| 1.1 Ensure DNS server is configured | CIS Fortigate 7.0.x v1.3.0 L1 | FortiGate | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.5.7 Ensure DNS is servers are configured - nameserver 1 | CIS Amazon Linux 2 STIG v1.0.0 L3 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.5.7 Ensure DNS is servers are configured - nameserver 2 | CIS Amazon Linux 2 STIG v1.0.0 L3 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1.5 Ensure hostname is set | CIS Fortigate 7.0.x v1.3.0 L1 | FortiGate | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1.6 Ensure DNS server is configured - primary | CIS Check Point Firewall L1 v1.1.0 | CheckPoint | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1 Ensure DNS services are configured correctly - name-server | CIS Cisco Firewall v8.x L1 v4.2.0 | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1.16 [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On' | CIS Microsoft Azure Foundations v3.0.0 L2 | microsoft_azure | RISK ASSESSMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.2 Restrict Recursive Queries - Authoritative Name Server | CIS BIND DNS v3.0.1 Authoritative Name Server | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.4 Restrict Queries of the Cache - Authoritative Only | CIS BIND DNS v3.0.1 Authoritative Name Server | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.4 CIFS - 'dns.domainname has been configured' | TNS NetApp Data ONTAP 7G | NetApp | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.4 CIFS - 'dns.enable = on' | TNS NetApp Data ONTAP 7G | NetApp | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.4 CIFS - 'dns.update.enable = on or secure' | TNS NetApp Data ONTAP 7G | NetApp | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.7.4 The default namespace should not be used | CIS RedHat OpenShift Container Platform v1.6.0 L2 | OpenShift | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.1 Ensure Root Domain Alias Record Points to ELB | CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.2 Ensure a DNS alias record for the root domain | CIS Amazon Web Services Three-tier Web Architecture L2 1.0.0 | amazon_aws | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.4 Ensure Either SPF or DKIM DNS Records are Configured | CIS BIND DNS v1.0.0 L2 Authoritative Name Server | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.3 Ensure Any Signing Keys using RSA Have a Length of 2048 or Greater | CIS BIND DNS v1.0.0 L2 Authoritative Name Server | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| Adtran : Ensure a trusted, primary DNS server is set | TNS Adtran AOS Best Practice Audit | Adtran | SYSTEM AND COMMUNICATIONS PROTECTION |
| Adtran : Ensure a trusted, secondary DNS server is set | TNS Adtran AOS Best Practice Audit | Adtran | SYSTEM AND COMMUNICATIONS PROTECTION |
| DNS Profile - Address - DNS Server 1 | Tenable Cisco ACI | Cisco_ACI | SYSTEM AND COMMUNICATIONS PROTECTION |
| DNS Profile - Address - DNS Server 2 | Tenable Cisco ACI | Cisco_ACI | SYSTEM AND COMMUNICATIONS PROTECTION |
| DNS: A trusted primary DNS server is configured | TNS Alcatel-Lucent TiMOS/Nokia SR-OS Best Practice Audit | Alcatel | SYSTEM AND COMMUNICATIONS PROTECTION |
| DNS: A trusted secondary DNS server is configured | TNS Alcatel-Lucent TiMOS/Nokia SR-OS Best Practice Audit | Alcatel | SYSTEM AND COMMUNICATIONS PROTECTION |
| Ensure DNS services are configured correctly - name-server | Tenable Cisco Firepower Best Practices Audit | Cisco | SYSTEM AND COMMUNICATIONS PROTECTION |
| Ensure DNS services are configured correctly - name-server | Tenable Cisco Firepower Threat Defense Best Practices Audit | Cisco_Firepower | SYSTEM AND COMMUNICATIONS PROTECTION |
| FireEye - The appliance uses a trusted DNS server | TNS FireEye | FireEye | SYSTEM AND COMMUNICATIONS PROTECTION |
| Fortigate - DNS - primary server | TNS Fortigate FortiOS Best Practices v2.0.0 | FortiGate | SYSTEM AND COMMUNICATIONS PROTECTION |
| Fortigate - DNS - secondary server | TNS Fortigate FortiOS Best Practices v2.0.0 | FortiGate | SYSTEM AND COMMUNICATIONS PROTECTION |
| MS.AAD.3.1v1 - Phishing-resistant MFA SHALL be enforced for all users. | CISA SCuBA Microsoft 365 Entra ID v1.5.0 | microsoft_azure | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| MS.DEFENDER.1.4v1 - Sensitive accounts SHALL be added to Exchange Online Protection in the strict preset security policy. | CISA SCuBA Microsoft 365 Defender v1.5.0 | microsoft_azure | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| MS.DEFENDER.1.5v1 - Sensitive accounts SHALL be added to Defender for Office 365 protection in the strict preset security policy. | CISA SCuBA Microsoft 365 Defender v1.5.0 | microsoft_azure | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| MS.DEFENDER.2.1v1 - User impersonation protection SHOULD be enabled for sensitive accounts in both the standard and strict preset policies. | CISA SCuBA Microsoft 365 Defender v1.5.0 | microsoft_azure | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| MS.DEFENDER.2.2v1 - Domain impersonation protection SHOULD be enabled for domains owned by the agency in both the standard and strict preset policies. | CISA SCuBA Microsoft 365 Defender v1.5.0 | microsoft_azure | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| MS.DEFENDER.2.3v1 - Domain impersonation protection SHOULD be added for important partners in both the standard and strict preset policies. | CISA SCuBA Microsoft 365 Defender v1.5.0 | microsoft_azure | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| MS.EXO.9.1v2 - Emails SHALL be filtered by attachment file types. | CISA SCuBA Microsoft 365 Exchange Online v1.5.0 | microsoft_azure | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| MS.EXO.9.3v2 - Disallowed file types SHALL be determined and enforced. | CISA SCuBA Microsoft 365 Exchange Online v1.5.0 | microsoft_azure | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| MS.EXO.9.4v1 - Alternatively chosen filtering solutions SHOULD offer services comparable to Microsoft Defender's Common Attachment Filter. | CISA SCuBA Microsoft 365 Exchange Online v1.5.0 | microsoft_azure | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| MS.EXO.9.5v1 - At a minimum, click-to-run files SHOULD be blocked (e.g., .exe, .cmd, and .vbe). | CISA SCuBA Microsoft 365 Exchange Online v1.5.0 | microsoft_azure | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| MS.EXO.10.1v1 - Emails SHALL be scanned for malware. | CISA SCuBA Microsoft 365 Exchange Online v1.5.0 | microsoft_azure | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| MS.EXO.10.2v1 - Emails identified as containing malware SHALL be quarantined or dropped. | CISA SCuBA Microsoft 365 Exchange Online v1.5.0 | microsoft_azure | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| MS.EXO.10.3v1 - Email scanning SHALL be capable of reviewing emails after delivery. | CISA SCuBA Microsoft 365 Exchange Online v1.5.0 | microsoft_azure | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| MS.EXO.15.1v1 - URL comparison with a block-list SHOULD be enabled. | CISA SCuBA Microsoft 365 Exchange Online v1.5.0 | microsoft_azure | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| MS.EXO.15.2v1 - Direct download links SHOULD be scanned for malware. | CISA SCuBA Microsoft 365 Exchange Online v1.5.0 | microsoft_azure | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| MS.EXO.15.3v1 - User click tracking SHOULD be enabled. | CISA SCuBA Microsoft 365 Exchange Online v1.5.0 | microsoft_azure | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| MS.TEAMS.7.1v1 - Attachments included with Teams messages SHOULD be scanned for malware. | CISA SCuBA Microsoft 365 Teams v1.5.0 | microsoft_azure | ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| SonicWALL - Review the DNS Server Settings | TNS SonicWALL v5.9 | SonicWALL | SYSTEM AND COMMUNICATIONS PROTECTION |
| WatchGuard : DNS Servers | TNS Best Practice WatchGuard Audit 1.0.0 | WatchGuard | SYSTEM AND COMMUNICATIONS PROTECTION |
| WDNS-SC-000003 - The Windows 2012 DNS Servers IP address must be statically defined and configured locally on the server. | DISA Microsoft Windows 2012 Server DNS STIG v2r7 | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| WDNS-SC-000004 - The Windows 2012 DNS Server must return data information in responses to internal name/address resolution queries. | DISA Microsoft Windows 2012 Server DNS STIG v2r7 | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| WDNS-SC-000005 - The Windows 2012 DNS Server must use DNSSEC data within queries to confirm data origin to DNS resolvers. | DISA Microsoft Windows 2012 Server DNS STIG v2r7 | Windows | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
