Policy Compliance Library Updates, March 2024

Kanchan Yewale

Qualys’ library of built-in policies makes it easy to comply with the most widely used security standards and regulations. Qualys provides a wide range of policies, including many certified by CIS, security guidelines from OS and application vendors, and other industry best practices.

Qualys’ Certification Page at CIS has been updated.  

CIS Benchmark Policies

Center for Internet Security (CIS) Benchmarks policies are technical guidelines for organizations to improve their cybersecurity posture by aligning with recommended secure configurations. This reduces the risk of cyberattacks like data breaches by leveraging industry best practices.

DISA STIG Policies

STIG stands for Security Technical Implementation Guide, a set of cybersecurity configuration guidelines published by the Defense Information Systems Agency (DISA). STIGs equip organizations with the tools needed to adhere to rules, regulations, best practices, and federal laws, facilitating compliance and strengthening their security posture.

Qualys Policies

Qualys oversees the discovery and resolution of technical issues while implementing robust policy frameworks. Qualys researchers actively identify cybersecurity misconfigurations and author technical policies to harden systems and safeguard against potential threats.

Safeguard Computer Security Evaluation Matrix (SCSEM)

An SCSEM typically comprises a structured set of criteria, guidelines, and metrics designed to measure various aspects of security, such as confidentiality, integrity, availability, and compliance.

Compliance Standards

Compliance standards are regulatory frameworks safeguarding sensitive data and ensuring privacy and security. They offer guidelines and best practices for organizations to achieve compliance and mitigate risks in handling sensitive information.

New Policies/Mandates

Listed below are the number of policies and mandates deployed in March 2024:

CIS Benchmark Policies: 21
DISA STIG Policies: 12
Industry Best Practices Policies:
Mandate Policies: 1
IRS SCSEM Policies: 2
New Supported Mandates: 2

Listed below are the newly published policies and mandates:

CIS Benchmark Policies
• CIS Benchmark for Bottlerocket Benchmark, v1.0.0.
• CIS IBM AIX 7.2 Benchmark, v1.1.0.
• CIS Kubernetes Benchmark, v1.8.0.
• CIS Benchmark for Alma Linux 8, v3.0.0.
• CIS Rocky Linux 8 Benchmark, v2.0.0.
• CIS Benchmark for Oracle MySQL Community Edition 8.0, v1.0.0 MySQL RDBMS on Linux and MySQL RDBMS.
• CIS Benchmark for Oracle MySQL Community Edition 8.0, v1.0.0 MySQL RDBMS.
• CIS Benchmark for Oracle MySQL Community Edition 8.0, v1.0.0 MySQL RDBMS on Linux.
• CIS Benchmark for Oracle MySQL Enterprise Edition 8.0, v1.3.0 MySQL RDBMS on Linux.
• CIS Benchmark for Oracle MySQL Enterprise Edition 8.0, v1.3.0 MySQL RDBMS.
• CIS Benchmark for Oracle MySQL Enterprise Edition 8.0, v1.3.0 MySQL RDBMS on Linux and MySQL RDBMS.
• CIS Benchmark for MongoDB 5, v1.2.0.
• CIS Benchmark for MongoDB 6, v1.1.0.
• CIS Benchmark for PostgreSQL 15, v1.1.0.
• CIS Benchmark for Microsoft Windows Server 2019 Stand-alone, v1.0.0.
• CIS Benchmark for Oracle Database 19c on Linux host, v1.2.0.
• CIS Benchmark for Oracle Database 19c on Windows host, v1.2.0.
• CIS Benchmark for Oracle Database 19c Multitenant on Linux host, v1.2.0.
• CIS Benchmark for Oracle Database 19c Multitenant on Windows host, v1.2.0.
• CIS Benchmark for Red Hat Enterprise Linux 7, v4.0.0.
• CIS Benchmark for Cisco NX-OS, v1.1.0.

DISA STIG Policies
• DISA Security Technical Implementation Guide (STIG) for NetApp ONTAP DSC 9.x, V1R3.
• DISA Microsoft OneDrive STIG, V2R3.
• DISA Microsoft DotNet Framework 4.0, V2R2.
• DISA Security Technical Implementation Guide (STIG) for VMware vSphere vCenter Server 7, V1R2.
• DISA Security Technical Implementation Guide (STIG) for Oracle Enterprise Linux 8, V1R9.
• DISA Security Technical Implementation Guide (STIG) for Oracle Enterprise Linux 7, V2R14.
• DISA Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 7, V3R14.
• DISA Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 8, V1R13.
• DISA Security Technical Implementation Guide (STIG) for SUSE Linux Enterprise 15.x, V1R12.
• DISA Security Technical Implementation Guide (STIG) for Ubuntu 18.04 LTS, V2R13.
• DISA Security Technical Implementation Guide (STIG) for Microsoft Windows Server 2022 MS, V1R4.
• DISA Security Technical Implementation Guide (STIG) for Microsoft Windows Server 2022 DC, V1R4.

IRS SCSEM Policies
• Safeguard Computer Security Evaluation Matrix for Microsoft Windows 10, v5.0.
• Safeguard Computer Security Evaluation Matrix for Microsoft Windows 11, v2.0.

Industry and Best Practices Policies
• Security Configuration and Compliance Policy for Microsemi SyncServer 5.x (OCA).
• Security Configuration and Compliance Policy for Arista MOS (OCA).
• Security Configuration and Compliance Policy for Microsoft CBL-Mariner 2.x.
• Security Configuration and Compliance Policy for Brocade Fabric 8.x (OCA).

Mandate Policies
• Microsoft Security Baseline for Windows 11 Version 23H2.

New Supported Mandates
• CSA 405(d) – Technical Volume 1: Cybersecurity Practices for Small Healthcare Organizations.
• CSA 405(d) – Technical Volume 2: Cybersecurity Practices for Medium and Large Healthcare Organizations.

Deprecated Policies

Listed below are the policies deprecated from your Policy Library:

Network Devices
• CIS Benchmark for Cisco NX-OS, v1.0.0.

Database
• CIS Benchmark for Oracle MySQL Enterprise Edition 8.0, v1.2.1 MySQL RDBMS on Linux and MySQL RDBMS.
• CIS Benchmark for Oracle MySQL Enterprise Edition 8.0, v1.2.1 MySQL RDBMS on Linux.
• CIS Benchmark for Oracle MySQL Enterprise Edition 8.0, v1.2.1 MySQL RDBMS.
• CIS Benchmark for MongoDB 5, v1.1.0.
• CIS Benchmark for MongoDB 6, v1.0.0.
• CIS Benchmark for Oracle Database 19c on Linux host, v1.1.0.
• CIS Benchmark for Oracle Database 19c on Windows host, v1.1.0.
• CIS Benchmark for Oracle Database 19c Multitenant on Linux host, v1.1.0.
• CIS Benchmark for Oracle Database 19c Multitenant on Windows host, v1.1.0.

Operating System
• CIS IBM AIX 7.2 Benchmark, v1.0.0.
• CIS Benchmark for Alma Linux 8, v2.0.0.
• CIS Benchmark for Rocky Linux 8, v1.0.0.
• CIS Benchmark for Red Hat Enterprise Linux 7, v3.1.1.
• DISA Security Technical Implementation Guide (STIG) for Oracle Enterprise Linux 8, V1R7.
• DISA Security Technical Implementation Guide (STIG) for Oracle Enterprise Linux 7, V2R12.
• DISA Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 7, V3R12.
• DISA Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 8, V1R11.
• DISA Security Technical Implementation Guide (STIG) for SUSE Linux Enterprise 15.x, V1R9.
• DISA Security Technical Implementation Guide (STIG) for Ubuntu 18.04 LTS, V2R10.
• DISA Security Technical Implementation Guide (STIG) for Microsoft Windows Server 2022 MS, V1R1.
• DISA Security Technical Implementation Guide (STIG) for Microsoft Windows Server 2022 DC, V1R1.

Application
• CIS Kubernetes Benchmark, v1.6.1.

Policy Updates

We have updated your Policy Library. The following policies and mandates have been re-released as part of our customer CRM.

Policy: Data type update for control 7820
Update: Policy re-release for the following affected policies:
– CIS Benchmark for Apache HTTP Server 2.4, v2.1.0.
– CIS Benchmark for Apache HTTP Server 2.2, v3.6.0.
– CIS Benchmark for Apache HTTP Server 2.4, v2.0.0.
– DISA Security Technical Implementation Guide (STIG) for Apache 2.2 Server for UNIX, V1R11.
– US Cybersecurity Maturity Model Certification (CMMC) v2.0, Level 1 for Applications.

Policy: Data type update for control 7821
Update: Policy re-release for the following affected policies:
– CIS Benchmark for Apache HTTP Server 2.4, v2.1.0.
– DISA Security Technical Implementation Guide (STIG) for Apache 2.2 Server for UNIX, V1R11.
– US Cybersecurity Maturity Model Certification (CMMC) v2.0, Level 1 for Applications.
– CIS Benchmark for Apache HTTP Server 2.4, v2.0.0.

Policy: CIS Benchmark for Fortigate, v1.1.0
Update: Policy re-release to fix regular expressions for CIDs in CIS Benchmark for Fortigate, v1.1.0.

Policy: CIS Benchmark for SUSE Linux Enterprise 15.x, v1.1.1
Update: Policy re-release to fix regular expressions for CIDs in CIS Benchmark for SUSE Linux Enterprise 15.x, v1.1.1.

Policy: CIDs in Red Hat Enterprise Linux 8, v3.0.0
Update: Policy re-release for a regular expression fix for multiple CIDs in Red Hat Enterprise Linux 8, v3.0.0.

Policy: CIDs in Oracle Linux 8, v3.0.0
Update: Policy re-release for a regular expression fix for multiple CIDs in Oracle Linux 8, v3.0.0.

Policy: Created separate Level 1 policy for Cisco IOS 17.x, v2.0.0
Update: Policy re-release for CIS Benchmark for Cisco IOS 17.x, v2.0.0.

Policy: CIS MacOS 14, v1.0.0
Update: Policy re-release to add CID 8925 for control 2.10.3 in CIS MacOS 14, v1.0.0.

Policy: CIS Benchmark for Microsoft Windows 10 Enterprise, v2.0.0
Update: Policy re-release for CIS Microsoft Windows 10 Enterprise Benchmark, v2.0.0.

CIS Controls Version 8 Mappings

While reviewing the CIS Controls version 8 mapping, we discovered an issue where inaccurate mappings are displayed alongside the correct mappings in the controls.

We are reviewing and updating the controls mapped for CIS Controls version 8, to ensure that only the accurate mappings are included under the controls.

Proposed Upcoming Policies

We plan to release the following policies and updates next month:

• CIS IBM i V7R4M0 Benchmark v1.0.0
• CIS Google Container-Optimized OS Benchmark v1.1.0
• Security configuration and compliance policy for Debian Linux 12
• CIS Debian Linux 11 STIG Benchmark v1.0.0
• CIS IBM Db2 11 Benchmark v1.1.0
• CIS Microsoft Windows Server 2012 non-R2 Benchmark v3.0.0
• CIS Apple macOS 12.0 Monterey v3.0.0
• CIS MongoDB 7 Benchmark v1.0.0
• CIS PostgreSQL 16 Benchmark v1.0.0
• DISA VMware vSphere 8.0 STIG ESXi_V1R1
• DISA SUSE Linux Enterprise Server 12 STIG – Ver 2, Rel 13
• DISA STIG for Apache 2.4 Server for UNIX V2R6 – Server
• DISA STIG PaloAlto Network ALG V2R4
• DISA Oracle MySQL 8.0 STIG – Ver 1, Rel 5
• ISC BIND DNS Server 9.x
• CIS Oracle Linux 7 Benchmark v4.0.0
• CIS Amazon Linux 2 Benchmark v3.0.0
• CIS Microsoft Windows 11 Enterprise Benchmark v3.0.0
• CIS Microsoft Intune for Windows 11 Benchmark v3.0.1
• CIS Microsoft Intune for Windows 10 Benchmark v3.0.1
• CIS Google Chrome Benchmark v3.0.0
• DISA VMware vSphere 8.0 STIG Virtual Machine V1R1
• Qualys S&C Policy for Aruba EdgeConnect OS 9.x

Learn More 

Discover how the Qualys Enterprise TruRisk Platform can help you reduce cyber risk and improve business outcomes through precise remediation activities. Learn more here.

Additional Information 

Feel free to contact your TAM or Qualys Technical Support if you have questions. 

Find all policy library updates here

Check out Qualys’ updated Certification Page at CIS here.
