Policy Compliance Library Updates, September 2021

Pronamika Abraham

Qualys’ library of built-in policies makes it easy to comply with the security standards and regulations that are most commonly used and adhered to. Qualys provides a wide range of policies, including many that have been certified by CIS as well as the ones based on security guidelines from OS and application vendors and other industry best practices.

In order to keep up with the latest changes in security control requirements and new technologies, Qualys publishes new content to the Policy Library twice every month. The first update, released in the first week of each month, contains new policies; the second update, released at the end of the month, includes bug fixes and updated policies.

The September release includes 3 CIS Benchmark policies, 3 new mandate-based policies, 14 DISA STIG policies, and provides updates to several existing policies in the Qualys Content Library.

Qualys’ Certification Page at CIS has been updated.

New CIS Benchmark Policies

CIS Benchmarks are developed through consensus, providing an industry recognized collection of best practice controls. Qualys is committed to providing broad coverage of the CIS Benchmarks with regular releases of CIS certified policies in Policy Compliance and by contributing to the development of new benchmarks through the CIS Community.

This release contains the following new CIS Benchmark policies:

  • CIS Benchmark for CentOS Linux 8, v1.0.1
  • CIS Benchmark for Oracle Linux 8, v1.0.1
  • CIS Benchmark for Microsoft Windows 10 Enterprise Release 21H1 v1.11.0

New Mandate-based Policies

  • National Cyber Security Centre Cyber Essentials for Network Devices
  • National Cyber Security Centre Cyber Essentials for Database
  • Cybersecurity Maturity Model Certification (CMMC) v1.0 for Database

New DISA STIG Policies

  • DISA Security Technical Implementation Guide (STIG) for Apple macOS 10.14, Ver 2 Rel 4
  • DISA Security Technical Implementation Guide (STIG) for Apple macOS 10.15, Ver 1 Rel 5
  • DISA Security Technical Implementation Guide (STIG) for Apple macOS 11 Ver 1 Rel 3
  • DISA Security Technical Implementation Guide (STIG) for IBM AIX 7.x, V2R3
  • DISA Security Technical Implementation Guide (STIG) for Oracle Enterprise Linux 6, V2R4
  • DISA Security Technical Implementation Guide (STIG) for Oracle Enterprise Linux 7, V2R4
  • DISA Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 7, V3R4
  • DISA Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 8, V1R3
  • DISA Security Technical Implementation Guide (STIG) for SUSE Linux Enterprise 12.x, V2R4
  • DISA Security Technical Implementation Guide (STIG) for Ubuntu 18.04 LTS, V2R4
  • DISA Security Technical Implementation Guide (STIG) for Windows Server 2016 MS, V2R2
  • DISA Security Technical Implementation Guide (STIG) for Windows Server 2016 DC, V2R2
  • DISA Security Technical Implementation Guide (STIG) for Windows Server 2019 DC, V2R2
  • DISA Security Technical Implementation Guide (STIG) for Windows Server 2019 MS, V2R2

New Industry and Best Practice Policy

  • Qualys Security Configuration and Compliance Policy for NetApp Ontap 9.x

Deprecated Policies

The following policies are deprecated in the September 2021 package:

Linux:

  • DISA Security Technical Implementation Guide (STIG) for IBM AIX 7.x, V2R1
  • CIS Benchmark for CentOS Linux 8, v1.0.0
  • CIS Benchmark for Oracle Linux 8, v1.0.0
  • DISA Security Technical Implementation Guide (STIG) for Apple macOS 10.14, Ver 2 Rel 2
  • DISA Security Technical Implementation Guide (STIG) for Apple macOS 10.15, Ver 1 Rel 3
  • DISA Security Technical Implementation Guide (STIG) for Apple macOS 11, Ver 1 Rel 1
  • DISA Security Technical Implementation Guide (STIG) for Oracle Enterprise Linux 6, V2R2
  • DISA Security Technical Implementation Guide (STIG) for Ubuntu 18, V2R2
  • DISA Security Technical Implementation Guide (STIG) for Oracle Enterprise Linux 7, V2R2
  • DISA Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 7, V3R2
  • DISA Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 8, V1R1
  • DISA Security Technical Implementation Guide (STIG) for SUSE Linux Enterprise 12.x, V2R2

Windows:

  • DISA Security Technical Implementation Guide (STIG) for Windows Server 2016 DC, V2R1
  • DISA Security Technical Implementation Guide (STIG) for Windows Server 2016 MS, V2R1
  • DISA Security Technical Implementation Guide (STIG) for Windows Server 2019 DC, V2R1
  • DISA Security Technical Implementation Guide (STIG) for Windows Server 2019 MS, V2R1

Updated Library Policies

The following updated policies will be available in the PC Content Library by end of this month:

  • Policy update for controls 8552 and 8513:
    • CIS Benchmark for Cisco Firewall ASA 9.x, v4.1.0
  • Policy update for control changes:
    • Microsoft Security Baseline for Windows Server 2019
  • Policy update for NL value changes for CID 11337:
    • Cybersecurity Maturity Model Certification (CMMC) v1.0 for Windows
    • DISA Security Technical Implementation Guide (STIG) for Windows 8.1, V1R23
    • DISA Security Technical Implementation Guide (STIG) for Windows Server 2016 DC, V2R1
    • DISA Security Technical Implementation Guide (STIG) for Windows Server 2016 MS, V2R1
    • DISA Security Technical Implementation Guide (STIG) for Windows Server 2019 DC, V2R1
    • DISA Security Technical Implementation Guide (STIG) for Windows Server 2019 MS, V2R1
    • National Cybersecurity Authority – Critical Systems Cybersecurity Controls (CSCC–1:2019) for Microsoft Windows
    • National Cybersecurity Authority – Essential Cybersecurity Controls (ECC–1:2018) for Microsoft Windows
    • NIST 800-53 Rev 4 for Microsoft Windows
    • NIST 800-53 Rev 5 for Microsoft Windows
    • United States Government Configuration Baseline (USGCB) for Microsoft Windows 10
    • CIS Microsoft Windows Server 2016 STIG Benchmark, v1.0.0
    • CIS Microsoft Windows Server 2019 STIG Benchmark, v1.0.1
    • United States Government Configuration Baseline (USGCB) for Microsoft Windows 7
  • Policy update for configuration changes in controls 17163 and 17164:
    • CIS Benchmark for Red Hat Enterprise Linux 8, v1.0.1
  • Policy update to add the ‘Ransomware’ label and to add Best Practice controls:
    • Best Practice Controls for Malware/Ransomware Prevention
  • Policy update to replace CID 3181 with CID 22156:
    • DISA Security Technical Implementation Guide (STIG) for Canonical Ubuntu 20.04 LTS, V1R1
    • DISA Security Technical Implementation Guide (STIG) for Ubuntu 18, V2R2

Coming Next Month

The following policies and updates are currently planned for release to the policy library next month:

New Coverage:

  • CIS Benchmark for Cisco ASA 9.x Firewall v1.0.0
  • CIS Benchmark for Ubuntu Linux 20.04 LTS v1.0.0
  • CIS Benchmark for SUSE Linux Enterprise 12 Benchmark v3.0.0
  • CRI Cyber Profile for Databases
  • CRI Cyber Profile for Linux
  • CMMC policy for Network Devices
  • DISA Cisco IOS XR, NDM and RTR Ver 1 Rel 4
  • DISA Security Technical Implementation Guide (STIG) for A10 NDM – Ver 1, Rel1 and ALG Ver2, Rel1
  • DISA Security Technical Implementation Guide (STIG) for Apache Tomcat Application Server 9 STIG – Ver 2, Rel 2
  • DISA Security Technical Implementation Guide (STIG) for Docker Enterprise 2.x Linux/UNIX – Ver 2, Rel 1
  • Microsoft Office System 2016 STIG – Ver 2, Rel 1
  • Mozilla Firefox STIG – Ver 5, Rel 2
  • Palo Alto Networks STIG
  • Qualys Security Configuration and Compliance Policy for Huawei Devices – VRP OS 5.x & 8.x
  • Security Configuration and Compliance Policy for Azure Microsoft SQL Server 2014
  • Security Configuration and Compliance Policy for CentOS Stream 8
  • Security Configuration and Compliance Policy for Qualys Cloud Agent
  • Security Configuration and Compliance Policy for IBM DB2 z/OS 11.x and IBM DB2 z/OS 12.x

If you have any questions, please contact your TAM or Technical Support. See all library updates.
