| 1.4.3 Set 'username secret' for all local users | CIS Cisco IOS XE 16.x v2.1.0 L1 | Cisco | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.135 - User Account Control - Switch to secure desktop | DISA Windows Vista STIG v6r41 | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 17.2.5 Ensure 'Audit Other Account Management Events' is set to include 'Success' (STIG only) | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG MS | Windows | AUDIT AND ACCOUNTABILITY |
| 20.21 Ensure 'DoD Root Certificate Authority (CA) certificates' are installed in the 'Trusted Root Store' | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG DC | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 20.21 Ensure 'DoD Root Certificate Authority (CA) certificates' are installed in the 'Trusted Root Store' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 20.21 Ensure 'DoD Root Certificate Authority (CA) certificates' are installed in the 'Trusted Root Store' | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG MS | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 20.21 Ensure 'DoD Root Certificate Authority (CA) certificates' are installed in the 'Trusted Root Store' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG MS | Windows | SYSTEM AND COMMUNICATIONS PROTECTION |
| 20.27 Ensure 'Event Viewer must be protected from unauthorized modification and deletion' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | AUDIT AND ACCOUNTABILITY |
| 20.27 Ensure 'Event Viewer must be protected from unauthorized modification and deletion' (STIG only) | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG DC | Windows | AUDIT AND ACCOUNTABILITY |
| 20.28 Ensure 'Fax Server role' is set to 'Not Installed' | CIS Microsoft Windows Server 2016 STIG v3.0.0 STIG MS | Windows | CONFIGURATION MANAGEMENT |
| 20.28 Ensure 'Fax Server role' is set to 'Not Installed' (STIG only) | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG MS | Windows | CONFIGURATION MANAGEMENT |
| 20.30 Ensure 'FTP servers must be configured to prevent anonymous logons' | CIS Microsoft Windows Server 2019 STIG v3.0.0 STIG DC | Windows | CONFIGURATION MANAGEMENT |
| 20.30 Ensure 'FTP servers must be configured to prevent anonymous logons' (STIG only) | CIS Microsoft Windows Server 2022 STIG v2.0.0 STIG MS | Windows | CONFIGURATION MANAGEMENT |
| CASA-FW-000020 - The Cisco ASA must immediately use updates made to policy enforcement mechanisms such as firewall rules, security policies, and security zones. | DISA STIG Cisco ASA FW v2r1 | Cisco | ACCESS CONTROL |
| CASA-FW-000040 - The Cisco ASA must be configured to generate traffic log entries containing information to establish what type of events occurred - Log Parameters | DISA STIG Cisco ASA FW v2r1 | Cisco | AUDIT AND ACCOUNTABILITY |
| CASA-FW-000040 - The Cisco ASA must be configured to generate traffic log entries containing information to establish what type of events occurred - Logging Enabled | DISA STIG Cisco ASA FW v2r1 | Cisco | AUDIT AND ACCOUNTABILITY |
| CASA-FW-000090 - The Cisco ASA must be configured to queue log records locally in the event that the central audit server is down or not reachable - Buffer Enabled | DISA STIG Cisco ASA FW v2r1 | Cisco | AUDIT AND ACCOUNTABILITY |
| CASA-FW-000130 - The Cisco ASA must be configured to disable or remove unnecessary network services and functions that are not used as part of its role in the architecture - HTTP | DISA STIG Cisco ASA FW v2r1 | Cisco | CONFIGURATION MANAGEMENT |
| CASA-FW-000130 - The Cisco ASA must be configured to disable or remove unnecessary network services and functions that are not used as part of its role in the architecture - Telnet | DISA STIG Cisco ASA FW v2r1 | Cisco | CONFIGURATION MANAGEMENT |
| CASA-FW-000210 - The Cisco ASA must be configured to generate a real-time alert to organization-defined personnel and/or the firewall administrator in the event communication with the central audit server is lost - From-address | DISA STIG Cisco ASA FW v2r1 | Cisco | AUDIT AND ACCOUNTABILITY |
| CASA-FW-000210 - The Cisco ASA must be configured to generate a real-time alert to organization-defined personnel and/or the firewall administrator in the event communication with the central audit server is lost - Recipient-address | DISA STIG Cisco ASA FW v2r1 | Cisco | AUDIT AND ACCOUNTABILITY |
| CASA-FW-000210 - The Cisco ASA must be configured to generate a real-time alert to organization-defined personnel and/or the firewall administrator in the event communication with the central audit server is lost - Severity | DISA STIG Cisco ASA FW v2r1 | Cisco | AUDIT AND ACCOUNTABILITY |
| CASA-FW-000230 - The Cisco ASA must be configured to filter inbound traffic on all external interfaces - ACL | DISA STIG Cisco ASA FW v2r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel - ACL | DISA STIG Cisco ASA FW v2r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CASA-FW-000260 - The Cisco ASA must be configured to forward management traffic to the Network Operations Center (NOC) via an IPsec tunnel - set peer | DISA STIG Cisco ASA FW v2r1 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CASA-FW-000300 - The Cisco ASA must be configured to generate an alert that can be forwarded to organization-defined personnel and/or the firewall administrator when denial-of-service (DoS) incidents are detected - scanning-threat | DISA STIG Cisco ASA FW v2r1 | Cisco | SYSTEM AND INFORMATION INTEGRITY |
| CASA-ND-000110 - The Cisco ASA must be configured to automatically audit account-disabling actions. | DISA STIG Cisco ASA NDM v2r2 | Cisco | ACCESS CONTROL |
| CASA-ND-000210 - The Cisco ASA must be configured to protect against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation. | DISA STIG Cisco ASA NDM v2r2 | Cisco | AUDIT AND ACCOUNTABILITY |
| CASA-ND-000930 - The Cisco ASA must be configured to generate an immediate real-time alert of all audit failure events requiring real-time alerts. | DISA STIG Cisco ASA NDM v2r2 | Cisco | AUDIT AND ACCOUNTABILITY |
| CASA-ND-001310 - The Cisco ASA must be configured to use at least two authentication servers to authenticate users prior to granting administrative access. | DISA STIG Cisco ASA NDM v2r2 | Cisco | CONFIGURATION MANAGEMENT |
| CASA-ND-001350 - The Cisco ASA must be configured to conduct backups of system-level information contained in the information system when changes occur. | DISA STIG Cisco ASA NDM v2r2 | Cisco | CONTINGENCY PLANNING |
| CASA-VN-000010 - The Cisco ASA must be configured to generate log records containing information to establish what type of VPN events occurred. | DISA STIG Cisco ASA VPN v2r2 | Cisco | AUDIT AND ACCOUNTABILITY |
| CASA-VN-000020 - The Cisco ASA must be configured to generate log records containing information to establish when the events occurred. | DISA STIG Cisco ASA VPN v2r2 | Cisco | AUDIT AND ACCOUNTABILITY |
| CASA-VN-000080 - The Cisco ASA must be configured to queue log records locally in the event that the central audit server is down or not reachable. | DISA STIG Cisco ASA VPN v2r2 | Cisco | AUDIT AND ACCOUNTABILITY |
| CASA-VN-000130 - The Cisco ASA must be configured to not accept certificates that have been revoked when using PKI for authentication. | DISA STIG Cisco ASA VPN v2r2 | Cisco | IDENTIFICATION AND AUTHENTICATION |
| CASA-VN-000180 - The Cisco ASA must be configured to specify Perfect Forward Secrecy (PFS) for the IPsec Security Association (SA) during IKE Phase 2 negotiation. | DISA STIG Cisco ASA VPN v2r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CASA-VN-000200 - The Cisco ASA must be configured to use a FIPS-validated cryptographic module to implement IPsec encryption services. | DISA STIG Cisco ASA VPN v2r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CASA-VN-000210 - The Cisco ASA must be configured to use a Diffie-Hellman (DH) Group of 16 or greater for Internet Key Exchange (IKE) Phase 1 - IKE Phase 1. | DISA STIG Cisco ASA VPN v2r2 | Cisco | ACCESS CONTROL |
| CASA-VN-000230 - The Cisco ASA must be configured to use FIPS-validated SHA-2 at 384 bits or higher for Internet Key Exchange (IKE) Phase 1 - IKE Phase 1. | DISA STIG Cisco ASA VPN v2r2 | Cisco | IDENTIFICATION AND AUTHENTICATION |
| CASA-VN-000390 - The Cisco ASA remote access VPN server must be configured to use a separate authentication server than that used for administrative access. | DISA STIG Cisco ASA VPN v2r2 | Cisco | IDENTIFICATION AND AUTHENTICATION |
| CASA-VN-000460 - The Cisco ASA remote access VPN server must be configured to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the network. | DISA STIG Cisco ASA VPN v2r2 | Cisco | ACCESS CONTROL |
| CASA-VN-000500 - The Cisco ASA remote access VPN server must be configured to generate log records containing information that establishes the identity of any individual or process associated with the event. | DISA STIG Cisco ASA VPN v2r2 | Cisco | AUDIT AND ACCOUNTABILITY |
| CASA-VN-000530 - The Cisco ASA remote access VPN server must be configured to produce log records containing information to establish the outcome of the events. | DISA STIG Cisco ASA VPN v2r2 | Cisco | AUDIT AND ACCOUNTABILITY |
| CASA-VN-000610 - The Cisco ASA remote access VPN server must be configured to generate unique session identifiers using a FIPS-validated Random Number Generator (RNG) based on the Deterministic Random Bit Generators (DRBG) algorithm. | DISA STIG Cisco ASA VPN v2r2 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| CASA-VN-000630 - The Cisco ASA remote access VPN server must be configured to use SHA-2 at 384 bits or greater for hashing to protect the integrity of IPsec remote access sessions. | DISA STIG Cisco ASA VPN v2r2 | Cisco | ACCESS CONTROL |
| Ensure timezone is properly configured | Tenable Cisco Firepower Best Practices Audit | Cisco | CONFIGURATION MANAGEMENT |
| EX13-EG-000170 - Exchange messages with a blank sender field must be filtered. | DISA Microsoft Exchange 2013 Edge Transport Server STIG v1r6 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| EX16-ED-000340 - Exchange messages with a blank sender field must be filtered. | DISA Microsoft Exchange 2016 Edge Transport Server STIG v2r5 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| EX19-ED-000124 - Exchange messages with a blank sender field must be filtered. | DISA Microsoft Exchange 2019 Edge Server STIG v2r2 | Windows | SYSTEM AND INFORMATION INTEGRITY |
| JUSX-DM-000166 - The Juniper SRX Services Gateway must be configured to use Junos 12.1 X46 or later to meet the minimum required version for DoD. | DISA Juniper SRX Services Gateway NDM v3r2 | Juniper | CONFIGURATION MANAGEMENT |
