Policy Compliance Library Updates, April 2026
Qualys’ library of built-in policies makes it easy to comply with widely adopted security standards and regulations. The platform offers a broad range of policies, including many that have been certified by the Center for Internet Security (CIS), as well as security guidelines and industry best practices from operating system and application vendors.
Qualys’ Certification Page on the CIS website has also been updated.
CIS Benchmark Policies
Center for Internet Security (CIS) Benchmark policies are technical guidelines for organizations to improve their cybersecurity posture by aligning with recommended secure configurations. By leveraging industry best practices, these guidelines help reduce the risk of cyberattacks, such as data breaches.
DISA STIG Policies
STIG stands for Security Technical Implementation Guide, which is a set of cybersecurity guidelines published by the Defense Information Systems Agency (DISA). These guidelines equip organizations with the tools to comply with rules, regulations, best practices, and federal laws, facilitating compliance and bolstering cybersecurity measures.
Qualys Policies
Qualys oversees the discovery and resolution of technical issues while implementing robust policy frameworks. Researchers within Qualys actively identify cybersecurity misconfigurations and enact technical policies to fortify systems and safeguard against potential threats.
Safeguard Computer Security Evaluation Matrix (SCSEM)
It typically comprises a structured set of criteria, guidelines, and metrics to measure security aspects such as confidentiality, integrity, availability, and compliance.
Compliance Standards
Compliance standards are regulatory frameworks that safeguard sensitive data and help ensure privacy and security. They offer guidelines and best practices for organizations to achieve compliance and mitigate risks in handling sensitive information.
Introducing CIS STIG Policies in the Policy Audit
We are pleased to announce the introduction of CIS STIG labels within the Policy Audit (PA) Policy Library. This update expands the benchmark coverage available to Policy Audit customers by surfacing CIS-released STIG-aligned benchmarks directly within the module, making it significantly easier to identify, apply, and audit against them. These benchmarks are functionally equivalent to DISA STIG benchmarks and differ only in layout and presentation format, not in controls, checks, or remediation guidance. CIS has confirmed this equivalence on their official community page.
As acknowledged by CIS on their community page, the CIS STIG Benchmarks are substantively identical to their DISA counterparts across all security dimensions:
- Security controls and requirements
- Compliance checks and test procedures
- Remediation and hardening guidance
- Presentation format is the only difference: it follows the CIS-defined document structure
New Policies/Mandates
Listed below is the number of policies and mandates deployed in April 2026:
| CIS Benchmark Policies | 3 |
| DISA STIG Policy | 15 |
| CIS STIG Benchmark | 3 |
| Industry Best Practices Policy | 12 |
| New Supported Mandates | 0 |
| Deprecated Mandates | 0 |
Listed below are the newly published policies and mandates:
| CIS Benchmark Policies | CIS NGINX Benchmark, v3.0.0 |
| | CIS Intune Windows 10, v4.0.0 – Spanish Policy |
| | CIS Intune Windows 11, v4.0.0 – Spanish Policy |
| DISA STIG Policies | DISA Security Technical Implementation Guide (STIG) for Cisco IOS Router NDM, V3R6 |
| | DISA Security Technical Implementation Guide (STIG) for Cisco IOS XE Router NDM, V3R6 |
| | DISA Security Technical Implementation Guide (STIG) for Cisco IOS Switch NDM, V3R6 |
| | DISA Security Technical Implementation Guide (STIG) for Ubuntu 20.04 LTS STIG V2R4 |
| | DISA Security Technical Implementation Guide (STIG) for SUSE Linux Enterprise 15.x, V2R6 |
| | DISA Security Technical Implementation Guide (STIG) for Oracle Enterprise Linux 7, V3R5 |
| | DISA Security Technical Implementation Guide (STIG) for Ubuntu 22.04 LTS, V2R7 |
| | DISA Security Technical Implementation Guide (STIG) for Apple MacOS 15 (Sequoia) STIG – Ver 1, Rel |
| | DISA Security Technical Implementation Guide (STIG) for Oracle Linux 8 STIG – Ver 2, Rel 7 |
| | DISA Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 8 STIG – Ver 2, Rel |
| | DISA Security Technical Implementation Guide (STIG) for Microsoft Windows Server 2019 STIG – Ver 3, Rel 7 |
| | DISA Security Technical Implementation Guide (STIG) for Microsoft Windows Server 2022 STIG – Ver 2, Rel 7 |
| | DISA Security Technical Implementation Guide (STIG) for Microsoft Office 365 ProPlus STIG – Ver 3, Rel 5 |
| | DISA Security Technical Implementation Guide (STIG) for Cisco NX OS Switch STIG – NDM V3R6 |
| | DISA Security Technical Implementation Guide (STIG) for Apache Tomcat Application Server 9 STIG – Ver 3, Rel 3 |
| CIS STIG Benchmark | CIS Arista MLS EOS 4.X NDM STIG Benchmark, v1.0.0 |
| | CIS Arista MLS EOS 4.X Router STIG Benchmark, v1.0.0 |
| | CIS Arista MLS EOS 4.X L2S STIG Benchmark, v1.0.0 |
| Industry and Best Practices Policies | Security Configuration and Compliance Policy for Neo4j 4.x |
| | Safeguard Computer Security Evaluation Matrix for Red Hat Enterprise Linux 8, v7.0 |
| | Safeguard Computer Security Evaluation Matrix for Red Hat Enterprise Linux 7, v7.0 |
| | Security Configuration and Compliance Policy for Neo4j 5.x |
| | Security Configuration and Compliance Policy Microsoft Word for MacOS |
| | Security Configuration and Compliance Policy Microsoft PowerPoint for MacOS |
| | Security Configuration and Compliance Policy for Oracle Linux Virtualization Manager 4.x |
| | Security Configuration and Compliance Policy for HP ILO 4.x |
| | Security Configuration and Compliance Policy for HP ILO 5.x |
| | Security Configuration and Compliance Policy for HP ILO 6.x |
| | Security Configuration and Compliance Policy for Dell EMC Networking OS 10.x |
| | Security Configuration and Compliance Policy for Tomcat v10 for Windows |
| New Supported Mandates | NA |
| Deprecated Mandates | NA |
Policy Updates
We have updated your Policy Library. The following policies and mandates have been reissued in our customer CRM.
| Policy | Update |
| DISA Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 8, V2R4 | Re-release for DISA Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 8, V2R4, to update the regular expressions for CID 28677, 28678, and 30383 |
| CIS Benchmark for Oracle Linux 7, v4.0.0 | Re-release for CIS Benchmark for Oracle Linux 7, v4.0.0, to update the regular expressions for CID 11413, 7445, and 16066 |
| CIS Benchmark for F5 Networks, v1.0.0 | Re-release for CIS Benchmark for F5 Networks, v1.0.0, to fix the newly created control CID 32020 |
| CIS Benchmark for Microsoft Windows Server 2019, v4.0.0 | Re-release for CIS Benchmark for Microsoft Windows Server 2019, v4.0.0, to update the regular expressions for CID 2200 |
| CIS Benchmark for AlmaLinux OS 10, v1.0.0 | Re-release for CIS Benchmark for AlmaLinux OS 10, v1.0.0, to update the regular expressions for CID 10666 |
| CIS Benchmark for Oracle Linux 10, v1.0.0 | Re-release for CIS Benchmark for Oracle Linux 10, v1.0.0, to update the regular expressions for CID 10666 |
| CIS Benchmark for Red Hat Enterprise Linux 10, v1.0.1 | Re-release for CIS Benchmark for Red Hat Enterprise Linux 10, v1.0.1, to update the regular expressions for CID 10666 |
| CIS Benchmark for Rocky Linux 10, v1.0.0 | Re-release for CIS Benchmark for Rocky Linux 10, v1.0.0, to update the regular expressions for CID 10666 |
| CIS Benchmark for Debian Linux 11, v2.0.0 | Re-release for CIS Benchmark for Debian Linux 11, v2.0.0, to update the section name |
| CIS Benchmark for Debian Linux 12, v1.1.0 | Re-release for CIS Benchmark for Debian Linux 12, v1.1.0, v2.0.0, to update the section name |
| CIS FortiGate 7.4.x Benchmark, 1.0.1 | Re-release for CIS FortiGate 7.4.x Benchmark, 1.0.1, to add new controls |
| CIS Benchmark for IBM i V7R4M0, v2.1.0 | Re-release for CIS Benchmark for IBM i V7R4M0, v2.1.0, to correct CID 27715 |
| CIS Benchmark for FortiGate 7.0.x, v1.4.0 | Re-release for CIS Benchmark for FortiGate 7.0.x, v1.4.0, to update the regular expression of CID 27165 |
| CIS Benchmark for Bottlerocket Benchmark, v1.0.0 | Re-release for CIS Benchmark for Bottlerocket Benchmark, v1.0.0, to update the regular expressions of CID 9700, 9711, 14402, 14401, and 10665 |
| CIS Red Hat Enterprise Linux 10 v1.0.1 | Re-release for CIS Red Hat Enterprise Linux 10 v1.0.1, to update the criticality for CID 9348 |
| Security Configuration and Compliance Policy for HP ILO 4.x | Re-release for Security Configuration and Compliance Policy for HP ILO 4.x, to update the regular expression of CID 30069 |
| Security Configuration and Compliance Policy for HP ILO 5.x | Re-release for Security Configuration and Compliance Policy for HP ILO 5.x, to update the regular expression of CID 30069 |
| Security Configuration and Compliance Policy for HP ILO 6.x | Re-release for Security Configuration and Compliance Policy for HP ILO 6.x, to update the regular expression of CID 30069 |
| CIS IBM AIX 7 Benchmark, v1.1.0 | Re-release for CIS IBM AIX 7 Benchmark, v1.1.0, to update the cardinality in the policy for CID 15981 |
| CIS Benchmark for Oracle MySQL Community Server 5.6, v2.0.0 MySQL RDBMS on Linux and MySQL RDBMS | Re-release for CIS Benchmark for Oracle MySQL Community Server 5.6, v2.0.0 MySQL RDBMS on Linux, and MySQL RDBMS to update the cover page |
| CIS Benchmark for Oracle MySQL Enterprise Edition 5.6, v2.0.0 MySQL RDBMS on Linux and MySQL RDBMS | Re-release for CIS Benchmark for Oracle MySQL Enterprise Edition 5.6, v2.0.0 MySQL RDBMS on Linux, and MySQL RDBMS to update the cover page |
| CIS Benchmark for Oracle MySQL Community Server 5.7, v2.0.0 MySQL RDBMS on Linux | Re-release for CIS Benchmark for Oracle MySQL Community Server 5.7, v2.0.0 MySQL RDBMS on Linux to update the cover page |
| CIS Benchmark for Oracle MySQL Enterprise Edition 5.7, v2.0.0 MySQL RDBMS on Linux and MySQL RDBMS | Re-release for CIS Benchmark for Oracle MySQL Enterprise Edition 5.7, v2.0.0 MySQL RDBMS on Linux, and MySQL RDBMS to update the cover page |
| CIS Benchmark for Red Hat Enterprise Linux 9, v2.0.0 | Re-release for CIS Benchmark for Red Hat Enterprise Linux 9, v2.0.0, to fix the CIDs 25372, 10155, 10156, and update the NL for CID 26773 |
Deprecated Policies
- Safeguard Computer Security Evaluation Matrix for Red Hat Enterprise Linux 8, v7.0
- Safeguard Computer Security Evaluation Matrix for Red Hat Enterprise Linux 7, v6.0
- DISA Security Technical Implementation Guide (STIG) for Cisco IOS Router NDM, V3R5
- DISA Security Technical Implementation Guide (STIG) for Cisco IOS XE Router NDM, V3R6
- DISA Security Technical Implementation Guide (STIG) for Cisco IOS Switch NDM, V3R6
- DISA Security Technical Implementation Guide (STIG) for Ubuntu 20.04 LTS STIG V2R3
- DISA Security Technical Implementation Guide (STIG) for SUSE Linux Enterprise 15.x, V2R5
- DISA Security Technical Implementation Guide (STIG) for Oracle Enterprise Linux 7, V3R3
- DISA Security Technical Implementation Guide (STIG) for Ubuntu 22.04 LTS, V2R5
- Security Configuration and Compliance Policy for HP ILO
- CIS Benchmark for NGINX v2.1.0
- DISA Security Technical Implementation Guide (STIG) for Cisco NX-OS Switch NDM, V3R4
- DISA Apache Tomcat Application Server 9 Security Technical Implementation Guide, V3R2
- DISA Security Technical Implementation Guide (STIG) for Apple MacOS 15 (Sequoia), V1R4
- DISA Security Technical Implementation Guide (STIG) for Oracle Enterprise Linux 8, V2R5
- DISA Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 8, V2R4
- DISA Security Technical Implementation Guide (STIG) for Microsoft Windows Server 2019, V3R5
- DISA Security Technical Implementation Guide (STIG) for Microsoft Windows Server 2022, V2R5
- DISA Security Technical Implementation Guide (STIG) for Microsoft Office 365 ProPlus, V3R3
Proposed Upcoming Policies
We plan to release the following policies and updates next month:
- CIS Alibaba Cloud Linux 3 Benchmark, v2.0.0
- Security Configuration and Compliance Policy for FortiManager 7.x
- Security Configuration and Compliance Policy for FortiAnalyzer 7.x
- CIS Microsoft Intune for Edge Benchmark v1.0.0
- DISA Security Technical Implementation Guide (STIG) for Cisco IOS Switch STIG – RTR V3R2
- DISA Security Technical Implementation Guide (STIG) for Amazon Linux 2023 STIG – Ver 1, Rel 2
- DISA Security Technical Implementation Guide (STIG) for Canonical Ubuntu 24.04 LTS STIG – Ver 1, Rel 4
- DISA Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 9 STIG – Ver 2, Rel 7
- DISA Security Technical Implementation Guide (STIG) for MongoDB Enterprise Advanced 8.x, V1R1
- Safeguard Computer Security Evaluation Matrix for Red Hat Enterprise Linux 9, v7.0
- CIS Microsoft Windows 11 Stand-alone Benchmark, v5.0.0
- CIS Microsoft Windows Server 2022 Stand-alone Benchmark, v2.0.0
- Safeguard Computer Security Evaluation Matrix for Palo Alto Firewall 10.x, 1.0
- Safeguard Computer Security Evaluation Matrix for Palo Alto Firewall 11.x, 1.0
What’s Next
Discover how Qualys Enterprise TruRisk™ Platform can help you reduce cyber risk and improve business outcomes through precise remediation activities.
Additional Information
Feel free to contact your Technical Account Manager (TAM) or Qualys Technical Support if you have any questions.