Policy Compliance Library Updates, June 2026
Qualys’ library of built-in policies makes it easy to comply with the widely adopted security standards and regulations. The platform offers a broad range of policies, including many that have been certified by the Center for Internet Security (CIS), as well as security guidelines and industry best practices from operating system and application vendors.
Qualys’ Certification Page on the CIS website has also been updated.
CIS Benchmark Policies
Center for Internet Security (CIS) Benchmark policies are technical guidelines for organizations to improve their cybersecurity posture by aligning with recommended secure configurations. By leveraging industry best practices, these guidelines help reduce the risk of cyberattacks, such as data breaches.
DISA STIG Policies
STIG stands for Security Technical Implementation Guide, which is a set of cybersecurity guidelines published by the Defense Information Systems Agency (DISA). These guidelines equip organizations with the necessary tools to adhere to rules, regulations, best practices, and federal laws, facilitating compliance and bolstering cybersecurity measures.
CIS STIG Policies
CIS STIG Benchmarks are secure configuration guidelines released by the Center for Internet Security (CIS) and derived directly from DISA Security Technical Implementation Guides (STIGs). They are functionally equivalent to DISA STIGs and differ only in formatting and presentation, not in security controls or remediation guidance.
Qualys Policies
Qualys oversees the discovery and resolution of technical issues while implementing robust policy frameworks. Researchers within Qualys actively identify cybersecurity misconfigurations and enact technical policies to fortify systems and safeguard against potential threats.
Safeguard Computer Security Evaluation Matrix (SCSEM)
It typically comprises a structured set of criteria, guidelines, and metrics designed to measure various aspects of security, such as confidentiality, integrity, availability, and compliance.
Compliance Standards
Compliance standards are regulatory frameworks that safeguard sensitive data and help ensure privacy and security. They offer guidelines and best practices for organizations to achieve compliance and mitigate risks in handling sensitive information.
New Policies/Mandates
Listed below are the number of policies and mandates deployed in June 2026:
| CIS Benchmark Policies | 6 |
| DISA STIG Policy | 7 |
| CIS STIG Benchmark | 25 |
| Industry Best Practices Policy | 2 |
| New Supported Mandates | 1 |
| Deprecated Mandates | 0 |
Listed below are the newly published policies and mandates:
| CIS Benchmark Policies | CIS Benchmark for Microsoft Intune for Edge, v1.0.0 CIS Benchmark for Microsoft Windows 11 Enterprise, v5.0.0 – Polish CIS Benchmark for Azure Compute Microsoft Windows Server 2022 v1.0.0 – Spanish CIS Benchmark for Apple macOS 15 Sequoia Intune, v1.1.0 CIS Apple MacOS 26 Tahoe Intune Benchmark, v1.0.0 CIS Benchmark for Debian Linux 13, v1.0.0 |
| DISA STIG Policies | DISA Security Technical Implementation Guide (STIG) for Microsoft OneNote 2016, V2R1 DISA Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 10, V1R1 DISA Security Technical Implementation Guide (STIG) for Active Directory Domain, V3R7 DISA Security Technical Implementation Guide (STIG) for Microsoft Windows 11, V2R7 DISA Security Technical Implementation Guide (STIG) for Microsoft Internet Explorer 11, V2R7 DISA Security Technical Implementation Guide (STIG) for Microsoft Edge, V2R5 DISA Security Technical Implementation Guide (STIG) for IIS 10 Server, V3R7 |
| CIS STIG Benchmark | CIS Benchmark for Microsoft Windows 10 STIG, v1.0.0 CIS IBM WebSphere Liberty Server STIG Benchmark, v1.0.0 CIS VMware vSphere 7.0 vCenter STIG Benchmark, v1.0.0 CIS VMware vSphere 7.0 Virtual Machine STIG Benchmark, v1.0.0 CIS Cisco IOS Router NDM STIG Benchmark, v1.1.0 CIS Microsoft Office System 2016 STIG Benchmark, v1.0.0 CIS Infoblox 8.x DNS STIG Benchmark, v1.0.0 CIS Microsoft DotNet Framework 4.0 STIG Benchmark, v1.0.0 CIS VMware vSphere 8.0 vCenter STIG Benchmark, v1.0.0 CIS VMware vSphere 8.0 Virtual Machine STIG Benchmark, v1.0.0 CIS Debian Linux 13 Benchmark, v1.0.0 CIS Cisco IOS Switch NDM STIG Benchmark, v1.1.0 CIS Cisco IOS Router RTR STIG Benchmark, v1.1.0 CIS Cisco IOS Switch RTR STIG Benchmark, v1.1.0 CIS Benchmark for JBoss Enterprise Application Platform 6.3 STIG, v1.0.0 CIS Benchmark for Microsoft Exchange 2019 Mailbox Server STIG, v1.0.0 CIS Benchmark for Microsoft Exchange 2016 Mailbox Server STIG, v1.0.0 CIS Benchmark for VMware ESXi 8.0 STIG, v1.0.0 CIS Benchmark for Apache Server 2.4 Windows Server STIG, v1.0.0 CIS Benchmark for Microsoft Office 365 ProPlus STIG, v1.1.0 CIS Benchmark for Microsoft Exchange 2019 Edge Server STIG, v1.0.0 CIS Benchmark for Microsoft IIS 10.0 Site STIG, v1.0.0 CIS Benchmark for VMware vSphere 7 ESXi STIG, v1.0.0 CIS Benchmark for Cisco IOS Switch L2S STIG, v1.0.0 CIS Benchmark for Microsoft Windows 11 STIG, v1.1.0 |
| Industry and Best Practices Policies | Safeguard Computer Security Evaluation Matrix for Rocky Linux 9, v1.0 ArubaOS Security Configuration Guide (SCG) for ArubaOS-CX |
| New Supported Mandates | NERC Critical Infrastructure Protection (CIP) 2026 |
| Deprecated mandates | NA |
Policy Updates
We have updated your Policy Library. The following policies and mandates have been re-released as part of our customer CRM.
| Policy | Update |
| Security Configuration and Compliance Policy for VMware vCenter Server Appliance | Re-release for Security Configuration and Compliance Policy for VMware vCenter Server Appliance, to addthe VMware vCenter Server 9.x. |
| DISA Security Technical Implementation Guide (STIG) for IBM WebSphere Traditional V9.x, V1R1 | Re-release for DISA Security Technical Implementation Guide (STIG) for IBM WebSphere Traditional V9. x, V1R1 to update the regular expression for 7807 and change the regular expression for 15809. |
| CIS Benchmark for Red Hat Enterprise Linux 8, v4.0.0 | Re-release for CIS Benchmark for Red Hat Enterprise Linux 8, v4.0.0, to update the regular expression for the CID 10693 and CID 10692 for the ownership and permission, respectively. |
| DISA Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 9, V2R7 | Re-release for DISA Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 9, V2R7, to replace the CID 10647 with control 21455. |
| CIS Benchmark for Red Hat Enterprise Linux 9, v2.0.0 | Re-release for CIS Benchmark for Red Hat Enterprise Linux 9, v2.0.0, to fix the regular expression for the CID 29437. |
| DISA Security Technical Implementation Guide (STIG) for Microsoft Windows Server 2025 DC, V1R1 | Re-release for DISA Security Technical Implementation Guide (STIG) for Microsoft Windows Server 2025 DC, V1R1 policy to update cover page. |
| CIS Benchmark for Juniper OS v2.1.0 | Re-release for CIS Benchmark for Juniper OS v2.1.0, to add JunOS 25.x and the missing versions in CIS Juniper OS and DISA policies. |
| CIS Benchmark for IBM DB2 11.x, v1.1.0 | Re-release for CIS Benchmark for IBM DB2 11.x, v1.1.0, to change the regular expressions of CID 10182, 10183, 10184, 10185, 4662, 4663, 4664, 4665. |
| CIS Benchmark for Cisco IOS 15, V4.1.1 | Re-release for CIS Benchmark for Cisco IOS 15, V4.1.1, to update the regular expressions for CID 4385. |
| CIS Benchmark for Amazon Linux 2023, v1.0.0 | Re-release for CIS Benchmark for Amazon Linux 2023, v1.0.0, to fix the CID 29185. |
| DISA Security Technical Implementation Guide (STIG) for Cisco IOS XR Router NDM, V3R5 | Re-release for DISA Security Technical Implementation Guide (STIG) for Cisco IOS XR Router NDM, V3R5, to add Cisco IOS XR 24.x and Cisco IOS XR 25.x” in DISA policies. |
| DISA Security Technical Implementation Guide (STIG) for Cisco IOS XR Router RTR, V3R3 | Re-release for DISA Security Technical Implementation Guide (STIG) for Cisco IOS XR Router RTR, V3R3, , to add Cisco IOS XR 24.x and Cisco IOS XR 25.x” in DISA policies. |
| CIS Benchmark for Microsoft Windows Server 2008 R2, v3.3.1 | Re-release for CIS Benchmark for Microsoft Windows Server 2008 R2, v3.3.1, to add CID 10968. |
| Compensatory Controls for CVEs | Re-release for Compensatory Controls for CVEs withthe latest CID |
| CIS Benchmark for Red Hat Enterprise Linux 10, v1.0.1 | Re-release for CIS Benchmark for Red Hat Enterprise Linux 10, v1.0.1, to update the regular expressions of auditctl controls. |
| CIS Benchmark for PostgreSQL 17, v1.0.0 | Re-release for CIS Benchmark for PostgreSQL 17, v1.0.0, to pass the control 27901 using a regular expression. |
| CIS Benchmark for Oracle Linux 8, v4.0.0 | Re-release for CIS Benchmark for Oracle Linux 8, v4.0.0, to to replace the CID 28220 to 32324. |
| DISA Security Technical Implementation Guide (STIG) for Crunchy Data PostgreSQL, V3R1 | Re-release for DISA Security Technical Implementation Guide (STIG) for Crunchy Data PostgreSQL, V3R1, for correction in Reference numbers. |
Deprecated Policies
- CIS Benchmark for Apple macOS 15 Sequoia Intune, v1.0.0
- DISA Security Technical Implementation Guide (STIG) for Active Directory Domain, V3R5
- Security configuration and compliance policy for Debian Linux 13.x
- DISA STIG Microsoft Windows 11 STIG, V2R7
- DISA Security Technical Implementation Guide (STIG) for Microsoft Internet Explorer 11, V2R6
- DISA Security Technical Implementation Guide (STIG) for Microsoft Edge, V2R4
- DISA Security Technical Implementation Guide (STIG) for IIS 10 Server, V3R4
Proposed Upcoming Policies
We plan to release the following policies and updates next month:
- CIS Red Hat Enterprise Linux 8 STIG Benchmark, v2.0.0
- CIS Cisco IOS XE Switch L2S STIG Benchmark v1.0.0
- CIS Oracle Linux 7 STIG Benchmark, v1.0.0
- CIS SUSE Linux Enterprise Server 15 STIG Benchmark, v1.0.0
- CIS Microsoft Windows Server 2016 STIG Benchmark, v4.0.0
- CIS Juniper Router NDM STIG Benchmark, v1.0.0
- CIS Oracle Linux 8 STIG Benchmark, v1.0.0
- CIS Juniper Router RTR STIG Benchmark, v1.0.0
- CIS Solaris 11 SPARC STIG Benchmark, v1.0.0
- CIS Solaris 11 X86 STIG Benchmark, v1.0.0
- CIS Apple macOS 15 (Sequoia) STIG Benchmark, v1.0.0
- CIS Cisco IOS XR Router RTR STIG Benchmark, v1.0.0
- CIS Cisco IOS XR Router NDM STIG Benchmark, v1.0.0
- CIS Microsoft Exchange 2016 Edge Transport Server STIG Benchmark, v1.0.0
- CIS Palo Alto Networks NDM STIG Benchmark, v1.0.0
- CIS Palo Alto Networks IDPS STIG Benchmark, v1.0.0
- CIS Palo Alto Networks ALG STIG Benchmark, v1.0.0
- CIS Apple macOS 14 (Sonoma) Security Technical Implementation Guide STIG Benchmark, 1.0.0
- CIS IBM Db2 12.1 Benchmark v1.0.0
- DISA Security Technical Implementation Guide (STIG) for Apple macOS 26 (Tahoe) STIG – Ver 1, Rel 2
- DISA Security Technical Implementation Guide (STIG) for Microsoft Skype for Business 2016 STIG – Ver 2, Rel 1
- CIS SUSE Linux Enterprise 16 Benchmark, v1.0.0
- CIS Cisco IOS XE Switch NDM STIG Benchmark, v1.1.0
- CIS Cisco IOS XE Router NDM STIG Benchmark, v1.0.0
- CIS Benchmark for Microsoft Intune Office Enterprise v1.1.0
- CIS Cisco IOS XE Router RTR STIG Benchmark, v1.1.0
- CIS Cisco IOS XE Switch RTR STIG Benchmark. v1.1.0
- CIS Amazon Elastic Kubernetes Service (EKS) Benchmark, v2.0.0
- CIS Microsoft SQL Server 2022 Instance STIG Benchmark, v1.0.0
- CIS Amazon Linux 2023 STIG Benchmark, v1.0.0
- CIS Apache Tomcat Application Server 9 STIG Benchmark, v1.0.0
- CIS Apple macOS 14.0 Sonoma Benchmark, v3.1.0
- CIS Apple macOS 26 Tahoe Benchmark, v1.1.0
- CIS Apple macOS 15.0 Sequoia Benchmark, v2.1.0
- DISA STIG for Microsoft Windows Server 2022 – Ver 2, Rel 8
- DISA STIG for Microsoft Windows Server 2019 – Ver 3, Rel 8
- DISA STIG for Microsoft Windows 11 – Ver 2, Rel 7
- DISA STIG for Red Hat Enterprise Linux 9 – Ver 2, Rel 8
- DISA STIG for Red Hat Enterprise Linux 8 – Ver 2, Rel 7
- DISA STIG for Red Hat Enterprise Linux 7 – Ver 3, Rel 15
- DISA STIG for Solaris 11 SPARC – Ver 3, Rel 5
- DISA STIG for IIS 10.0 Site Ver 2, Rel5
- CIS IBM Db2 11 Benchmark, v1.2.0
- CIS MariaDB Enterprise 10.x STIG Benchmark, v1.1.0
What’s Next
Discover how Qualys Enterprise TruRiskTM Platform can help you reduce cyber risk and improve business outcomes through precise remediation activities. Learn more about it here.
Additional Information
Feel free to contact your Technical Account Manager (TAM) or Qualys Technical Support if you have any questions.
Learn More
- Find all policy library updates here.
- Check out Qualys’ updated Certification Page at CIS here.