| 1.2 Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | IDENTIFICATION AND AUTHENTICATION |
| 1.2.5.2 Ensure only the host can download cloud recordings is set to enabled | CIS Zoom L2 v1.0.0 | Zoom | CONFIGURATION MANAGEMENT |
| 1.11 Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users | CIS Google Cloud Platform Foundation v4.0.0 L2 | GCP | ACCESS CONTROL, MEDIA PROTECTION |
| 1.16 Ensure Essential Contacts is Configured for Organization | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | INCIDENT RESPONSE |
| 2.7.1 (L1) Ensure 'Allow automatic sign-in to Microsoft cloud identity providers' Is Enabled | CIS Google Chrome Group Policy v1.0.0 L1 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 2.10 Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes | CIS Google Cloud Platform Foundation v4.0.0 L2 | GCP | AUDIT AND ACCOUNTABILITY |
| 2.10.1 (L1) Ensure 'Allow automatic sign-in to Microsoft cloud identity providers' Is Enabled | CIS Google Chrome L1 v3.0.0 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| 4.1.1.1 Ensure correct container image is set for stackdriver logging agent | CIS Google Container-Optimized OS v1.2.0 L2 Server | Unix | AUDIT AND ACCOUNTABILITY |
| 4.2 Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | IDENTIFICATION AND AUTHENTICATION |
| 4.2.6 Ensure inline scanning with FortiGuard AI-Based Sandbox Service is enabled | CIS Fortigate 7.0.x v1.4.0 L1 | FortiGate | SYSTEM AND INFORMATION INTEGRITY |
| 4.2.6 Ensure inline scanning with FortiGuard AI-Based Sandbox Service is enabled | CIS FortiGate 7.4.x v1.0.1 L1 | FortiGate | SYSTEM AND INFORMATION INTEGRITY |
| 5.6.1 Enable Customer-Managed Encryption Keys (CMEK) for GKE Persistent Disks (PD) | CIS Google Kubernetes Engine GKE Autopilot v1.3.0 L2 | GCP | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.7 Choosing Wildfire public cloud region | CIS Palo Alto Firewall 10 v1.3.0 L2 | Palo_Alto | CONFIGURATION MANAGEMENT |
| 5.7 Choosing Wildfire public cloud region | CIS Palo Alto Firewall 11 v1.2.0 L2 | Palo_Alto | CONFIGURATION MANAGEMENT |
| 5.8 Ensure that 'Inline Cloud Analysis' on Wildfire profiles is enabled | CIS Palo Alto Firewall 10 v1.3.0 L1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 5.8 Ensure that 'Inline Cloud Analysis' on Wildfire profiles is enabled | CIS Palo Alto Firewall 11 v1.2.0 L1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 5.9.1 Enable Customer-Managed Encryption Keys (CMEK) for GKE Persistent Disks (PD) | CIS Google Kubernetes Engine GKE v1.9.0 L2 GCP | GCP | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.9.2 Enable Customer-Managed Encryption Keys (CMEK) for Boot Disks | CIS Google Kubernetes Engine GKE v1.9.0 L2 GCP | GCP | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.1.1 Ensure That a MySQL Instance Does Not Allow Anyone To Connect With Administrative Privileges | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | IDENTIFICATION AND AUTHENTICATION |
| 6.5 Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | ACCESS CONTROL, MEDIA PROTECTION |
| 6.22 Ensure that 'Inline Cloud Analysis' on Vulnerability Protection profiles are enabled if 'Advanced Threat Prevention' is available | CIS Palo Alto Firewall 11 v1.2.0 L1 | Palo_Alto | RISK ASSESSMENT |
| 6.22 Ensure that 'Inline Cloud Analysis' on Vulnerability Protection profiles are enabled if 'Advanced Threat Prevention' is available | CIS Palo Alto Firewall 10 v1.3.0 L1 | Palo_Alto | RISK ASSESSMENT |
| 6.24 Ensure that 'Inline Cloud Analysis' on Anti-Spyware profiles are enabled if 'Advanced Threat Prevention' is available | CIS Palo Alto Firewall 10 v1.3.0 L1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.24 Ensure that 'Inline Cloud Analysis' on Anti-Spyware profiles are enabled if 'Advanced Threat Prevention' is available | CIS Palo Alto Firewall 11 v1.2.0 L1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 8.1 Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key | CIS Google Cloud Platform Foundation v4.0.0 L2 | GCP | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.10.42.5.2 Ensure 'Join Microsoft MAPS' is set to 'Enabled: Advanced' | CIS Microsoft Windows 11 Enterprise v5.0.1 L1 | Windows | CONFIGURATION MANAGEMENT |
| 18.10.42.5.2 Ensure 'Join Microsoft MAPS' is set to 'Enabled: Advanced' | CIS Microsoft Windows Server 2022 v5.0.0 L1 DC | Windows | CONFIGURATION MANAGEMENT |
| 18.10.42.5.2 Ensure 'Join Microsoft MAPS' is set to 'Enabled: Advanced' | CIS Microsoft Windows Server 2022 v5.0.0 L1 MS | Windows | CONFIGURATION MANAGEMENT |
| 18.10.42.5.2 Ensure 'Join Microsoft MAPS' is set to 'Enabled: Advanced' | CIS Microsoft Windows Server 2025 v2.0.0 L1 MS | Windows | CONFIGURATION MANAGEMENT |
| 18.10.42.5.2 Ensure 'Join Microsoft MAPS' is set to 'Enabled: Advanced' | CIS Microsoft Windows 11 Enterprise v5.0.1 L1 BL | Windows | CONFIGURATION MANAGEMENT |
| 18.10.42.5.2 Ensure 'Join Microsoft MAPS' is set to 'Enabled: Advanced' | CIS Microsoft Windows Server 2025 v2.0.0 L1 DC | Windows | CONFIGURATION MANAGEMENT |
| 72.1 (L2) Ensure 'Allow Cloud Search' is set to 'Not allowed' | CIS Microsoft Intune for Windows 11 v4.0.0 L2 | Windows | CONFIGURATION MANAGEMENT |
| AADC-CL-001315 - Adobe Acrobat Pro DC Classic SharePoint and Office365 access must be disabled. | DISA STIG Adobe Acrobat Pro DC Classic Track v2r1 | Windows | CONFIGURATION MANAGEMENT |
| AIOS-02-080003 - Apple iOS must not allow backup to remote systems (iCloud document and data synchronization). | AirWatch - DISA Apple iOS 10 v1r3 | MDM | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| AIOS-02-080003 - Apple iOS must not allow backup to remote systems (iCloud document and data synchronization). | MobileIron - DISA Apple iOS 10 v1r3 | MDM | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| AIOS-02-080103 - Apple iOS must not allow backup to remote systems (managed applications data stored in iCloud). | AirWatch - DISA Apple iOS 10 v1r3 | MDM | CONFIGURATION MANAGEMENT |
| AIOS-02-080103 - Apple iOS must not allow backup to remote systems (managed applications data stored in iCloud). | MobileIron - DISA Apple iOS 10 v1r3 | MDM | CONFIGURATION MANAGEMENT |
| AIOS-02-090101 - Apple iOS must implement the management setting: Disable Allow iCloud Photo Library. | AirWatch - DISA Apple iOS 10 v1r3 | MDM | CONFIGURATION MANAGEMENT |
| AIOS-02-090101 - Apple iOS must implement the management setting: Disable Allow iCloud Photo Library. | MobileIron - DISA Apple iOS 10 v1r3 | MDM | CONFIGURATION MANAGEMENT |
| AIOS-12-004600 - Apple iOS must not allow backup to remote systems (managed applications data stored in iCloud). | AirWatch - DISA Apple iOS 12 v2r1 | MDM | CONFIGURATION MANAGEMENT |
| AIOS-12-004600 - Apple iOS must not allow backup to remote systems (managed applications data stored in iCloud). | MobileIron - DISA Apple iOS 12 v2r1 | MDM | CONFIGURATION MANAGEMENT |
| AIOS-13-004600 - Apple iOS/iPadOS must not allow backup to remote systems (managed applications data stored in iCloud). | AirWatch - DISA Apple iOS/iPadOS 13 v2r1 | MDM | CONFIGURATION MANAGEMENT |
| ARDC-CN-000060 - Adobe Reader DC must disable all service access to Document Cloud Services. | DISA STIG Adobe Acrobat Reader DC Continuous Track v2r1 | Windows | CONFIGURATION MANAGEMENT |
| ARDC-CN-000085 - Adobe Reader DC must disable Adobe Send for Signature. | DISA STIG Adobe Acrobat Reader DC Continuous Track v2r1 | Windows | CONFIGURATION MANAGEMENT |
| iOS Device Management - Managed apps sync to cloud | Tenable Best Practices for Microsoft Intune iOS v1.0 | microsoft_azure | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| KNOX-07-001600 - The Samsung whitelist must be configured to not include applications that Back up MD data to non-DoD cloud servers. | AirWatch - DISA Samsung Android 7 with Knox 2.x v1r1 | MDM | CONFIGURATION MANAGEMENT |
| KNOX-07-001600 - The Samsung whitelist must be configured to not include applications that Back up MD data to non-DoD cloud servers. | MobileIron - DISA Samsung Android 7 with Knox 2.x v1r1 | MDM | CONFIGURATION MANAGEMENT |
| Windows Device Configuration - Cloud-delivered protection | Tenable Best Practices for Microsoft Intune Windows v1.0 | microsoft_azure | CONFIGURATION MANAGEMENT |
| WNDF-AV-000058 - Microsoft Defender AV must enable extended cloud check. | DISA Microsoft Defender Antivirus STIG v2r7 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| WNDF-AV-000073 - Microsoft Defender AV must set cloud protection level to High. | DISA Microsoft Defender Antivirus STIG v2r7 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
