Policy Compliance Library Updates, March 2025 

Vaishali Kulkarni

Qualys’ library of built-in policies makes it easy to comply with the most widely used security standards and regulations. Qualys provides a wide range of policies, including many that have been certified by CIS, as well as policies based on security guidelines from OS and application vendors and other industry best practices.

Qualys’ Certification Page at CIS has been updated.  

CIS Benchmark Policies

Center for Internet Security (CIS) Benchmark policies are technical guidelines that help organizations improve their cybersecurity posture by aligning with recommended secure configurations. Following these industry best practices reduces the risk of cyberattacks such as data breaches.

DISA STIG Policies

STIG stands for Security Technical Implementation Guide, a set of cybersecurity guidelines published by the Defense Information Systems Agency (DISA). STIGs equip organizations with the necessary tools to adhere to rules, regulations, best practices, and federal laws, facilitating compliance and bolstering cybersecurity measures.

Qualys Policies

Qualys oversees the discovery and resolution of technical issues while implementing robust policy frameworks. Researchers within Qualys actively identify cybersecurity misconfigurations and enact technical policies to fortify systems and safeguard against potential threats.

Safeguard Computer Security Evaluation Matrix (SCSEM)

An SCSEM typically comprises a structured set of criteria, guidelines, and metrics designed to measure various aspects of security, such as confidentiality, integrity, availability, and compliance.

Compliance Standards

Compliance standards are regulatory frameworks safeguarding sensitive data and ensuring privacy and security. They offer guidelines and best practices for organizations to achieve compliance and mitigate risks in handling sensitive information.

New Policies/Mandates 

Listed below is the number of policies and mandates deployed in March 2025:

CIS Benchmark Policies 9
DISA STIG Policy 31
Industry Best Practices Policy 2
New Supported Mandates 2
Deprecated Mandates 

Listed below are the newly published policies and mandates:  

CIS Benchmark Policies

• CIS Benchmark for Apache Tomcat 10.1, v1.1.0
• CIS Benchmark for MariaDB 10.11, v1.0.0
• CIS Benchmark for MariaDB 10.6, v1.1.0
• CIS Benchmark for Kubernetes, v1.10.0
• CIS Benchmark for Microsoft Windows Server 2016 STIG, v3.0.0
• CIS Benchmark for SUSE Linux Enterprise 15.x, v2.0.0
• CIS Benchmark for Oracle MySQL Community Server 8.4, v1.0.0 
• CIS Benchmark for Oracle MySQL Enterprise Edition 8.4, v1.0.0
• CIS Benchmark for Rocky Linux 9, v2.0.0

DISA STIG Policies

• DISA Security Technical Implementation Guide (STIG) for VMware vSphere 8.0 Virtual Machine, V2R1
• DISA Security Technical Implementation Guide (STIG) for VMware vSphere ESXi 8.0, V2R2
• DISA Security Technical Implementation Guide (STIG) for SUSE Linux Enterprise 12.x, V3R2
• DISA Security Technical Implementation Guide (STIG) for Juniper SRX SG NDM, V3R3
• DISA Security Technical Implementation Guide (STIG) for Juniper Router RTR, V3R2
• DISA Security Technical Implementation Guide (STIG) for Apache 2.4 Server for Windows, V3R2
• DISA Security Technical Implementation Guide (STIG) for MariaDB 10.x, V2R3
• DISA Security Technical Implementation Guide (STIG) for Palo Alto Networks ALG, V3R3
• DISA Security Technical Implementation Guide (STIG) for Palo Alto Networks IDPS, V3R2
• DISA Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 8, V2R2
• DISA Security Technical Implementation Guide (STIG) for SUSE Linux Enterprise 15.x, V2R3
• DISA Security Technical Implementation Guide (STIG) for Microsoft Windows Server 2022 MS, V2R3
• DISA Security Technical Implementation Guide (STIG) for Microsoft DotNet Framework 4.0, V2R5 
• DISA Security Technical Implementation Guide (STIG) for Microsoft Windows Server 2019 MS, V3R3
• DISA Security Technical Implementation Guide (STIG) for Microsoft Office System 2016, V2R4
• DISA Security Technical Implementation Guide (STIG) for Microsoft Exchange 2016 Edge Transport Server, V2R6
• DISA Security Technical Implementation Guide (STIG) for Solaris 11 X86, V3R2
• DISA Security Technical Implementation Guide (STIG) for Microsoft SQL Server 2016 Instance, V3R3
• DISA Security Technical Implementation Guide (STIG) for Microsoft Office 365 ProPlus, V3R2
• DISA Security Technical Implementation Guide (STIG) for Microsoft SharePoint 2013, V2R4
• DISA Security Technical Implementation Guide (STIG) for Cisco IOS XE Router NDM, V3R3
• DISA Security Technical Implementation Guide (STIG) for Cisco IOS XE Router RTR, V3R3
• DISA Security Technical Implementation Guide (STIG) for Cisco IOS Router NDM, V3R3
• DISA Security Technical Implementation Guide (STIG) for Cisco IOS Router RTR, V3R3
• DISA Security Technical Implementation Guide (STIG) for Microsoft Windows Server 2022 DC, V2R3
• DISA Security Technical Implementation Guide (STIG) for Microsoft Windows Server 2019 DC, V3R3
• DISA Security Technical Implementation Guide (STIG) for Apache 2.4 Site for UNIX, V2R5
• DISA Security Technical Implementation Guide (STIG) for Cisco NX-OS Switch RTR, V3R3
• DISA Security Technical Implementation Guide (STIG) for VMWare vSphere vCenter Server 8, V2R2
• DISA Security Technical Implementation Guide (STIG) for Solaris 11 SPARC, V3R2
• DISA Security Technical Implementation Guide (STIG) for Cisco IOS Switch NDM, V3R3

Industry and Best Practices Policies

• Security Configuration and Compliance Policy for Apache Tomcat 11.x
• Security Configuration and Compliance Policy for Huawei VRP OS 8.x

New Supported Mandates

• Cybersecurity and Cyber Resilience Framework (CSCRF)
• Cyber Essentials: Requirements for IT Infrastructure via SCF

Deprecated Mandates

Deprecated Policies 

  • DISA Security Technical Implementation Guide (STIG) for VMware vSphere 8.0 Virtual Machine, V1R1
  • DISA Security Technical Implementation Guide (STIG) for VMware vSphere ESXi 8.0, V1R1
  • DISA Security Technical Implementation Guide (STIG) for SUSE Linux Enterprise 12.x, V2R13
  • DISA Security Technical Implementation Guide (STIG) for Juniper SRX SG NDM, V3R1
  • DISA Security Technical Implementation Guide (STIG) for Juniper SRX SG NDM, V2R1
  • DISA Security Technical Implementation Guide (STIG) for Juniper Router RTR, V3R1
  • DISA Security Technical Implementation Guide (STIG) for Apache 2.4 Server for Windows, V3R1
  • DISA Security Technical Implementation Guide (STIG) for MariaDB 10.x, V2R2
  • DISA Security Technical Implementation Guide (STIG) for Palo Alto Networks ALG, V3R2
  • DISA Security Technical Implementation Guide (STIG) for Palo Alto Networks IDPS, V3R1
  • DISA Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 8, V2R1
  • DISA Security Technical Implementation Guide (STIG) for SUSE Linux Enterprise 15.x, V2R1
  • DISA Security Technical Implementation Guide (STIG) for Microsoft Windows Server 2022 DC, V2R2
  • DISA Security Technical Implementation Guide (STIG) for Microsoft DotNet Framework 4.0, V2R2
  • DISA Security Technical Implementation Guide (STIG) for Microsoft Windows Server 2019 MS, V3R1
  • DISA Security Technical Implementation Guide (STIG) for Microsoft Office System 2016, V2R3
  • DISA Security Technical Implementation Guide (STIG) for Microsoft Exchange 2016 Edge Transport Server, V2R5
  • DISA Security Technical Implementation Guide (STIG) for Solaris 11 SPARC, V3R1
  • DISA Security Technical Implementation Guide (STIG) for Solaris 11 X86, V3R1
  • DISA Security Technical Implementation Guide (STIG) for Microsoft SQL Server 2016 Instance, V3R2
  • DISA Security Technical Implementation Guide (STIG) for Microsoft Office 365 ProPlus, V3R1
  • DISA Security Technical Implementation Guide (STIG) for Microsoft SharePoint 2013, V2R3
  • DISA Security Technical Implementation Guide (STIG) for Cisco IOS XE Router NDM, V3R2
  • DISA Security Technical Implementation Guide (STIG) for Cisco IOS XE Router RTR, V3R2
  • DISA Security Technical Implementation Guide (STIG) for Cisco IOS Router NDM, V3R2
  • DISA Security Technical Implementation Guide (STIG) for Cisco IOS Router RTR, V3R2
  • DISA Security Technical Implementation Guide (STIG) for Microsoft Windows Server 2022 DC, V2R2
  • DISA Security Technical Implementation Guide (STIG) for Microsoft Windows Server 2019 DC, V3R1
  • CIS Benchmark for MariaDB 10.6, v1.0.0 
  • CIS Benchmark for MariaDB 10.6, v1.0.0 MariaDB RDBMS 
  • CIS Kubernetes Benchmark, v1.9.0 
  • CIS Kubernetes Benchmark, v1.8.0 
  • CIS Benchmark for Microsoft Windows Server 2016 STIG, v2.0.0 
  • CIS Benchmark for Rocky Linux 9, v1.0.0
  • DISA Security Technical Implementation Guide (STIG) for Cisco NX-OS Switch RTR, V3R2
  • DISA Security Technical Implementation Guide (STIG) for Apache 2.4 Site for UNIX, V2R4
  • CIS Benchmark for SUSE Linux Enterprise 15.x, v1.1.1
  • DISA Security Technical Implementation Guide (STIG) for Cisco IOS Switch NDM, V3R2
  • DISA Security Technical Implementation Guide (STIG) for VMWare vSphere vCenter Server 8, V1R1

Policy Updates 

We have updated your Policy Library. The following policies and mandates have been re-released as part of our customer CRM.

Policy | Update
CIS Benchmark for Microsoft IIS 10, v1.2.1 | Policy re-release for CIS Benchmark for Microsoft IIS 10, v1.2.1 to update CID 10753.
CIS Benchmark for Fortigate 7.0.x, v1.3.0 | Policy re-release for CIS Benchmark for Fortigate 7.0.x, v1.3.0 policy.
National Cybersecurity Authority – Critical Systems Cybersecurity Controls (CSCC–1:2019) for Microsoft Windows | Policy re-release for National Cybersecurity Authority – Critical Systems Cybersecurity Controls (CSCC–1:2019) for Microsoft Windows.
National Cybersecurity Authority – Essential Cybersecurity Controls (ECC–1:2018) for Microsoft Windows | Policy re-release for National Cybersecurity Authority – Essential Cybersecurity Controls (ECC–1:2018) for Microsoft Windows.
Compensatory Controls for CVEs | Policy re-release for Compensatory Controls for CVEs.
CIS Benchmark for CentOS Linux 7, v4.0.0 | Policy re-release for CIS Benchmark for CentOS Linux 7, v4.0.0 to replace CID 10823 with 30006.
CIS Benchmark for Ubuntu Linux 24.04 LTS, v1.0.0 | Re-release for CIS Benchmark for Ubuntu Linux 24.04 LTS, v1.0.0.
CIS Benchmark for Microsoft Windows Server 2022 DC, v3.0.0, Spanish | Re-release for CIS Benchmark for Microsoft Windows Server 2022 DC, v3.0.0, Spanish.
CIS Benchmark for Microsoft Windows Server 2022 MS, v3.0.0, Spanish | Re-release for CIS Benchmark for Microsoft Windows Server 2022 MS, v3.0.0, Spanish.
CIS Benchmark for Microsoft Windows 11 Enterprise, v3.0.0 | Re-release for CIS Benchmark for Microsoft Windows 11 Enterprise, v3.0.0.
CIS Benchmark for Amazon Linux 2023, v1.0.0 | Re-release for CIS Benchmark for Amazon Linux 2023, v1.0.0 to:
• Update CID 3868
• Update the regular expressions for CID 10860, 2278, 17275, 27525, 3221, 21451, 21452
• Replace 21246 and 9319 with 29256
CIS Benchmark for SUSE Linux Enterprise 12.x, v3.1.0 | Re-release for CIS Benchmark for SUSE Linux Enterprise 12.x, v3.1.0 to update the fixes.
CIS Benchmark for Juniper OS, v2.1.0 | Re-release for CIS Benchmark for Juniper OS, v2.1.0 to change the regular expression in the policy for CID 8461.
CIS Benchmark for Debian Linux 11, v1.0.0 | Re-release for CIS Benchmark for Debian Linux 11, v1.0.0 to update the regular expression for CID 3376, 5222, 22973.
CIS Benchmark for Debian Linux 12, v1.1.0 | Re-release for CIS Benchmark for Debian Linux 12, v1.1.0 to update the regular expression for CID 5222, 22973.
CIS Benchmark for Amazon Linux 2, v3.0.0 | CIS Benchmark for Amazon Linux 2, v3.0.0 to enable the regular expressions for CID 1295, 12757, 20633, 14598, 14608, 14609 and 1202.
CIS Benchmark for Red Hat Enterprise Linux 8, v3.0.0 | Re-release for CIS Benchmark for Red Hat Enterprise Linux 8, v3.0.0 to update the regular expressions for CID 26649.
CIS Benchmark for Cisco IOS XE 17.x, v2.1.0 | Re-release for CIS Benchmark for Cisco IOS XE 17.x, v2.1.0.
CIS Benchmark for Microsoft SQL Server 2022, v1.1.0 | Re-release for CIS Benchmark for Microsoft SQL Server 2022, v1.1.0 to change the regular expression of 27017.
DISA Security Technical Implementation Guide (STIG) for Solaris 11 SPARC, V3R2 | Re-release for DISA Security Technical Implementation Guide (STIG) for Solaris 11 SPARC, V3R2 to update the NL value for CID 29141.
CIS Benchmark for Apple macOS 15 Sequoia v1.0.0 | Re-release for CIS Benchmark for Apple macOS 15 Sequoia v1.0.0 to update the fixes.
CIS Benchmark for Microsoft Windows Server 2019, v3.0.0 | Re-release for CIS Benchmark for Microsoft Windows Server 2019, v3.0.0.
CIS Benchmark for IBM DB2 11.x, v1.1.0 | Re-release for CIS Benchmark for IBM DB2 11.x, v1.1.0 to change the regular expression value of 4675.
CIS Benchmark for SUSE Linux Enterprise 15.x, v1.1.1 | Re-release for CIS Benchmark for SUSE Linux Enterprise 15.x, v1.1.1 to update the CIDs 17128, 9334, 11726, 17129, 17130.
CIS Benchmark for Apache Cassandra 4.0, v1.2.0 | Re-release for CIS Benchmark for Apache Cassandra 4.0, v1.2.0 policies.

Proposed Upcoming Policies

  We plan to release the following policies and updates next month: 

  • CIS Ubuntu Linux 20.04 LTS STIG Benchmark v2.0.0
  • CIS Ubuntu Linux 18.04 LTS Benchmark v2.2.0
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark, v1.6.0
  • CIS Oracle Cloud Infrastructure Container Engine for Kubernetes(OKE) Benchmark, v1.6.0
  • CIS Red Hat OpenShift Container Platform Benchmark v1.7.0
  • CIS AlmaLinux OS 9 Benchmark v2.0.0
  • CIS NGINX Benchmark v2.1.0
  • DISA Security Technical Implementation Guide (STIG) for Apple macOS 12 (Monterey), V1R8
  • CIS IBM i V7R4M0 Benchmark v2.0.0
  • CIS SUSE Linux Enterprise 12 Benchmark v3.2.0
  • CIS Azure Kubernetes Service (AKS) Benchmark v1.6.0
  • CIS Google Kubernetes Engine (GKE) Benchmark v1.7.0
  • DISA Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 9, V2R3
  • DISA Security Technical Implementation Guide (STIG) for VMware vSphere ESXi 7.0, V1R3
  • CIS Google Kubernetes Engine (GKE) Benchmark, v1.7.0
  • CIS Red Hat Enterprise Linux 8 STIG Benchmark, v2.0.0
  • CIS FreeBSD 14 Benchmark, v1.0.1
  • CIS Oracle MySQL Enterprise Edition 8.0 Benchmark v1.4.0
  • CIS Oracle MySQL Community Server 8.0 Benchmark v1.1.0
  • CIS and DISA policy with IBM WebSphere Liberty 24.x
  • CIS Benchmark for Red Hat Enterprise Linux 7, v4.0.0
  • DISA Security Technical Implementation Guide (STIG) for Redis Enterprise 6.x, V2R2
  • DISA Security Technical Implementation Guide (STIG) for Apple macOS 14 (Sonoma) STIG, Ver 2, Rel 3
  • DISA Security Technical Implementation Guide (STIG) for Microsoft Exchange 2019 STIG Edge server, V2R2
  • DISA Security Technical Implementation Guide (STIG) for Microsoft Exchange 2019 STIG Mailbox Server, V2R2
  • CIS Apache Tomcat 11 Benchmark, v1.0.0
  • CIS Benchmark for Microsoft Windows Server 2019, 3.0.1
  • CIS Benchmark for Microsoft Windows Server 2008 non-R2 DC, v3.3.0, Spanish
  • CIS Benchmark for Microsoft Windows Server 2008 non-R2 MS, v3.3.0, Spanish
  • CIS Benchmark for Microsoft Windows Server 2012 non-R2 DC, v3.0.0, Spanish
  • CIS Benchmark for Microsoft Windows Server 2012 non-R2 MS, v3.0.0, Spanish
  • CIS Benchmark for Microsoft Windows Server 2016 DC, v3.0.0, Spanish
  • CIS Benchmark for Microsoft Windows Server 2016 MS, v3.0.0, Spanish
  • CIS Benchmark for Microsoft Windows Server 2012 R2 DC, v3.0.0, Spanish
  • CIS Benchmark for Microsoft Windows Server 2012 R2 MS, v3.0.0, Spanish
  • Security Configuration & Compliance Policy for Nokia SROS
  • CIS Benchmark for Microsoft Windows Server 2025 V1.0.0
  • DISA Security Technical Implementation Guide (STIG) for Oracle Database 12c, V3R3
  • CIS Benchmark for CentOS Linux 7, v4.0.0
  • Safeguards Apache 2.4 Audit File
  • DISA Security Technical Implementation Guide (STIG) for Canonical Ubuntu 22.04 LTS STIG, Ver 2, Rel 3
  • Minor updates to the cover page of CIS/DISA policies (no impact on control evaluation or policy regex)

Learn More 

Discover how Qualys Enterprise TruRisk Platform can help you reduce cyber risk and improve business outcomes through precise remediation activities. Learn more here.  

Additional Information 

Feel free to contact your TAM or Qualys Technical Support if you have questions. 

Find all policy library updates here

Check out Qualys’ updated Certification Page at CIS here.
