| 1.1.1 Enable 'aaa new-model' | CIS Cisco IOS XE 16.x v2.1.0 L1 | Cisco | ACCESS CONTROL |
| 1.1.1 Enable 'aaa new-model' | CIS Cisco IOS XE 17.x v2.1.1 L1 | Cisco | ACCESS CONTROL |
| 1.1.1 Ensure 'Logon Password' is set | CIS Cisco Firewall v8.x L1 v4.2.0 | Cisco | IDENTIFICATION AND AUTHENTICATION |
| 1.1.1.3 Configure AAA Authentication - RADIUS if applicable | CIS Cisco NX-OS L1 v1.1.0 | Cisco | ACCESS CONTROL |
| 1.1.2 Enable 'aaa authentication login' | CIS Cisco IOS XE 16.x v2.1.0 L1 | Cisco | ACCESS CONTROL |
| 1.1.2 Enable 'aaa authentication login' | CIS Cisco IOS XE 17.x v2.1.1 L1 | Cisco | ACCESS CONTROL |
| 1.1.12 - AirWatch - Turn off VPN when not needed | AirWatch - CIS Apple iOS 9 v1.0.0 L1 | MDM | ACCESS CONTROL |
| 1.1.13 - AirWatch - Turn off VPN when not needed | AirWatch - CIS Apple iOS 8 v1.0.0 L1 | MDM | ACCESS CONTROL |
| 1.2.2 Set 'modulus' to greater than or equal to 2048 for 'crypto key generate rsa' | CIS Cisco IOS XR 7.x v1.0.0 L1 | Cisco | IDENTIFICATION AND AUTHENTICATION |
| 1.2.5 Set 'access-class' for 'line vty' | CIS Cisco IOS XE 16.x v2.1.0 L1 | Cisco | ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY |
| 1.2.5 Set 'access-class' for 'line vty' | CIS Cisco IOS XE 17.x v2.1.1 L1 | Cisco | ACCESS CONTROL, SYSTEM AND INFORMATION INTEGRITY |
| 2.1.1.1.3 Set 'modulus' to greater than or equal to 2048 for 'crypto key generate rsa' | CIS Cisco IOS 12 L1 v4.0.0 | Cisco | IDENTIFICATION AND AUTHENTICATION |
| 2.9 (L2) Ensure VDS health check is disabled | CIS VMware ESXi 7.0 v1.4.0 L2 | VMware | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 2.9 Ensure VDS health check is disabled | CIS VMware ESXi 6.7 v1.3.0 Level 1 | VMware | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 3.1.2.1 Configure BGP to Log Neighbor Changes | CIS Cisco NX-OS L1 v1.1.0 | Cisco | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.5.1 Basic Fiber Channel Configuration | CIS Cisco NX-OS L2 v1.1.0 | Cisco | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| 7.1 (L1) Ensure the vSwitch Forged Transmits policy is set to reject | CIS VMware ESXi 7.0 v1.4.0 L1 | VMware | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.3 Ensure the vSwitch Promiscuous Mode policy is set to reject | CIS VMware ESXi 6.7 v1.3.0 Level 1 | VMware | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.3 Ensure the vSwitch Promiscuous Mode policy is set to reject | CIS VMware ESXi 6.5 v1.0.0 Level 1 | VMware | SYSTEM AND COMMUNICATIONS PROTECTION |
| AMLS-L3-000210 - The Arista Multilayer Switch must enforce information flow control using explicit security attributes (for example, IP addresses, port numbers, protocol, Autonomous System, or interface) on information, source, and destination objects. | DISA STIG Arista MLS DCS-7000 Series RTR v1r4 | Arista | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| AMLS-L3-000330 - The Arista MLS RTR must be using a version supported by the vendor. | DISA STIG Arista MLS DCS-7000 Series RTR v1r4 | Arista | CONFIGURATION MANAGEMENT |
| ARST-L2-000110 - The Arista MLS layer 2 switch must have Dynamic Address Resolution Protocol (ARP) Inspection (DAI) enabled on all user VLANs. | DISA STIG Arista MLS EOS 4.2x L2S v2r1 | Arista | SYSTEM AND COMMUNICATIONS PROTECTION |
| ARST-ND-000840 - The Arista network device must obtain its public key certificates from an appropriate certificate policy through an approved service provider. | DISA STIG Arista MLS EOS 4.2x NDM v2r1 | Arista | SYSTEM AND COMMUNICATIONS PROTECTION |
| ARST-RT-000330 - The Arista perimeter router must be configured to deny network traffic by default and allow network traffic by exception. | DISA STIG Arista MLS EOS 4.2x Router v2r1 | Arista | SYSTEM AND COMMUNICATIONS PROTECTION |
| Auditing and logging - server | ArubaOS Switch 16.x Hardening Guide v1.0.0 | ArubaOS | AUDIT AND ACCOUNTABILITY |
| Auditing and logging - severity | ArubaOS Switch 16.x Hardening Guide v1.0.0 | ArubaOS | AUDIT AND ACCOUNTABILITY |
| Authorized IP managers | ArubaOS Switch 16.x Hardening Guide v1.0.0 | ArubaOS | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000340 - The Cisco perimeter router must be configured to filter egress traffic at the internal interface on an inbound direction. | DISA STIG Cisco IOS-XR Router RTR v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| Enhanced secure mode | ArubaOS Switch 16.x Hardening Guide v1.0.0 | ArubaOS | CONFIGURATION MANAGEMENT |
| ESXI-06-000061 - The virtual switch Promiscuous Mode policy must be set to reject. | DISA STIG VMware vSphere 6.x ESXi v1r5 | VMware | CONFIGURATION MANAGEMENT |
| ESXI-65-000061 - The virtual switch Promiscuous Mode policy must be set to reject on the ESXi host. | DISA STIG VMware vSphere ESXi 6.5 v2r4 | VMware | CONFIGURATION MANAGEMENT |
| ESXI-67-000061 - The virtual switch Promiscuous Mode policy must be set to reject on the ESXi host. | DISA STIG VMware vSphere 6.7 ESXi v1r3 | VMware | CONFIGURATION MANAGEMENT |
| ESXI-70-000061 - All port groups on standard switches must be configured to reject guest promiscuous mode requests. | DISA STIG VMware vSphere 7.0 ESXi v1r3 | VMware | CONFIGURATION MANAGEMENT |
| ESXI-80-000218 - The ESXi host must configure virtual switch security policies to reject promiscuous mode requests. | DISA VMware vSphere 8.0 ESXi STIG v2r2 | VMware | CONFIGURATION MANAGEMENT |
| Fabric Security - Policy - FIPS Mode | Tenable Cisco ACI | Cisco_ACI | SYSTEM AND COMMUNICATIONS PROTECTION |
| Front panel security | ArubaOS Switch 16.x Hardening Guide v1.0.0 | ArubaOS | SYSTEM AND COMMUNICATIONS PROTECTION |
| Include Logout in Session Records | Tenable Cisco ACI | Cisco_ACI | AUDIT AND ACCOUNTABILITY |
| JUEX-L2-000080 - The Juniper EX switch must be configured to enable Root Protection on STP switch ports connecting to access layer switches. | DISA Juniper EX Series Layer 2 Switch v2r2 | Juniper | SYSTEM AND COMMUNICATIONS PROTECTION |
| JUEX-L2-000110 - The Juniper EX switch must be configured not to forward unknown unicast traffic to access interfaces. | DISA Juniper EX Series Layer 2 Switch v2r2 | Juniper | SYSTEM AND COMMUNICATIONS PROTECTION |
| JUEX-RT-000370 - The Juniper perimeter router must be configured to deny network traffic by default and allow network traffic by exception. | DISA Juniper EX Series Router v2r1 | Juniper | SYSTEM AND COMMUNICATIONS PROTECTION |
| JUNI-RT-000290 - The Juniper perimeter router must be configured to not be a Border Gateway Protocol (BGP) peer to an alternate gateway service provider - BGP peer to an alternate gateway service provider. | DISA STIG Juniper Router RTR v3r1 | Juniper | ACCESS CONTROL |
| Local password complexity - password configuration aging | ArubaOS Switch 16.x Hardening Guide v1.0.0 | ArubaOS | IDENTIFICATION AND AUTHENTICATION |
| Local password complexity - password configuration history | ArubaOS Switch 16.x Hardening Guide v1.0.0 | ArubaOS | IDENTIFICATION AND AUTHENTICATION |
| Management VLAN | ArubaOS Switch 16.x Hardening Guide v1.0.0 | ArubaOS | CONFIGURATION MANAGEMENT |
| Network Security - Configure LLDP only on required network ports - LLDP-MED | Juniper Hardening JunOS 12 Devices Checklist | Juniper | CONFIGURATION MANAGEMENT |
| PHTN-40-000244 The Photon operating system must enable hardlink access control protection in the kernel. | DISA VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 STIG v2r1 | Unix | CONFIGURATION MANAGEMENT |
| VCSA-80-000271 - The vCenter Server must only send NetFlow traffic to authorized collectors. | DISA VMware vSphere 8.0 vCenter STIG v2r2 | VMware | CONFIGURATION MANAGEMENT |
| VCWN-65-000016 - The vCenter Server for Windows must only send NetFlow traffic to authorized collectors. | DISA STIG VMware vSphere vCenter 6.5 v2r3 | VMware | CONFIGURATION MANAGEMENT |
| vNetwork : label-vswitches | VMWare vSphere 5.X Hardening Guide | VMware | |
| vNetwork : set-non-negotiate | VMWare vSphere 5.X Hardening Guide | VMware | |
