| 1.8.1 Ensure 'console session timeout' is less than or equal to '5' minutes | CIS Cisco ASA 9.x Firewall L1 v1.1.0 | Cisco | ACCESS CONTROL |
| 1.8.1 Ensure 'console session timeout' is less than or equal to '5' minutes | CIS Cisco Firewall v8.x L1 v4.2.0 | Cisco | CONFIGURATION MANAGEMENT |
| 2.1 Disable Local-only Graphical Login Environment | CIS Solaris 11.1 L1 v1.0.0 | Unix | CONFIGURATION MANAGEMENT |
| 3.1.3 - AirWatch - Set the 'minimum password length' | AirWatch - CIS Apple iOS 8 v1.0.0 L1 | MDM | IDENTIFICATION AND AUTHENTICATION |
| 4.3 (L1) Ensure the maximum failed login attempts is set to 5 | CIS VMware ESXi 7.0 v1.5.0 L1 | VMware | ACCESS CONTROL |
| 5.2.6 Ensure sudo authentication timeout is configured correctly | CIS Rocky Linux 9 v2.0.0 L1 Workstation | Unix | ACCESS CONTROL |
| 5.2.6 Ensure sudo timestamp_timeout is configured | CIS Oracle Linux 8 v4.0.0 L1 Server | Unix | IDENTIFICATION AND AUTHENTICATION |
| 5.2.6 Ensure sudo timestamp_timeout is configured | CIS Red Hat Enterprise Linux 10 v1.0.1 L1 Server | Unix | IDENTIFICATION AND AUTHENTICATION |
| 5.2.6 Ensure sudo timestamp_timeout is configured | CIS Rocky Linux 8 v3.0.0 L1 Workstation | Unix | IDENTIFICATION AND AUTHENTICATION |
| 5.3.2 Ensure that Content Security Policy (CSP) is enabled and configured properly | CIS NGINX v3.0.0 L2 Webserver | Unix | CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| 5.3.6 Ensure sudo authentication timeout is configured correctly | CIS Amazon Linux 2 v4.0.0 L1 Server | Unix | ACCESS CONTROL |
| 5.14 Set the 'on-failure' container restart policy to 5 - RestartPolicyName=always | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | |
| 5.14 Set the 'on-failure' container restart policy to 5 - RestartPolicyName=on-failure | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.15 Set the 'on-failure' container restart policy to 5 - RestartPolicyName=on-failure | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.8 Extensible Firmware Interface (EFI) password | CIS Apple OSX 10.11 El Capitan L2 v1.1.0 | Unix | |
| 7.11 App Store Password Settings | CIS Apple OSX 10.11 El Capitan L2 v1.1.0 | Unix | |
| AIOS-02-090100 - Apple iOS must implement the management setting: Disable Allow MailDrop. | AirWatch - DISA Apple iOS 10 v1r3 | MDM | CONFIGURATION MANAGEMENT |
| AIOS-12-011200 - Apple iOS must implement the management setting: Disable Allow MailDrop. | AirWatch - DISA Apple iOS 12 v2r1 | MDM | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| AIOS-16-011000 - Apple iOS/iPadOS 16 must implement the management setting: Disable Allow MailDrop. | MobileIron - DISA Apple iOS-iPadOS 16 STIG v2r2 | MDM | ACCESS CONTROL, CONFIGURATION MANAGEMENT |
| Allow only approved domains to use the TDC ActiveX control - Internet Zone | MSCT Windows 10 v21H1 v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Allow only approved domains to use the TDC ActiveX control - Internet Zone | MSCT Windows 11 v24H2 v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Allow only approved domains to use the TDC ActiveX control - Internet Zone | MSCT Windows Server 2025 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Allow only approved domains to use the TDC ActiveX control - Restricted Sites Zone | MSCT Windows 11 v24H2 v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Allow only approved domains to use the TDC ActiveX control - Restricted Sites Zone | MSCT Windows Server v2004 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Allow only approved domains to use the TDC ActiveX control - Restricted Sites Zone | MSCT Windows Server 2016 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Allow only approved domains to use the TDC ActiveX control - Restricted Sites Zone | MSCT Windows Server 2019 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Allow only approved domains to use the TDC ActiveX control - Restricted Sites Zone | MSCT Windows Server 2025 DC v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Allow only approved domains to use the TDC ActiveX control - Restricted Sites Zone | MSCT Windows Server 2025 DC v2506 v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Allow only approved domains to use the TDC ActiveX control - Restricted Sites Zone | MSCT Windows Server 2025 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Allow only approved domains to use the TDC ActiveX control - Restricted Sites Zone | MSCT Windows Server 2025 MS v2506 v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| Allow only approved domains to use the TDC ActiveX control - Restricted Sites Zone | MSCT Windows Server v20H2 MS v1.0.0 | Windows | CONFIGURATION MANAGEMENT |
| APPNET0075 - Update and configure the .NET Framework to support TLS. | DISA Microsoft DotNet Framework 4.0 STIG v2r7 | Windows | CONFIGURATION MANAGEMENT |
| BIND-9X-001360 - The BIND 9.x server implementation must prohibit the forwarding of queries to servers controlled by organizations outside of the U.S. government. | DISA BIND 9.x STIG v3r1 | Unix | CONFIGURATION MANAGEMENT |
| BIND-9X-001490 - On the BIND 9.x server, the platform on which the name server software is hosted must be configured to send outgoing DNS messages from a random port. | DISA BIND 9.x STIG v3r1 | Unix | CONFIGURATION MANAGEMENT |
| CISC-RT-000260 - The Cisco perimeter switch must be configured to only allow incoming communications from authorized sources to be routed to authorized destinations. | DISA Cisco IOS Switch RTR STIG v3r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000280 - The Cisco perimeter router must be configured to protect an enclave connected to an alternate gateway by using an inbound filter that only permits packets with destination addresses within the sites address space. | DISA Cisco IOS XR Router RTR STIG v3r3 | Cisco | ACCESS CONTROL |
| CISC-RT-000470 - The Cisco BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM). | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000470 - The Cisco BGP router must be configured to enable the Generalized TTL Security Mechanism (GTSM). | DISA Cisco IOS XE Router RTR STIG v3r5 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CISC-RT-000820 - The Cisco multicast Rendezvous Point (RP) router must be configured to limit the multicast forwarding cache so that its resources are not saturated by managing an overwhelming number of Protocol Independent Multicast (PIM) and Multicast Source Discovery Protocol (MSDP) source-active entries. | DISA Cisco IOS Router RTR STIG v3r4 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| Ensure 'HTTP session timeout' is less than or equal to '5' minutes | Tenable Cisco Firepower Best Practices Audit | Cisco | CONFIGURATION MANAGEMENT |
| GEN000800 - The system must prohibit the reuse of passwords within five iterations. | DISA STIG Solaris 10 X86 v2r4 | Unix | IDENTIFICATION AND AUTHENTICATION |
| GEN000800 - The system must prohibit the reuse of passwords within five iterations. | DISA STIG Solaris 10 SPARC v2r4 | Unix | IDENTIFICATION AND AUTHENTICATION |
| OL6-00-000202 - The audit system must be configured to audit the loading and unloading of dynamic kernel modules - module b32 | DISA STIG Oracle Linux 6 v2r7 | Unix | AUDIT AND ACCOUNTABILITY |
| SLEM-05-253045 - SLEM 5 must be configured to use TCP syncookies. | DISA SUSE Linux Enterprise Micro SLEM 5 STIG v1r3 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| SLEM-05-255090 - There must be no .shosts files on SLEM 5. | DISA SUSE Linux Enterprise Micro SLEM 5 STIG v1r3 | Unix | CONFIGURATION MANAGEMENT |
| SLEM-05-255095 - There must be no shosts.equiv files on SLEM 5. | DISA SUSE Linux Enterprise Micro SLEM 5 STIG v1r3 | Unix | CONFIGURATION MANAGEMENT |
| SLEM-05-611045 - SLEM 5 must not allow passwords to be reused for a minimum of five generations. | DISA SUSE Linux Enterprise Micro SLEM 5 STIG v1r3 | Unix | IDENTIFICATION AND AUTHENTICATION |
| SLEM-05-653050 - SLEM 5 must protect audit rules from unauthorized modification. | DISA SUSE Linux Enterprise Micro SLEM 5 STIG v1r3 | Unix | AUDIT AND ACCOUNTABILITY |
| SLES-12-010910 - The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes. | DISA SLES 12 STIG v3r4 | Unix | CONFIGURATION MANAGEMENT |
| SLES-15-040220 - The SUSE operating system must be configured to not overwrite Pluggable Authentication Modules (PAM) configuration on package changes. | DISA SUSE Linux Enterprise Server 15 STIG v2r6 | Unix | CONFIGURATION MANAGEMENT |
