| 1.1.6 Ensure nosuid option set on /var partition | CIS Google Container-Optimized OS v1.2.0 L2 Server | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 1.1.7.1 Ensure separate partition exists for /home | CIS Fedora 28 Family Linux Workstation L2 v2.0.0 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 1.6.1.5 Ensure the SELinux mode is enforcing | CIS Fedora 28 Family Linux Workstation L2 v2.0.0 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 2.2.1.8 Ensure 'Allow documents from managed sources in unmanaged destinations' is set to 'Disabled' | AirWatch - CIS Apple iOS 17 Benchmark v1.1.0 End User Owned L1 | MDM | ACCESS CONTROL, MEDIA PROTECTION |
| 2.2.1.8 Ensure 'Allow documents from managed sources in unmanaged destinations' is set to 'Disabled' | MobileIron - CIS Apple iOS 17 v1.1.0 End User Owned L1 | MDM | ACCESS CONTROL, MEDIA PROTECTION |
| 2.2.1.10 Ensure 'Treat AirDrop as unmanaged destination' is set to 'Enabled' | AirWatch - CIS Apple iOS 17 Benchmark v1.1.0 End User Owned L1 | MDM | ACCESS CONTROL, MEDIA PROTECTION |
| 2.2.1.10 Ensure 'Treat AirDrop as unmanaged destination' is set to 'Enabled' | MobileIron - CIS Apple iPadOS 17 v1.1.0 End User Owned L1 | MDM | ACCESS CONTROL, MEDIA PROTECTION |
| 2.2.1.13 Ensure 'Force Apple Watch wrist detection' is set to 'Enabled' | AirWatch - CIS Apple iPadOS 17 v1.1.0 End User Owned L1 | MDM | ACCESS CONTROL, MEDIA PROTECTION |
| 2.2.1.13 Ensure 'Force Apple Watch wrist detection' is set to 'Enabled' | MobileIron - CIS Apple iPadOS 17 v1.1.0 End User Owned L1 | MDM | ACCESS CONTROL, MEDIA PROTECTION |
| 2.7.2 Ensure 'Allow Mail Drop' is set to 'Disabled' | AirWatch - CIS Apple iPadOS 17 v1.1.0 End User Owned L1 | MDM | ACCESS CONTROL, MEDIA PROTECTION |
| 3.1.2 Ensure that the proxy kubeconfig file ownership is set to root:root | CIS Google Kubernetes Engine (GKE) v1.6.1 L1 Node | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 3.2.1.1 Ensure 'Allow screenshots and screen recording' is set to 'Disabled' | AirWatch - CIS Apple iOS 17 Institution Owned L2 | MDM | ACCESS CONTROL, MEDIA PROTECTION |
| 3.2.1.21 Ensure 'Allow documents from managed sources in unmanaged destinations' is set to 'Disabled' | AirWatch - CIS Apple iOS 17 Institution Owned L1 | MDM | ACCESS CONTROL, MEDIA PROTECTION |
| 3.2.1.21 Ensure 'Allow documents from managed sources in unmanaged destinations' is set to 'Disabled' | MobileIron - CIS Apple iOS 17 Institution Owned L1 | MDM | ACCESS CONTROL, MEDIA PROTECTION |
| 3.2.1.27 Ensure 'Force Apple Watch wrist detection' is set to 'Enabled' | MobileIron - CIS Apple iPadOS 17 Institutionally Owned L1 | MDM | ACCESS CONTROL, MEDIA PROTECTION |
| 3.3.1 Ensure 'Managed Safari Web Domains' is 'Configured' | AirWatch - CIS Apple iOS 17 Institution Owned L1 | MDM | ACCESS CONTROL, MEDIA PROTECTION |
| 3.3.1 Ensure 'Managed Safari Web Domains' is 'Configured' | MobileIron - CIS Apple iOS 17 Institution Owned L1 | MDM | ACCESS CONTROL, MEDIA PROTECTION |
| 3.5 Ensure Access to Audit Records Is Controlled - /var/audit | CIS Apple macOS 10.15 Catalina v3.0.0 L1 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 4.2.7 Restrict Access to SYSCAT.CONTEXTATTRIBUTES | CIS IBM DB2 11 v1.1.0 Database Level 1 | IBM_DB2DB | ACCESS CONTROL, MEDIA PROTECTION |
| 4.2.11 Restrict Access to SYSCAT.DBAUTH | CIS IBM DB2 11 v1.1.0 Database Level 1 | IBM_DB2DB | ACCESS CONTROL, MEDIA PROTECTION |
| 4.2.23 Restrict Access to SYSCAT.ROUTINES | CIS IBM DB2 11 v1.1.0 Database Level 1 | IBM_DB2DB | ACCESS CONTROL, MEDIA PROTECTION |
| 4.2.26 Restrict Access to SYSCAT.SECURITYLABELCOMPONENTS | CIS IBM DB2 11 v1.1.0 Database Level 1 | IBM_DB2DB | ACCESS CONTROL, MEDIA PROTECTION |
| 4.2.29 Restrict Access to SYSCAT.SECURITYPOLICYCOMPONENTRULES | CIS IBM DB2 11 v1.1.0 Database Level 1 | IBM_DB2DB | ACCESS CONTROL, MEDIA PROTECTION |
| 4.2.40 Restrict Access to SYSCAT.USEROPTIONS | CIS IBM DB2 11 v1.1.0 Database Level 1 | IBM_DB2DB | ACCESS CONTROL, MEDIA PROTECTION |
| 4.2.41 Restrict Access to SYSCAT.VARIABLEAUTH | CIS IBM DB2 11 v1.1.0 Database Level 1 | IBM_DB2DB | ACCESS CONTROL, MEDIA PROTECTION |
| 4.2.45 Restrict Access to SYSCAT.XSROBJECTAUTH | CIS IBM DB2 11 v1.1.0 Database Level 1 | IBM_DB2DB | ACCESS CONTROL, MEDIA PROTECTION |
| 4.3.6 Restrict Access to SYSIBM.SYSCOLUMNS | CIS IBM DB2 11 v1.1.0 Database Level 1 | IBM_DB2DB | ACCESS CONTROL, MEDIA PROTECTION |
| 4.3.8 Restrict Access to SYSIBM.SYSCONTEXTS | CIS IBM DB2 11 v1.1.0 Database Level 1 | IBM_DB2DB | ACCESS CONTROL, MEDIA PROTECTION |
| 4.3.13 Restrict Access to SYSIBM.SYSEVENTTABLES | CIS IBM DB2 11 v1.1.0 Database Level 1 | IBM_DB2DB | ACCESS CONTROL, MEDIA PROTECTION |
| 4.3.14 Restrict Access to SYSIBM.SYSEXTTAB | CIS IBM DB2 11 v1.1.0 Database Level 1 | IBM_DB2DB | ACCESS CONTROL, MEDIA PROTECTION |
| 4.3.15 Restrict Access to SYSIBM.SYSINDEXAUTH | CIS IBM DB2 11 v1.1.0 Database Level 1 | IBM_DB2DB | ACCESS CONTROL, MEDIA PROTECTION |
| 4.3.16 Restrict Access to SYSIBM.SYSMODULEAUTH | CIS IBM DB2 11 v1.1.0 Database Level 1 | IBM_DB2DB | ACCESS CONTROL, MEDIA PROTECTION |
| 4.3.18 Restrict Access to SYSIBM.SYSPLANAUTH | CIS IBM DB2 11 v1.1.0 Database Level 1 | IBM_DB2DB | ACCESS CONTROL, MEDIA PROTECTION |
| 4.3.28 Restrict Access to SYSIBM.SYSSECURITYLABELCOMPONENTELEMENTS | CIS IBM DB2 11 v1.1.0 Database Level 1 | IBM_DB2DB | ACCESS CONTROL, MEDIA PROTECTION |
| 4.3.31 Restrict Access to SYSIBM.SYSSECURITYPOLICIES | CIS IBM DB2 11 v1.1.0 Database Level 1 | IBM_DB2DB | ACCESS CONTROL, MEDIA PROTECTION |
| 4.3.35 Restrict Access to SYSIBM.SYSSEQUENCEAUTH | CIS IBM DB2 11 v1.1.0 Database Level 1 | IBM_DB2DB | ACCESS CONTROL, MEDIA PROTECTION |
| 4.3.43 Restrict Access to SYSIBM.SYSVARIABLES | CIS IBM DB2 11 v1.1.0 Database Level 1 | IBM_DB2DB | ACCESS CONTROL, MEDIA PROTECTION |
| 4.3.46 Restrict Access to SYSIBM.SYSXSROBJECTAUTH | CIS IBM DB2 11 v1.1.0 Database Level 1 | IBM_DB2DB | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1.1 Ensure permissions on /etc/ssh/sshd_config are configured | CIS Google Container-Optimized OS v1.2.0 L1 Server | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1.2 Minimize user access to Container Image repositories | CIS Google Kubernetes Engine (GKE) v1.6.1 L2 | GCP | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1.3 Ensure permissions on SSH public host key files are configured | CIS Google Container-Optimized OS v1.2.0 L1 Server | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 5.3.3 Ensure default group for the root account is GID 0 | CIS Google Container-Optimized OS v1.2.0 L1 Server | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 5.6.3 Ensure Control Plane Authorized Networks is Enabled | CIS Google Kubernetes Engine (GKE) v1.6.1 L2 | GCP | ACCESS CONTROL, MEDIA PROTECTION |
| 6.1.1 Audit system file permissions | CIS Fedora 28 Family Linux Workstation L2 v2.0.0 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 6.1.4 Ensure Guest Access to Shared Folders Is Disabled | CIS Apple macOS 11.0 Big Sur v4.0.0 L1 | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 6.1.5 Ensure permissions on /etc/passwd- are configured | CIS Google Container-Optimized OS v1.2.0 L2 Server | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 6.1.7 Ensure permissions on /etc/group- are configured | CIS Google Container-Optimized OS v1.2.0 L1 Server | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 6.1.8 Ensure permissions on /etc/gshadow- are configured | CIS Google Container-Optimized OS v1.2.0 L2 Server | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 6.2.10 Ensure users' dot files are not group or world writable | CIS Google Container-Optimized OS v1.2.0 L2 Server | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 6.3.2 Ensure that the 'cross db ownership chaining' database flag for Cloud SQL SQL Server instance is set to 'off' | CIS Google Cloud Platform v3.0.0 L1 | GCP | ACCESS CONTROL, MEDIA PROTECTION |
