| 1.2 Ensure that Multi-Factor Authentication is 'Enabled' for All Non-Service Accounts | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | IDENTIFICATION AND AUTHENTICATION |
| 1.2.5.2 Ensure only the host can download cloud recordings is set to enabled | CIS Zoom L2 v1.0.0 | Zoom | CONFIGURATION MANAGEMENT |
| 1.11 Ensure That Separation of Duties Is Enforced While Assigning KMS Related Roles to Users | CIS Google Cloud Platform Foundation v4.0.0 L2 | GCP | ACCESS CONTROL, MEDIA PROTECTION |
| 1.16 Ensure Essential Contacts is Configured for Organization | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | INCIDENT RESPONSE |
| 2.1.4.1 Ensure cloud storage is set to enabled | CIS Zoom L2 v1.0.0 | Zoom | CONFIGURATION MANAGEMENT |
| 2.10 Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes | CIS Google Cloud Platform Foundation v4.0.0 L2 | GCP | AUDIT AND ACCOUNTABILITY |
| 4.1.1.1 Ensure correct container image is set for stackdriver logging agent | CIS Google Container-Optimized OS v1.2.0 L2 Server | Unix | AUDIT AND ACCOUNTABILITY |
| 4.2 Ensure That Instances Are Not Configured To Use the Default Service Account With Full Access to All Cloud APIs | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | IDENTIFICATION AND AUTHENTICATION |
| 4.2.6 Ensure inline scanning with FortiGuard AI-Based Sandbox Service is enabled | CIS Fortigate 7.0.x v1.3.0 L1 | FortiGate | SYSTEM AND INFORMATION INTEGRITY |
| 5.6.1 Enable Customer-Managed Encryption Keys (CMEK) for GKE Persistent Disks (PD) | CIS Google Kubernetes Engine (GKE) Autopilot v1.1.0 L2 | GCP | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.7 Choosing Wildfire public cloud region | CIS Palo Alto Firewall 11 v1.1.0 L2 | Palo_Alto | CONFIGURATION MANAGEMENT |
| 5.7 Choosing Wildfire public cloud region | CIS Palo Alto Firewall 10 v1.2.0 L2 | Palo_Alto | CONFIGURATION MANAGEMENT |
| 5.8 Ensure that 'Inline Cloud Analysis' on Wildfire profiles is enabled | CIS Palo Alto Firewall 10 v1.2.0 L1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 5.8 Ensure that 'Inline Cloud Analysis' on Wildfire profiles is enabled | CIS Palo Alto Firewall 11 v1.1.0 L1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 5.9.1 Enable Customer-Managed Encryption Keys (CMEK) for GKE Persistent Disks (PD) | CIS Google Kubernetes Engine (GKE) v1.7.0 L2 | GCP | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.9.2 Enable Customer-Managed Encryption Keys (CMEK) for Boot Disks | CIS Google Kubernetes Engine (GKE) v1.7.0 L2 | GCP | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.1.1 Ensure That a MySQL Instance Does Not Allow Anyone To Connect With Administrative Privileges | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | IDENTIFICATION AND AUTHENTICATION |
| 6.5 Ensure That Cloud SQL Database Instances Do Not Implicitly Whitelist All Public IP Addresses | CIS Google Cloud Platform Foundation v4.0.0 L1 | GCP | ACCESS CONTROL, MEDIA PROTECTION |
| 6.22 Ensure that 'Inline Cloud Analysis' on Vulnerability Protection profiles are enabled if 'Advanced Threat Prevention' is available | CIS Palo Alto Firewall 10 v1.2.0 L1 | Palo_Alto | RISK ASSESSMENT |
| 6.22 Ensure that 'Inline Cloud Analysis' on Vulnerability Protection profiles are enabled if 'Advanced Threat Prevention' is available | CIS Palo Alto Firewall 11 v1.1.0 L1 | Palo_Alto | RISK ASSESSMENT |
| 6.24 Ensure that 'Inline Cloud Analysis' on Anti-Spyware profiles are enabled if 'Advanced Threat Prevention' is available | CIS Palo Alto Firewall 10 v1.2.0 L1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 6.24 Ensure that 'Inline Cloud Analysis' on Anti-Spyware profiles are enabled if 'Advanced Threat Prevention' is available | CIS Palo Alto Firewall 11 v1.1.0 L1 | Palo_Alto | SYSTEM AND INFORMATION INTEGRITY |
| 8.1 Ensure that Dataproc Cluster is encrypted using Customer-Managed Encryption Key | CIS Google Cloud Platform Foundation v4.0.0 L2 | GCP | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 18.10.43.5.1 (L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' | CIS Microsoft Windows Server 2025 v1.0.0 L1 MS | Windows | CONFIGURATION MANAGEMENT |
| 18.10.43.5.1 (L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' | CIS Microsoft Windows Server 2022 Stand-alone v1.0.0 L1 MS | Windows | CONFIGURATION MANAGEMENT |
| 18.10.43.5.1 (L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' | CIS Microsoft Windows 11 Enterprise v4.0.0 L1 BitLocker | Windows | CONFIGURATION MANAGEMENT |
| 18.10.43.5.1 (L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' | CIS Microsoft Windows Server 2019 Stand-alone v3.0.0 L1 MS | Windows | CONFIGURATION MANAGEMENT |
| 72.1 (L2) Ensure 'Allow Cloud Search' is set to 'Not allowed' | CIS Microsoft Intune for Windows 11 v4.0.0 L2 | Windows | CONFIGURATION MANAGEMENT |
| AADC-CL-001315 - Adobe Acrobat Pro DC Classic SharePoint and Office365 access must be disabled. | DISA STIG Adobe Acrobat Pro DC Classic Track v2r1 | Windows | CONFIGURATION MANAGEMENT |
| AADC-CN-001315 - Adobe Acrobat Pro DC Continuous SharePoint and Office365 access must be disabled. | DISA STIG Adobe Acrobat Pro DC Continuous Track v2r1 | Windows | CONFIGURATION MANAGEMENT |
| ADBP-XI-001315 - Adobe Acrobat Pro XI SharePoint and Office365 Access must be disabled. | DISA STIG ADOBE ACROBAT PROFESSIONAL (PRO) XI v1r2 | Windows | CONFIGURATION MANAGEMENT |
| AIOS-02-080003 - Apple iOS must not allow backup to remote systems (iCloud document and data synchronization). | AirWatch - DISA Apple iOS 10 v1r3 | MDM | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| AIOS-02-080003 - Apple iOS must not allow backup to remote systems (iCloud document and data synchronization). | MobileIron - DISA Apple iOS 10 v1r3 | MDM | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| AIOS-02-080103 - Apple iOS must not allow backup to remote systems (managed applications data stored in iCloud). | AirWatch - DISA Apple iOS 10 v1r3 | MDM | CONFIGURATION MANAGEMENT |
| AIOS-02-080103 - Apple iOS must not allow backup to remote systems (managed applications data stored in iCloud). | MobileIron - DISA Apple iOS 10 v1r3 | MDM | CONFIGURATION MANAGEMENT |
| AIOS-02-090101 - Apple iOS must implement the management setting: Disable Allow iCloud Photo Library. | AirWatch - DISA Apple iOS 10 v1r3 | MDM | CONFIGURATION MANAGEMENT |
| AIOS-02-090101 - Apple iOS must implement the management setting: Disable Allow iCloud Photo Library. | MobileIron - DISA Apple iOS 10 v1r3 | MDM | CONFIGURATION MANAGEMENT |
| AIOS-12-004600 - Apple iOS must not allow backup to remote systems (managed applications data stored in iCloud). | AirWatch - DISA Apple iOS 12 v2r1 | MDM | CONFIGURATION MANAGEMENT |
| AIOS-12-004600 - Apple iOS must not allow backup to remote systems (managed applications data stored in iCloud). | MobileIron - DISA Apple iOS 12 v2r1 | MDM | CONFIGURATION MANAGEMENT |
| AIOS-13-004600 - Apple iOS/iPadOS must not allow backup to remote systems (managed applications data stored in iCloud). | AirWatch - DISA Apple iOS/iPadOS 13 v2r1 | MDM | CONFIGURATION MANAGEMENT |
| AIOS-13-004600 - Apple iOS/iPadOS must not allow backup to remote systems (managed applications data stored in iCloud). | MobileIron - DISA Apple iOS/iPadOS 13 v2r1 | MDM | CONFIGURATION MANAGEMENT |
| AIOS-13-011200 - Apple iOS/iPadOS must implement the management setting: Disable Allow MailDrop. | AirWatch - DISA Apple iOS/iPadOS 13 v2r1 | MDM | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| ARDC-CL-000060 - Adobe Reader DC must disable all service access to Document Cloud Services. | DISA STIG Adobe Acrobat Reader DC Classic Track v2r1 | Windows | CONFIGURATION MANAGEMENT |
| ARDC-CN-000060 - Adobe Reader DC must disable all service access to Document Cloud Services. | DISA STIG Adobe Acrobat Reader DC Continuous Track v2r1 | Windows | CONFIGURATION MANAGEMENT |
| DTBC-0023 - Cloud print sharing must be disabled. | DISA Google Chrome Current Windows STIG v2r11 | Windows | ACCESS CONTROL |
| iOS Device Management - Managed apps sync to cloud | Tenable Best Practices for Microsoft Intune iOS v1.0 | microsoft_azure | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| KNOX-07-001600 - The Samsung whitelist must be configured to not include applications that Back up MD data to non-DoD cloud servers. | AirWatch - DISA Samsung Android 7 with Knox 2.x v1r1 | MDM | CONFIGURATION MANAGEMENT |
| KNOX-07-001600 - The Samsung whitelist must be configured to not include applications that Back up MD data to non-DoD cloud servers. | MobileIron - DISA Samsung Android 7 with Knox 2.x v1r1 | MDM | CONFIGURATION MANAGEMENT |
| MS.AAD.7.3v1 - Privileged users SHALL be provisioned cloud-only accounts separate from an on-premises directory or other federated identity providers. | CISA SCuBA Microsoft 365 Entra ID v1.5.0 | microsoft_azure | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION |
| Windows Device Configuration - Cloud-delivered protection | Tenable Best Practices for Microsoft Intune Windows v1.0 | microsoft_azure | CONFIGURATION MANAGEMENT |
