| 1.2.4.2 Ensure automatic recording is set to 'Record in the Cloud' | CIS Zoom L2 v1.0.0 | Zoom | CONFIGURATION MANAGEMENT |
| 1.2.12 Ensure allow recovery of deleted cloud recordings from trash is set to enabled | CIS Zoom L2 v1.0.0 | Zoom | CONFIGURATION MANAGEMENT |
| 1.3 Ensure that Security Key Enforcement is Enabled for All Admin Accounts | CIS Google Cloud Platform Foundation v4.0.0 L2 | GCP | IDENTIFICATION AND AUTHENTICATION |
| 1.4 Ensure That There Are Only GCP-Managed Service Account Keys for Each Service Account | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | IDENTIFICATION AND AUTHENTICATION |
| 1.5 Ensure That Service Account Has No Admin Privileges | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | ACCESS CONTROL |
| 1.6 Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | ACCESS CONTROL, MEDIA PROTECTION |
| 1.10 Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.8 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes | CIS Google Cloud Platform Foundation v4.0.0 L2 | GCP | AUDIT AND ACCOUNTABILITY |
| 2.14 Ensure 'Access Transparency' is 'Enabled' | CIS Google Cloud Platform Foundation v4.0.0 L2 | GCP | AUDIT AND ACCOUNTABILITY |
| 3.4 Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.5 Ensure That RSASHA1 Is Not Used for the Zone-Signing Key in Cloud DNS DNSSEC | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.6 Ensure That SSH Access Is Restricted From the Internet | CIS Google Cloud Platform Foundation v4.0.0 L2 | GCP | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.7 Ensure That RDP Access Is Restricted From the Internet | CIS Google Cloud Platform Foundation v4.0.0 L2 | GCP | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.8 Ensure that On-Premise SharePoint servers is configured without OneDrive redirection linkages. | CIS Microsoft SharePoint 2019 OS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 3.9 Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.10 Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed' | CIS Google Cloud Platform Foundation v4.0.0 L2 | GCP | ACCESS CONTROL |
| 4.1.1 Ensure only MFA enabled identities can access privileged Virtual Machine | CIS Microsoft Azure Foundations v4.0.0 L2 | microsoft_azure | IDENTIFICATION AND AUTHENTICATION |
| 4.3 Ensure "Block Project-Wide SSH Keys" Is Enabled for VM Instances | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.7 Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK) | CIS Google Cloud Platform Foundation v4.0.0 L2 | GCP | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.10 Ensure That App Engine Applications Enforce HTTPS Connections | CIS Google Cloud Platform Foundation v4.0.0 L2 | GCP | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.12 Ensure the Latest Operating System Updates Are Installed On Your Virtual Machines in All Projects | CIS Google Cloud Platform Foundation v4.0.0 L2 | GCP | SYSTEM AND SERVICES ACQUISITION |
| 5.1 Ensure That Cloud Storage Bucket Is Not Anonymously or Publicly Accessible | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1.1 Ensure Image Vulnerability Scanning is enabled | CIS Google Kubernetes Engine (GKE) Autopilot v1.1.0 L2 | GCP | RISK ASSESSMENT |
| 5.1.1 Ensure Image Vulnerability Scanning is enabled | CIS Google Kubernetes Engine (GKE) v1.7.0 L2 | GCP | RISK ASSESSMENT |
| 5.3.1 Ensure Kubernetes Secrets are encrypted using keys managed in Cloud KMS | CIS Google Kubernetes Engine (GKE) Autopilot v1.1.0 L2 | GCP | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.2.1 Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter | CIS Google Cloud Platform Foundation v4.0.0 L2 | GCP | AUDIT AND ACCOUNTABILITY |
| 6.2.5 Ensure that the 'Log_min_messages' Flag for a Cloud SQL PostgreSQL Instance is set at minimum to 'Warning' | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | AUDIT AND ACCOUNTABILITY |
| 6.2.6 Ensure 'Log_min_error_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'Error' or Stricter | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | AUDIT AND ACCOUNTABILITY |
| 6.2.7 Ensure That the 'Log_min_duration_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set to '-1' (Disabled) | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | AUDIT AND ACCOUNTABILITY |
| 6.2.8 Ensure That 'cloudsql.enable_pgaudit' Database Flag for each Cloud Sql Postgresql Instance Is Set to 'on' For Centralized Logging | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | AUDIT AND ACCOUNTABILITY |
| 6.3.5 Ensure 'remote access' Database Flag for Cloud SQL SQL Server Instance Is Set to 'off' | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | CONFIGURATION MANAGEMENT |
| 6.3.7 Ensure 'contained database authentication' Database Flag for Cloud SQL SQL Server Instance Is Set to 'off' | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | ACCESS CONTROL, MEDIA PROTECTION |
| 7.2 Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK) | CIS Google Cloud Platform Foundation v4.0.0 L2 | GCP | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.1.3.3 Ensure that 'Endpoint protection' component status is set to 'On' | CIS Microsoft Azure Foundations v4.0.0 L2 | microsoft_azure | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 18.9.52.2 Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled' | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0 | Windows | ACCESS CONTROL |
| 18.9.77.3.1 (L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' | CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| 18.10.41.1 (L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled' | CIS Microsoft Windows Server 2025 v1.0.0 L2 DC | Windows | CONFIGURATION MANAGEMENT |
| 18.10.41.1 (L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled' | CIS Microsoft Windows Server 2019 v4.0.0 L2 DC | Windows | CONFIGURATION MANAGEMENT |
| 18.10.41.1 (L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled' | CIS Microsoft Windows 10 Enterprise v4.0.0 L2 BL | Windows | CONFIGURATION MANAGEMENT |
| 18.10.41.1 (L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled' | CIS Microsoft Windows 10 Stand-alone v4.0.0 L2 NG | Windows | CONFIGURATION MANAGEMENT |
| 18.10.43.5.1 (L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' | CIS Windows Server 2012 DC L1 v3.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 18.10.43.5.1 (L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' | CIS Windows Server 2012 R2 DC L1 v3.0.0 | Windows | CONFIGURATION MANAGEMENT |
| AIOS-12-004300 - Apple iOS must not allow backup to remote systems (iCloud Keychain). | AirWatch - DISA Apple iOS 12 v2r1 | MDM | CONFIGURATION MANAGEMENT |
| FFOX-00-000038 - Pocket must be disabled. | DISA STIG Mozilla Firefox Linux v6r6 | Unix | CONFIGURATION MANAGEMENT |
| FFOX-00-000038 - Pocket must be disabled. | DISA STIG Mozilla Firefox MacOS v6r6 | Unix | CONFIGURATION MANAGEMENT |
| FFOX-00-000038 - Pocket must be disabled. | DISA STIG Mozilla Firefox Windows v6r6 | Windows | CONFIGURATION MANAGEMENT |
| iOS Device Management - Backup to iCloud | Tenable Best Practices for Microsoft Intune iOS v1.0 | microsoft_azure | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| iOS Device Management - Encrypted backup | Tenable Best Practices for Microsoft Intune iOS v1.0 | microsoft_azure | ACCESS CONTROL |
| iOS Device Management - iCloud Photo Library | Tenable Best Practices for Microsoft Intune iOS v1.0 | microsoft_azure | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| MS.AAD.3.6v1 - Phishing-resistant MFA SHALL be required for highly privileged roles. | CISA SCuBA Microsoft 365 Entra ID v1.5.0 | microsoft_azure | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
