Policy Compliance Library Updates, December 2025
Qualys’ library of built-in policies makes it easy to comply with the widely adopted security standards and regulations. The platform offers a broad range of policies, including many that have been certified by the Center for Internet Security (CIS), as well as security guidelines and industry best practices from operating system and application vendors.
Qualys’ Certification Page on the CIS website has also been updated.
CIS Benchmark Policies
The Center for Internet Security (CIS) Benchmark policies are technical guidelines for organizations to improve their cybersecurity posture by aligning with recommended secure configurations. By leveraging industry best practices, these guidelines help reduce the risk of cyberattacks, including data breaches.
DISA STIG Policies
STIG stands for Security Technical Implementation Guide, which is a set of cybersecurity guidelines published by the Defense Information Systems Agency (DISA). These guidelines equip organizations with the necessary tools to adhere to rules, regulations, best practices, and federal laws, facilitating compliance and bolstering cybersecurity measures.
Qualys Policies
Qualys oversees the discovery and resolution of technical issues while implementing robust policy frameworks. Researchers within Qualys actively identify cybersecurity misconfigurations and enact technical policies to fortify systems and safeguard against potential threats.
Safeguard Computer Security Evaluation Matrix (SCSEM)
It typically comprises a structured set of criteria, guidelines, and metrics designed to measure various aspects of security, such as confidentiality, integrity, availability, and compliance.
Compliance Standards
Compliance standards are regulatory frameworks that safeguard sensitive data and help ensure privacy and security. They offer guidelines and best practices for organizations to achieve compliance and mitigate risks in handling sensitive information.
New Policies/Mandates
Listed below are the number of policies and mandates deployed in December 2025:
| CIS Benchmark Policies | 10 |
| DISA STIG Policy | 7 |
| Industry Best Practices Policy | 0 |
| New Supported Mandates | 0 |
| Deprecated Mandates | 0 |
Listed below are the newly published policies and mandates:
| CIS Benchmark Policies | CIS Benchmark for Kubernetes, v1.12.0 CIS Benchmark for Apple macOS 13.0 Ventura v4.0.0 CIS Benchmark for Apple macOS 14.0 Sonoma v3.0.0 CIS Benchmark for Apple macOS 15 Sequoia v2.0.0 CIS Benchmark for Microsoft Edge, v4.0.0 CIS Benchmark for Palo Alto Firewall 11, v1.2.0 CIS Benchmark for Microsoft Windows 11 Enterprise, v4.0.0 CIS Azure Kubernetes Service (AKS) Benchmark, v1.8.0 CIS Amazon Elastic Kubernetes Service (EKS) Benchmark, v1.8.0 CIS Fortigate 7.0.x Benchmark, v1.4.0 |
| DISA STIG Policies | DISA Security Technical Implementation Guide (STIG) for IBM z/OS RACF, V9R4 DISA Security Technical Implementation Guide (STIG) for Kubernetes, V2R4 DISA Security Technical Implementation Guide (STIG) for VMware vSphere 7.0 Virtual Machine, V1R4 DISA Security Technical Implementation Guide (STIG) for VMware vSphere ESXi 7.0, V1R4 DISA Security Technical Implementation Guide (STIG) for VMware vSphere ESXi 8.0, V2R3 DISA Security Technical Implementation Guide (STIG) for Apache 2.4 Site for Windows, V2R2 DISA Security Technical Implementation Guide (STIG) for Redis Enterprise 6.x, V2R2 |
| Industry and Best Practices Policies | NA |
| New Supported Mandates | NA |
| Deprecated mandates | NA |
Policy Updates
We have updated your Policy Library. The following policies and mandates have been re-released as part of our customer CRM.
| Policy | Update |
| Security Configuration and Compliance Policy for Amazon RDS – MySQL Database | Re-release for Security Configuration and Compliance Policy for Amazon RDS – MySQL Database v.1.0. |
| CIS Benchmark for Red Hat Enterprise Linux 7, v4.0.0 | Re-release for CIS Benchmark for Red Hat Enterprise Linux 7, v4.0.0, to combine the Audit Procedures CIDs 10859, 17972, 17971, and 19793 with CID-29536 for CIS RHEL 7 v4.0.0 and RHEL 8 v3.0.0. |
| CIS Benchmark for Oracle Database 19c Multitenant on Windows host, v1.2.0 | Re-release for CIS Benchmark for Oracle Database 19c Multitenant on Windows host, v1.2.0, to replace 1066 with 31381 and replace 1067 with 31382. |
| CIS Benchmark for Oracle Database 19c Multitenant on Linux host, v1.2.0 | Re-release for CIS Benchmark for Oracle Database 19c Multitenant on Linux host, v1.2.0, to replace 1066 with 31381 and replace 1067 with 31382. |
| CIS Benchmark for Oracle Database 19c on Windows host, v1.2.0 | Re-release for CIS Benchmark for Oracle Database 19c on Windows host, v1.2.0, to replace 1066 with 31381 and replace 1067 with 31382. |
| CIS Benchmark for Oracle Database 19c on Linux host, v1.2.0 | Re-release for CIS Benchmark for Oracle Database 19c on Linux host, v1.2.0, to replace 1066 with 31381 and replace 1067 with 31382. |
| CIS Benchmark for Juniper OS, v2.1.0 | Re-release for CIS Benchmark for Juniper OS, v2.1.0, to replace new control 8506 with 31429. |
| CIS Benchmark for Apple macOS 26 Tahoe, v1.0.0 | Re-release for CIS Benchmark for Apple macOS 26 Tahoe, v1.0.0, to update the cover page of the policy. |
| CIS Benchmark for Red Hat Enterprise Linux 10, v1.0.1 | Re-release for CIS Benchmark for Red Hat Enterprise Linux 10, v1.0.1, to update the cover page and reference mapping. |
| CIS Benchmark for Microsoft SQL Server 2022, v1.2.0 | Re-release for CIS Benchmark for Microsoft SQL Server 2022, v1.2.0, to change the configuration for 27016. |
| CIS Benchmark for Microsoft SQL Server 2019, v1.5.0 | Re-release for CIS Benchmark for Microsoft SQL Server 2019, v1.5.0, to change the configuration for 27016. |
| CIS Benchmark for Microsoft SQL Server 2017, v1.3.0 | Re-release for CIS Benchmark for Microsoft SQL Server 2017, v1.3.0, to change the configuration for 27016. |
| CIS Benchmark for Microsoft SQL Server 2016, v1.4.0 | Re-release for CIS Benchmark for Microsoft SQL Server 2016, v1.4.0, to change the configuration for 27016. |
| CIS Benchmark for MongoDB 8, v1.0.0 | Re-release for CIS Benchmark for MongoDB 8, v1.0.0, to add the CID 11738 to the CIS MongoDB 8.x policy. |
| CIS Benchmark for Red Hat Enterprise Linux 9, v2.0.0 | Re-release for CIS Benchmark for Red Hat Enterprise Linux 9, v2.0.0, to update the regular expression of CID 29167 in the policy. |
| NIST 800-171 Rev 2 for Microsoft Windows | Re-release for NIST 800-171 Rev 2 for Microsoft Windows to add Windows Server 2025 technology. |
| CIS Benchmark for Oracle Linux 8, v3.0.0 | Re-release for CIS Benchmark for Oracle Linux 8, v3.0.0, to update the regular expression for CID 10823. |
| New Database policy for AWS RDS- PostgreSQL Database | Re-release for the New Database policy for AWS RDS- PostgreSQL Database to update the policy as per the new CIS data. |
| New Database policy for Oracle AWS RDS | Re-release for the New Database policy for Oracle AWS RDS to update the policy as per the new CIS data. |
| CIS Benchmark for Microsoft Windows Server 2012 R2, v3.0.0 | Re-release for CIS Benchmark for Microsoft Windows Server 2012 R2, v3.0.0 policy to update the regular expression of CID 10028. |
| DISA for Oracle Database 19c, V1R2 | Re-release for DISA for Oracle Database 19c, V1R2, to fix the regular expression of 5676 |
| CIS Benchmark for MongoDB 5, v1.2.0 | Re-release for CIS Benchmark for MongoDB 5, v1.2.0, to change the regular expression for control 11599 to match value 5. |
| CIS Benchmark for Cisco IOS XE 17.x, v2.2.0 | Re-release for CIS Benchmark for Cisco IOS XE 17.x, v2.2.0, to update the regular expression in the policy for CID 4385. |
| CIS Apache Tomcat 9 v1.2.0 | Re-release for CIS Apache Tomcat 9 v1.2.0, to update the regular expression of CID 9553. |
| CIS Benchmark for Cisco NX-OS v1.2.0 | CIS Benchmark for Cisco NX-OS v1.2.0, to add CID 13675. |
| CIS Benchmark for Alma Linux 8 v3.0.0 | Re-release for CIS Benchmark for Alma Linux 8 v3.0.0, to fix the regular expression for CID 29403. |
| CIS Benchmark for Alma Linux OS 9, v2.0.0 | Re-release for CIS Benchmark for Alma Linux OS 9, v2.0.0, to fix the regular expression for CID 29403. |
| CIS Benchmark for Amazon Linux 2023, v1.0.0 | Re-release for CIS Benchmark for Amazon Linux 2023, v1.0.0, to fix the regular expression for CID 29403. |
| CIS Benchmark for Amazon Linux 2, v3.0.0 | Re-release for CIS Benchmark for Amazon Linux 2, v3.0.0, to fix the regular expression for CID 29403. |
| CIS Benchmark for CentOS Linux 7, v4.0.0 | Re-release for CIS Benchmark for CentOS Linux 7, v4.0.0, to fix the regular expression for CID 29403. |
| CIS Benchmark for Debian Linux 11, v2.0.0 | Re-release for CIS Benchmark for Debian Linux 11, v2.0.0, to fix the regular expression for CID 29403. |
| CIS Benchmark for Debian Linux 12, v1.1.0 | Re-release for CIS Benchmark for Debian Linux 12, v1.1.0, to fix the regular expression for CID 29403. |
| CIS Benchmark for Oracle Linux 8, v3.0.0 | Re-release for CIS Benchmark for Oracle Linux 8, v3.0.0, to fix the regular expression for CID 29403. |
| CIS Benchmark for Oracle Linux 9, v2.0.0 | Re-release for CIS Benchmark for Oracle Linux 9, v2.0.0, to fix the regular expression for CID 29403. |
| CIS Benchmark for Red Hat Enterprise Linux 10, v1.0.1 | Re-release for CIS Benchmark for Red Hat Enterprise Linux 10, v1.0.1, to fix the regular expression for CID 29403. |
| CIS Benchmark for Red Hat Enterprise Linux 8, v3.0.0 | Re-release for CIS Benchmark for Red Hat Enterprise Linux 8, v3.0.0, to fix the regular expression for CID 29403. |
| CIS Benchmark for Red Hat Enterprise Linux 7, v4.0.0 | Re-release for CIS Benchmark for Red Hat Enterprise Linux 7, v4.0.0, to fix the regular expression for CID 29403. |
| CIS Benchmark for Red Hat Enterprise Linux 10, v1.0. | Re-release for CIS Benchmark for Red Hat Enterprise Linux 10, v1.0., to fix the regular expression for CID 29403. |
| CIS Benchmark for Red Hat Enterprise Linux 8 STIG , v1.0.0 | Re-release for CIS Benchmark for Red Hat Enterprise Linux 8 STIG , v1.0.0, to fix the regular expression for CID 29403. |
| CIS Rocky Linux 8 Benchmark v2.0.0 | Re-release for CIS Rocky Linux 8 Benchmark v2.0.0, to fix the regular expression for CID 29403. |
| CIS Benchmark for Rocky Linux 9, v2.0.0 | Re-release for CIS Benchmark for Rocky Linux 9, v2.0.0, to fix the regular expression for CID 29403. |
| CIS Rocky Linux 8 Benchmark v2.0.0 | Re-release for CIS Rocky Linux 8 Benchmark v2.0.0, to fix the regular expression for CID 29403. |
| CIS Benchmark for SUSE Linux Enterprise 12.x, v3.2.0 | Re-release for CIS Benchmark for SUSE Linux Enterprise 12.x, v3.2.0, to fix the regular expression for CID 29403. |
| CIS Benchmark for SUSE Linux Enterprise 15.x, v2.0.1 | Re-release for CIS Benchmark for SUSE Linux Enterprise 15.x, v2.0.1, to fix the regular expression for CID 29403. |
| CIS Benchmark for Ubuntu Linux 20.04 LTS, v3.0.0 | Re-release for CIS Benchmark for Ubuntu Linux 20.04 LTS, v3.0.0, to fix the regular expression for CID 29403. |
| CIS Ubuntu Linux 20.04 LTS STIG, v2.0.0 | Re-release for CIS Ubuntu Linux 20.04 LTS STIG, v2.0.0, to fix the regular expression for CID 29403. |
| CIS Benchmark for Ubuntu Linux 22.04 LTS, v2.0.0 | Re-release for CIS Benchmark for Ubuntu Linux 22.04 LTS, v2.0.0, to fix the regular expression for CID 29403. |
| CIS Benchmark for Ubuntu Linux 24.04 LTS, v1.0.0 | Re-release for CIS Benchmark for Ubuntu Linux 24.04 LTS, v1.0.0, to fix the regular expression for CID 29403. |
Deprecated Policies
- DISA Security Technical Implementation Guide (STIG) for Kubernetes, V1R10
- CIS Benchmark for Kubernetes, v1.11.1
- DISA Security Technical Implementation Guide (STIG) for VMware vSphere ESXi 7.0, V1R3
- DISA Security Technical Implementation Guide (STIG) for VMware vSphere 7.0 Virtual Machine, V1R3
- DISA Security Technical Implementation Guide (STIG) for VMware vSphere ESXi 8.0, V2R2
- DISA Security Technical Implementation Guide (STIG) for Apache 2.4 Site for Windows, V2R1
- CIS Benchmark for Apple macOS 13 Ventura, v3.1.0
- CIS Benchmark for Apple macOS 14 Sonoma, v2.1.0
- CIS Benchmark for Apple macOS 15 Sequoia, v1.1.0
- CIS Benchmark for Microsoft Edge, v3.0.0
- CIS Benchmark for Palo Alto Firewall 11, v1.1.0
- CIS Benchmark for SUSE Linux Enterprise 15.x, v1.1.1
Proposed Upcoming Policies
We plan to release the following policies and updates next month:
- DISA Security Technical Implementation Guide (STIG) for Apache 2.4 Site for UNIX, Ver 2 Rel 6
- DISA Security Technical Implementation Guide (STIG) for Active Directory Forest, V3R2
- CIS Red Hat Enterprise Linux 8 Benchmark, v4.0.0
- DISA STIG for VMWare vSphere vCenter Server 8, V2R3
- CIS Microsoft Windows Server 2025 Stand-alone v1.0.0
- CIS Ubuntu 22.04 v3.0.0
- Security Configuration and Compliance Policy for PAN OS 12
- Security Configuration and Compliance Policy for HP ILO
- Security baseline Windows 11, version 25H2
- Security Configuration and Compliance Policy for ArubaOS 10.x
- CIS Oracle MySQL Enterprise Edition 8.4 Benchmark, v1.1.0
- CIS Oracle MySQL Community Server 8.4 Benchmark, v1.1.0
- CIS Red Hat Enterprise Linux 9 STIG Benchmark, v1.0.0
- DISA STIG for Aruba Networking AOS NDM, V1R1
- DISA STIG for Aruba Networking AOS VPN, V1R1
- DISA STIG for Aruba Networking AOS Wireless, V1R1
- DISA Security Technical Implementation Guide (STIG) for Apple macOS 15 (Sequoia) STIG, Ver 1, Rel 4
- CIS AlmaLinux OS 10 Benchmark v1.0.0
- CIS HPE Aruba Networking CX Switch Benchmark, v1.0.0
- CIS Palo Alto Firewall 10 Benchmark, v1.3.0
- CIS Oracle Linux 10 Benchmark, v1.0.0
What’s Next
Discover how Qualys Enterprise TruRiskTM Platform can help you reduce cyber risk and improve business outcomes through precise remediation activities.
Get Support
If you have any questions or need any help, please contact your Technical Account Manager (TAM) or Qualys Technical Support.
Learn More: