| 1.2.1 Ensure 'Permitted IP Addresses' is set to those necessary for device management | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SNMP | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - SSH | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.2.2 Ensure 'Permitted IP Addresses' is set for all management profiles where SSH, HTTPS, or SNMP is enabled - HTTPS | CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0 | Palo_Alto | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured' | CIS Cisco IOS 12 L1 v4.0.0 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured' | CIS Cisco IOS 16 L1 v1.1.0 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.2.4 Create 'access-list' for use with 'line vty' - 'ACL deny is configured' | CIS Cisco IOS 15 L1 v4.0.1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.2.4 Create 'access-list' for use with 'line vty' - 'ACL permit tcp is configured' | CIS Cisco IOS 16 L1 v1.1.0 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL' | CIS Cisco IOS 12 L1 v4.0.0 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL' | CIS Cisco IOS 15 L1 v4.0.1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.5.6 Create an 'access-list' for use with SNMP - 'SNMP deny secured by ACL' | CIS Cisco IOS 16 L1 v1.1.0 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.5.6 Create an 'access-list' for use with SNMP - 'SNMP permit secured by ACL' | CIS Cisco IOS 15 L1 v4.0.1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.5.6 Create an 'access-list' for use with SNMP - 'SNMP permit secured by ACL' | CIS Cisco IOS 16 L1 v1.1.0 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.2 Ensure SharePoint implements an information system isolation boundary that minimizes the number of non-security functions included within the boundary containing security functions. | CIS Microsoft SharePoint 2019 OS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.3 Ensure SharePoint implements security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers. | CIS Microsoft SharePoint 2019 OS v1.0.0 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.5.2.6 Ensure base chains exist - hook forward | CIS Red Hat EL7 Server L1 v3.0.1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.5.2.7 Ensure loopback traffic is configured - iif lo | CIS Red Hat EL7 Server L1 v3.0.1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.5.2.9 Ensure default deny firewall policy - output | CIS Red Hat EL7 Server L1 v3.0.1 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.3 Ensure a client list is set for SNMPv1/v2 communities | CIS Juniper OS Benchmark v2.1.0 L1 | Juniper | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.4 Ensure routing tables for VPC peering are 'least access' - least access | CIS Amazon Web Services Foundations L2 1.3.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.10.2.6 Ensure Web-Management Interface Restriction is Set | CIS Juniper OS Benchmark v2.1.0 L1 | Juniper | SYSTEM AND COMMUNICATIONS PROTECTION |
| NET0890 - The network element must only allow SNMP access from addresses belonging to the management network. | DISA STIG Cisco Firewall v8r25 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| NET0988 - Traffic from the managed network will leak - 'OOBM Interface (ip access-list OOBM_EGRESS_ACL out)' | DISA STIG Cisco Infrastructure L3 Switch v8r29 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| NET0991 - The OOBM interface not configured correctly | DISA STIG Cisco Infrastructure L3 Switch v8r29 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| NET0991 - The OOBM interface not configured correctly | DISA STIG Cisco Perimeter L3 Switch v8r32 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| NET0992 - The management interface does not have an ACL - 'Step 1 (Egress ACL)' | DISA STIG Cisco Infrastructure Router v8r29 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| NET0992 - The management interface does not have an ACL - 'Step 1 (Ingress ACL)' | DISA STIG Cisco Infrastructure L3 Switch v8r29 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| NET0992 - The management interface does not have an ACL - 'Step 1 (Ingress ACL)' | DISA STIG Cisco Infrastructure Router v8r29 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| NET0992 - The management interface does not have an ACL - 'Step 1 (Ingress ACL)' | DISA STIG Cisco Perimeter L3 Switch v8r32 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| NET0992 - The management interface does not have an ACL - 'Step 1 (Ingress ACL)' | DISA STIG Cisco Perimeter Router v8r32 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| NET0992 - The management interface does not have an ACL - 'Step 3 (ip local policy route-map LOCAL_POLICY)' | DISA STIG Cisco Perimeter L3 Switch v8r32 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| NET0993 - The network element's management interface is not configured as passive for the IGP instance - 'rip passive-interface' | DISA STIG Cisco Firewall v8r25 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| NET0994 - Management interface is assigned to a user VLAN - 'MGMT VLAN ID' | DISA STIG Cisco Infrastructure L3 Switch v8r29 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| NET1000 - The gateway router for the managed network is not configured with an ACL or filter on the egress interface. | DISA STIG Juniper Perimeter Router V8R32 | Juniper | SYSTEM AND COMMUNICATIONS PROTECTION |
| NET1001 - A firewall located behind the premise router must be configured to block all outbound management traffic. - 'step 2 next-hop' | DISA STIG Cisco Firewall v8r25 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| NET1003 - Mgmt VLAN does not have correct IP address | DISA STIG Cisco L2 Switch V8R27 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| NET1004 - No ingress ACL on management VLAN interface | DISA STIG Cisco Infrastructure L3 Switch v8r29 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| NET1004 - No ingress ACL on management VLAN interface | DISA STIG Cisco Perimeter L3 Switch v8r32 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| NET1005 - No inbound ACL for mgmt network sub-interface - 'Sub-Interface Ingress ACL' | DISA STIG Cisco Perimeter L3 Switch v8r32 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| NET1005 - No inbound ACL for mgmt network sub-interface - 'Sub-Interface Ingress ACL' | DISA STIG Cisco Perimeter Router v8r32 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| NET1006 - Traffic entering the tunnels is not restricted to only the authorized management packets based on destination address. | DISA STIG Juniper Infrastructure Router V8R29 | Juniper | SYSTEM AND COMMUNICATIONS PROTECTION |
| NET1007 - Management traffic is not classified and marked - 'class-map match-all MANAGEMENT_TRAFFIC' | DISA STIG Cisco Infrastructure L3 Switch v8r29 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| NET1007 - Management traffic is not classified and marked - 'class-map match-all MANAGEMENT_TRAFFIC' | DISA STIG Cisco Infrastructure Router v8r29 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| NET1007 - Management traffic is not classified and marked - 'class-map match-all MANAGEMENT_TRAFFIC' | DISA STIG Cisco Perimeter L3 Switch v8r32 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| NET1007 - Management traffic is not classified and marked - 'class-map match-all MANAGEMENT_TRAFFIC' | DISA STIG Cisco Perimeter Router v8r32 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| NET1007 - Management traffic is not classified and marked - 'ip access-list extended MGMT_TRAFFIC_CLASSIFICATION_ACL permit' | DISA STIG Cisco Perimeter Router v8r32 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| NET1007 - Management traffic is not classified and marked - 'policy-map DIST_LAYER_POLICY (set ip dscp DIST_LAYER_DSCP_VALUE)' | DISA STIG Cisco Infrastructure Router v8r29 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| NET1007 - Management traffic is not classified and marked - 'policy-map DIST_LAYER_POLICY (set ip dscp DIST_LAYER_DSCP_VALUE)' | DISA STIG Cisco Perimeter L3 Switch v8r32 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| NET1007 - Management traffic is not classified and marked - 'policy-map DIST_LAYER_POLICY' | DISA STIG Cisco Infrastructure L3 Switch v8r29 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| NET1007 - Management traffic is not classified and marked - 'policy-map DIST_LAYER_POLICY' | DISA STIG Cisco Perimeter Router v8r32 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
