053 | Simple Network Management Protocol (SNMP) must be configured properly on the ESXi host. | CONFIGURATION MANAGEMENT |
| ESXI-70-000054 | The ESXi host must enable bidirectional Challenge-Handshake Authentication Protocol (CHAP) authentication for Internet Small Computer Systems Interface (iSCSI) traffic. | CONFIGURATION MANAGEMENT |
| ESXI-70-000055 | The ESXi host must disable Inter-Virtual Machine (VM) Transparent Page Sharing. | CONFIGURATION MANAGEMENT |
| ESXI-70-000057 | The ESXi host must configure the firewall to block network traffic by default - incoming. | CONFIGURATION MANAGEMENT |
| ESXI-70-000057 | The ESXi host must configure the firewall to block network traffic by default - outgoing. | CONFIGURATION MANAGEMENT |
| ESXI-70-000058 | The ESXi host must enable Bridge Protocol Data Units (BPDU) filter on the host to prevent being locked out of physical switch ports with Portfast and BPDU Guard enabled. | CONFIGURATION MANAGEMENT |
| ESXI-70-000059 | All port groups on standard switches must be configured to reject forged transmits. | CONFIGURATION MANAGEMENT |
| ESXI-70-000060 | All port groups on standard switches must be configured to reject guest Media Access Control (MAC) address changes. | CONFIGURATION MANAGEMENT |
| ESXI-70-000061 | All port groups on standard switches must be configured to reject guest promiscuous mode requests. | CONFIGURATION MANAGEMENT |
| ESXI-70-000062 | Use of the dvFilter network application programming interfaces (APIs) must be restricted. | CONFIGURATION MANAGEMENT |
| ESXI-70-000063 | All port groups on standard switches must be configured to a value other than that of the native virtual local area network (VLAN). | CONFIGURATION MANAGEMENT |
| ESXI-70-000064 | All port groups on standard switches must not be configured to virtual local area network (VLAN) 4095 unless Virtual Guest Tagging (VGT) is required - VGT is required. | CONFIGURATION MANAGEMENT |
| ESXI-70-000065 | All port groups on standard switches must not be configured to virtual local area network (VLAN) values reserved by upstream physical switches. | CONFIGURATION MANAGEMENT |
| ESXI-70-000070 | The ESXi host must not provide root/administrator-level access to Common Information Model (CIM)-based hardware monitoring tools or other third-party applications. | CONFIGURATION MANAGEMENT |
| ESXI-70-000072 | The ESXi host must have all security patches and updates installed. | CONFIGURATION MANAGEMENT |
| ESXI-70-000074 | The ESXi host must exclusively enable Transport Layer Security (TLS) 1.2 for all endpoints. | SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXI-70-000079 | The ESXi host must not suppress warnings that the local or remote shell sessions are enabled. | CONFIGURATION MANAGEMENT |
| ESXI-70-000081 | The ESXi host must not suppress warnings about unmitigated hyperthreading vulnerabilities. | CONFIGURATION MANAGEMENT |
| ESXI-70-000086 | The ESXi host must verify certificates for SSL syslog endpoints. | CONFIGURATION MANAGEMENT |
| ESXI-70-000087 | The ESXi host must enable volatile key destruction. | CONFIGURATION MANAGEMENT |
| ESXI-70-000088 | The ESXi host must configure a session timeout for the vSphere API. | CONFIGURATION MANAGEMENT |
| ESXI-70-000089 | The ESXi Host Client must be configured with a session timeout. | CONFIGURATION MANAGEMENT |
| ESXI-70-000091 | The ESXi host must be configured with an appropriate maximum password age. | CONFIGURATION MANAGEMENT |
| ESXI-70-000097 | The ESXi Common Information Model (CIM) service must be disabled. | CONFIGURATION MANAGEMENT |