| 1.1.3.7 Ensure require encryption for 3rd party endpoints (SIP/H.323) is set to enabled | CIS Zoom L1 v1.0.0 | Zoom | CONFIGURATION MANAGEMENT |
| 1.2.9 Ensure IP address access control is set to organization approved ranges | CIS Zoom L2 v1.0.0 | Zoom | CONFIGURATION MANAGEMENT |
| 1.3 Ensure that Security Key Enforcement is Enabled for All Admin Accounts | CIS Google Cloud Platform Foundation v4.0.0 L2 | GCP | IDENTIFICATION AND AUTHENTICATION |
| 1.6 Ensure That IAM Users Are Not Assigned the Service Account User or Service Account Token Creator Roles at Project Level | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | ACCESS CONTROL, MEDIA PROTECTION |
| 1.7 Ensure User-Managed/External Keys for Service Accounts Are Rotated Every 90 Days or Fewer | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | IDENTIFICATION AND AUTHENTICATION |
| 1.14 Ensure API Keys Are Restricted to Only APIs That Application Needs Access | CIS Google Cloud Platform Foundation v4.0.0 L2 | GCP | PLANNING, SYSTEM AND SERVICES ACQUISITION |
| 2.1.1.2 Audit iCloud Drive | CIS Apple macOS 14.0 Sonoma v2.1.0 L2 | Unix | ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.1.1.2 Audit iCloud Drive | CIS Apple macOS 15.0 Sequoia v1.1.0 L2 | Unix | ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.1.1.2 Audit iCloud Drive | CIS Apple macOS 13.0 Ventura v3.1.0 L2 | Unix | ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.3.22.2 Ensure 'Block signing into Office' is set to 'Enabled: Org ID only' | CIS Microsoft Office Enterprise v1.2.0 L1 | Windows | ACCESS CONTROL |
| 2.4 Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | AUDIT AND ACCOUNTABILITY |
| 2.6.1 iCloud configuration | CIS Apple macOS 10.13 L2 v1.1.0 | Unix | ACCESS CONTROL |
| 2.7 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes | CIS Google Cloud Platform Foundation v4.0.0 L2 | GCP | AUDIT AND ACCOUNTABILITY |
| 2.8 Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes | CIS Google Cloud Platform Foundation v4.0.0 L2 | GCP | AUDIT AND ACCOUNTABILITY |
| 2.15 Ensure 'Access Approval' is 'Enabled' | CIS Google Cloud Platform Foundation v4.0.0 L2 | GCP | ACCESS CONTROL, MEDIA PROTECTION |
| 3.4 Ensure That RSASHA1 Is Not Used for the Key-Signing Key in Cloud DNS DNSSEC | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 3.8 Ensure that On-Premise SharePoint servers is configured without OneDrive redirection linkages. | CIS Microsoft SharePoint 2019 OS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| 3.8 Ensure that On-Premise SharePoint servers is configured without OneDrive redirection linkages. | CIS Microsoft SharePoint 2016 OS v1.1.0 | Windows | CONFIGURATION MANAGEMENT |
| 3.9 Ensure No HTTPS or SSL Proxy Load Balancers Permit SSL Policies With Weak Cipher Suites | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.10 Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed' | CIS Google Cloud Platform Foundation v4.0.0 L2 | GCP | ACCESS CONTROL |
| 4.1 Ensure That Instances Are Not Configured To Use the Default Service Account | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | IDENTIFICATION AND AUTHENTICATION |
| 4.6 Ensure That IP Forwarding Is Not Enabled on Instances | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.7 Ensure VM Disks for Critical VMs Are Encrypted With Customer-Supplied Encryption Keys (CSEK) | CIS Google Cloud Platform Foundation v4.0.0 L2 | GCP | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.2.1 Ensure 'Log_error_verbosity' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'DEFAULT' or Stricter | CIS Google Cloud Platform Foundation v4.0.0 L2 | GCP | AUDIT AND ACCOUNTABILITY |
| 6.2.2 Ensure That the 'Log_connections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | AUDIT AND ACCOUNTABILITY |
| 6.2.3 Ensure That the 'Log_disconnections' Database Flag for Cloud SQL PostgreSQL Instance Is Set to 'On' | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | AUDIT AND ACCOUNTABILITY |
| 6.2.4 Ensure 'Log_statement' Database Flag for Cloud SQL PostgreSQL Instance Is Set Appropriately | CIS Google Cloud Platform Foundation v4.0.0 L2 | GCP | AUDIT AND ACCOUNTABILITY |
| 6.3.1 Ensure 'external scripts enabled' Database Flag for Cloud SQL SQL Server Instance Is Set to 'off' | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| 6.3.3 Ensure 'user Connections' Database Flag for Cloud SQL SQL Server Instance Is Set to a Non-limiting Value | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 7.2 Ensure That All BigQuery Tables Are Encrypted With Customer-Managed Encryption Key (CMEK) | CIS Google Cloud Platform Foundation v4.0.0 L2 | GCP | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.4 Ensure all data in BigQuery has been classified | CIS Google Cloud Platform Foundation v4.0.0 L2 | GCP | AUDIT AND ACCOUNTABILITY, RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 9.1.13 Ensure 'Additional email addresses' is Configured with a Security Contact Email | CIS Microsoft Azure Foundations v4.0.0 L1 | microsoft_azure | INCIDENT RESPONSE |
| 18.9.47.4.1 Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' | CIS Azure Compute Microsoft Windows Server 2022 v1.0.0 L1 DC | Windows | CONFIGURATION MANAGEMENT |
| 18.9.52.2 Ensure 'Prevent the usage of OneDrive for file storage on Windows 8.1' is set to 'Enabled' | CIS Microsoft Windows 8.1 v2.4.1 L1 | Windows | ACCESS CONTROL |
| 18.10.12.1 (L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled' | CIS Microsoft Windows 10 EMS Gateway v3.0.0 L1 | Windows | ACCESS CONTROL |
| 18.10.13.1 (L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled' | CIS Microsoft Windows 10 Enterprise v4.0.0 L1 NG | Windows | ACCESS CONTROL |
| 18.10.13.1 (L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled' | CIS Microsoft Windows 11 Enterprise v4.0.0 L1 | Windows | ACCESS CONTROL |
| 18.10.13.1 (L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled' | CIS Microsoft Windows 11 Stand-alone v4.0.0 L1 BL | Windows | ACCESS CONTROL |
| 18.10.13.1 (L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled' | CIS Microsoft Windows 10 Stand-alone v4.0.0 L1 BL | Windows | ACCESS CONTROL |
| 18.10.41.1 (L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled' | CIS Microsoft Windows Server 2022 v4.0.0 L2 MS | Windows | CONFIGURATION MANAGEMENT |
| 18.10.41.1 (L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled' | CIS Microsoft Windows Server 2022 Stand-alone v1.0.0 L2 MS | Windows | CONFIGURATION MANAGEMENT |
| 18.10.41.1 (L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled' | CIS Microsoft Windows Server 2019 v4.0.0 L2 MS | Windows | CONFIGURATION MANAGEMENT |
| 22.31 (L2) Ensure 'Remote Encryption Protection Aggressiveness' is set to 'Medium' or higher | CIS Microsoft Intune for Windows 10 v4.0.0 L2 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| AIOS-12-004300 - Apple iOS must not allow backup to remote systems (iCloud Keychain). | AirWatch - DISA Apple iOS 12 v2r1 | MDM | CONFIGURATION MANAGEMENT |
| AIOS-13-004300 - Apple iOS/iPadOS must not allow backup to remote systems (iCloud Keychain). | AirWatch - DISA Apple iOS/iPadOS 13 v2r1 | MDM | CONFIGURATION MANAGEMENT |
| AIOS-15-007400 - Apple iOS/iPadOS 15 allowlist must be configured to not include applications with the following characteristics: - back up MD data to non-DoD cloud servers (including user and application access to cloud backup services);- transmit MD diagnostic data to non-DoD servers; - allows synchronization of data or applications between devices associated with user; and - allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers. | MobileIron - DISA Apple iOS/iPadOS 14 v1r4 | MDM | CONFIGURATION MANAGEMENT |
| AIOS-15-007400 - Apple iOS/iPadOS 15 allowlist must be configured to not include applications with the following characteristics: - back up MD data to non-DoD cloud servers (including user and application access to cloud backup services);- transmit MD diagnostic data to non-DoD servers; - allows synchronization of data or applications between devices associated with user; and - allows unencrypted (or encrypted but not FIPS 140-2 validated) data sharing with other MDs or printers. | AirWatch - DISA Apple iOS/iPadOS 14 v1r4 | MDM | CONFIGURATION MANAGEMENT |
| AOSX-14-002049 - The macOS system must disable Cloud Document Sync. | DISA STIG Apple Mac OSX 10.14 v2r6 | Unix | CONFIGURATION MANAGEMENT |
| MS.AAD.3.7v1 - Managed devices SHOULD be required for authentication. | CISA SCuBA Microsoft 365 Entra ID v1.5.0 | microsoft_azure | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| WN10-CC-000390 - Windows 10 should be configured to prevent users from receiving suggestions for third-party or additional applications. | DISA Microsoft Windows 10 STIG v3r4 | Windows | CONFIGURATION MANAGEMENT |
