| 2.4 Ensure DHCP services are disabled for untrusted interfaces | CIS Cisco ASA 9.x Firewall L1 v1.1.0 | Cisco | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.5 Ensure ICMP is restricted for untrusted interfaces | CIS Cisco ASA 9.x Firewall L1 v1.1.0 | Cisco | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1 Ensure DNS services are configured correctly | CIS Cisco ASA 9.x Firewall L1 v1.1.0 | Cisco | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1.2.1 Configure BGP to Log Neighbor Changes | CIS Cisco NX-OS L1 v1.1.0 | Cisco | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.3 Ensure packet fragments are restricted for untrusted interfaces | CIS Cisco ASA 9.x Firewall L1 v1.1.0 | Cisco | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.8 Ensure 'security-level' is set to '0' for Internet-facing interface | CIS Cisco ASA 9.x Firewall L1 v1.1.0 | Cisco | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.9 Ensure Botnet protection is enabled for untrusted interfaces | CIS Cisco ASA 9.x Firewall L2 v1.1.0 | Cisco | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.9 Ensure Botnet protection is enabled for untrusted interfaces | CIS Cisco Firewall v8.x L1 v4.2.0 | Cisco | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| AOSX-14-001060 - The macOS system must accept and verify Personal Identity Verification (PIV) credentials, implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network, and only allow the use of DoD PKI-established certificate authorities for verification of the establishment of protected sessions. | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| APPL-15-001060 - The macOS system must set smart card certificate trust to moderate. | DISA Apple macOS 15 (Sequoia) STIG v1r1 | Unix | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-U1-000030 - The Apache web server must use cryptography to protect the integrity of remote sessions - ssl_module | DISA STIG Apache Server 2.4 Unix Server v3r1 Middleware | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-U1-000030 - The Apache web server must use cryptography to protect the integrity of remote sessions - SSLProtocol | DISA STIG Apache Server 2.4 Unix Server v3r1 Middleware | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-U1-000030 - The Apache web server must use cryptography to protect the integrity of remote sessions. | DISA STIG Apache Server 2.4 Unix Server v3r1 | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-U1-000460 - The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination. | DISA STIG Apache Server 2.4 Unix Server v3r1 Middleware | Unix | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-U1-000460 - The Apache web server must invalidate session identifiers upon hosted application user logout or other session termination. | DISA STIG Apache Server 2.4 Unix Server v3r1 | Unix | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-U1-000520 - The Apache web server must generate a session ID using as much of the character set as possible to reduce the risk of brute force. | DISA STIG Apache Server 2.4 Unix Server v3r1 Middleware | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-U1-000520 - The Apache web server must generate a session ID using as much of the character set as possible to reduce the risk of brute force. | DISA STIG Apache Server 2.4 Unix Server v3r1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W1-000480 - The Apache web server must accept only system-generated session identifiers. | DISA STIG Apache Server 2.4 Windows Server v2r3 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| AS24-W1-000480 - The Apache web server must accept only system-generated session identifiers. | DISA STIG Apache Server 2.4 Windows Server v3r1 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| ESXI-67-000040 - The ESXi host must use multifactor authentication for local DCUI access to privileged accounts. | DISA STIG VMware vSphere 6.7 ESXi v1r3 | VMware | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| Monterey - Set Smartcard Certificate Trust to Moderate | NIST macOS Monterey v1.0.0 - CNSSI 1253 | Unix | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| Monterey - Set Smartcard Certificate Trust to Moderate | NIST macOS Monterey v1.0.0 - 800-53r4 Moderate | Unix | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| Monterey - Set Smartcard Certificate Trust to Moderate | NIST macOS Monterey v1.0.0 - 800-53r5 Moderate | Unix | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| Monterey - Set Smartcard Certificate Trust to Moderate | NIST macOS Monterey v1.0.0 - All Profiles | Unix | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| OH12-1X-000302 - OHS must have the SSLVerifyClient directive enabled to only accept client certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs). | DISA STIG Oracle HTTP Server 12.1.3 v2r2 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| PGS9-00-010300 - PostgreSQL must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions. | DISA STIG PostgreSQL 9.x on RHEL DB v2r5 | PostgreSQLDB | SYSTEM AND COMMUNICATIONS PROTECTION |
| SPLK-CL-000040 - Splunk Enterprise must only allow the use of DOD-approved certificate authorities for cryptographic functions. | DISA STIG Splunk Enterprise 7.x for Windows v3r1 REST API | Splunk | SYSTEM AND COMMUNICATIONS PROTECTION |
| VCEM-70-000004 - ESX Agent Manager must protect cookies from cross-site scripting (XSS). | DISA STIG VMware vSphere 7.0 EAM Tomcat v1r2 | Unix | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
| VCFL-67-000004 - vSphere Client must protect cookies from XSS. | DISA STIG VMware vSphere 6.7 Virgo Client v1r2 | Unix | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
| VCLU-70-000004 - Lookup Service must protect cookies from cross-site scripting (XSS) - XSS. | DISA STIG VMware vSphere 7.0 Lookup Service v1r2 | Unix | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
| VCST-67-000004 - The Security Token Service must protect cookies from XSS. | DISA STIG VMware vSphere 6.7 STS Tomcat v1r3 | Unix | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
| VCST-70-000004 - The Security Token Service must protect cookies from cross-site scripting (XSS). | DISA STIG VMware vSphere 7.0 STS Tomcat v1r2 | Unix | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION |
| WBLC-08-000224 - Oracle WebLogic must terminate user sessions upon user logout or any other organization- or policy-defined session termination events such as idle time limit exceeded. | Oracle WebLogic Server 12c Linux v2r1 Middleware | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| WN10-PK-000005 - The DoD Root CA certificates must be installed in the Trusted Root Store. | DISA Windows 10 STIG v3r2 | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| WN10-PK-000015 - The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. | DISA Windows 10 STIG v3r2 | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| WN10-PK-000020 - The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. | DISA Windows 10 STIG v3r2 | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| WN12-PK-000001 - The DoD Root CA certificates must be installed in the Trusted Root Store | DISA Windows Server 2012 and 2012 R2 DC STIG v3r7 | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| WN12-PK-000001 - The DoD Root CA certificates must be installed in the Trusted Root Store | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| WN12-PK-000003 - The DoD Interoperability Root CA cross-certificates must be installed into the Untrusted Certificates Store on unclassified systems. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| WN12-PK-000003 - The DoD Interoperability Root CA cross-certificates must be installed into the Untrusted Certificates Store on unclassified systems. | DISA Windows Server 2012 and 2012 R2 DC STIG v3r7 | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| WN12-PK-000004 - The US DoD CCEB Interoperability Root CA cross-certificates must be installed into the Untrusted Certificates Store on unclassified systems. | DISA Windows Server 2012 and 2012 R2 MS STIG v3r7 | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| WN12-PK-000004 - The US DoD CCEB Interoperability Root CA cross-certificates must be installed into the Untrusted Certificates Store on unclassified systems. | DISA Windows Server 2012 and 2012 R2 DC STIG v3r7 | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| WN16-PK-000010 - The DoD Root CA certificates must be installed in the Trusted Root Store. | DISA Windows Server 2016 STIG v2r9 | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| WN16-PK-000030 - The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. | DISA Windows Server 2016 STIG v2r9 | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| WN19-PK-000010 - Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store. | DISA Windows Server 2019 STIG v3r2 | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| WN19-PK-000020 - Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems. | DISA Windows Server 2019 STIG v3r2 | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| WN19-PK-000030 - Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems. | DISA Windows Server 2019 STIG v3r2 | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| WN22-PK-000010 - Windows Server 2022 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store. | DISA Windows Server 2022 STIG v2r2 | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| WN22-PK-000020 - Windows Server 2022 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems. | DISA Windows Server 2022 STIG v2r2 | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| WN22-PK-000030 - Windows Server 2022 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems. | DISA Windows Server 2022 STIG v2r2 | Windows | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
