There are 50 Microsoft-defined policies and 71 conditions for Policy Based Management (PBM) that get put onto the hard drive when you install SQL Server 2008, but not installed into SQL Server Management Studio (SSMS) by default. You can import them by expanding Management/Policy Management, right-clicking on Policies, clicking on "Import Policy...", and browsing to "C:\Program Files\microsoft sql server\100\Tools\Policies\DatabaseEngine\1033". You can import all of them at one time by clicking on any policy in the import dialog box, then using Ctrl-A to select all.
These are great to experiment with to start learning PBM, and some of these policies are STIG-relevant. Double-click any policy (or right-click it, and choose properties), then click on the Description page. The description, naturally, will tell you what that policy does. Then click back to the General page to examine the settings to see how it accomplishes its goal. Then close the properties, right-click on the name of the policy again, and choose Evaluate. The policy will run in evaluation mode (that means it won't make any changes to force things into policy compliance) and show you the results.
If you have Analysis Services or Reporting Services installed, there's a few additional polices under "C:\Program Files\microsoft sql server\100\Tools\Policies\AnalysisServices\1033" and "C:\Program Files\microsoft sql server\100\Tools\Policies\ReportingServices\1033".
If you chose a non-default location to install the SQL Server engine engine or shared files, then your polices will be under that file tree. If you want to search for them, they're XML files, such as "Guest Permissions.xml".
Incidentally, there are 74 pre-defined Facets that are installed into SSMS by default, and none are added by importing the pre-defined policies.