Policy Compliance Library Updates, May 2026
Qualys’ library of built-in policies makes it easy to comply with widely adopted security standards and regulations. The platform offers a broad range of policies, including many that have been certified by the Center for Internet Security (CIS), as well as security guidelines and industry best practices from operating system and application vendors.
Qualys’ Certification Page on the CIS website has also been updated.
CIS Benchmark Policies
Center for Internet Security (CIS) Benchmark policies are technical guidelines for organizations to improve their cybersecurity posture by aligning with recommended secure configurations. By leveraging industry best practices, these guidelines help reduce the risk of cyberattacks, such as data breaches.
DISA STIG Policies
STIG stands for Security Technical Implementation Guide, which is a set of cybersecurity guidelines published by the Defense Information Systems Agency (DISA). These guidelines equip organizations with the tools to comply with rules, regulations, best practices, and federal laws, facilitating compliance and bolstering cybersecurity measures.
CIS STIG Policies
CIS STIG Benchmarks are secure configuration guidelines released by the Center for Internet Security (CIS) and derived directly from DISA Security Technical Implementation Guides (STIGs). They are functionally equivalent to DISA STIGs and differ only in formatting and presentation, not in security controls or remediation guidance.
Qualys Policies
Qualys oversees the discovery and resolution of technical issues while implementing robust policy frameworks. Researchers within Qualys actively identify cybersecurity misconfigurations and enact technical policies to fortify systems and safeguard against potential threats.
Safeguard Computer Security Evaluation Matrix (SCSEM)
An SCSEM typically comprises a structured set of criteria, guidelines, and metrics designed to measure various aspects of security, such as confidentiality, integrity, availability, and compliance.
Compliance Standards
Compliance standards are regulatory frameworks that safeguard sensitive data and help ensure privacy and security. They offer guidelines and best practices for organizations to achieve compliance and mitigate risks in handling sensitive information.
New Policies/Mandates
Listed below is the number of policies and mandates deployed in May 2026:
| CIS Benchmark Policies | 7 |
| DISA STIG Policy | 6 |
| CIS STIG Benchmark | 8 |
| Industry Best Practices Policy | 5 |
| New Supported Mandates | 3 |
| Deprecated Mandates | 0 |
Listed below are the newly published policies and mandates:
| CIS Benchmark Policies | CIS Alibaba Cloud Linux 3 Benchmark, v2.0.0; CIS Benchmark for Microsoft Windows Server 2022 Stand-alone, v2.0.0; CIS Kubernetes Benchmark v2.0.0; CIS Microsoft Defender Antivirus Benchmark, v1.0.0; CIS Microsoft Windows 11 Stand-alone Benchmark, v5.0.0; CIS VMware ESXi 8.0 Benchmark, v1.3.0; CIS Benchmark for Oracle Solaris 10, v5.2.0 |
| DISA STIG Policies | DISA Security Technical Implementation Guide (STIG) for Cisco IOS Switch RTR, V3R2; DISA Security Technical Implementation Guide (STIG) for Amazon Linux 2023, V1R2; DISA Security Technical Implementation Guide (STIG) for Ubuntu 24.04 LTS, V1R4; DISA Security Technical Implementation Guide (STIG) for MongoDB Enterprise Advanced 8.x, V1R1; DISA Security Technical Implementation Guide (STIG) for Microsoft Windows Server 2025, V1R1; DISA Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 9, V2R7 |
| CIS STIG Benchmark | CIS MariaDB Enterprise 10.x STIG Benchmark, v1.0.0; CIS Oracle Database 19c STIG Benchmark, v1.1.0; CIS Apache Server 2.4 UNIX Server STIG Benchmark, v1.0.0; CIS MS SQL Server 2016 Instance STIG Benchmark, v1.0.0; CIS MS SQL Server 2016 Database STIG Benchmark, v1.0.0; CIS Oracle Database 12c STIG Benchmark, v1.0.0; CIS Microsoft SQL Server 2022 Database STIG Benchmark, v1.0.0; CIS Mozilla Firefox STIG Benchmark, v1.1.0 |
| Industry and Best Practices Policies | Security Configuration and Compliance Policy for FortiManager 7.x; Security Configuration and Compliance Policy for FortiAnalyzer 7.x; Safeguard Computer Security Evaluation Matrix for Red Hat Enterprise Linux 9, v7.0; Safeguard Computer Security Evaluation Matrix for Palo Alto Firewall 11.x, 1.0; Safeguard Computer Security Evaluation Matrix for Palo Alto Firewall 10.x, 1.0 |
| New Supported Mandates | Personal Information Protection and Electronic Documents Act, February 2026; Criminal Justice Information Services (CJIS) Security Policy, Ver. 6.0; IRS Publication 1075, November 2021 |
| Deprecated mandates | NA |
Policy Updates
We have updated your Policy Library. The following policies and mandates have been re-released as part of our customer CRM.
| Policy | Update |
| CIS Benchmark for Red Hat Enterprise Linux 9, v2.0.0 | Re-release for CIS Benchmark for Red Hat Enterprise Linux 9, v2.0.0, to update the CID 12824 and 23747 |
| CIS Benchmark for IBM DB2 11.x, v1.1.0 | Re-release for CIS Benchmark for IBM DB2 11.x, v1.1.0, to control the regular expression of CID 4147 |
| CIS IBM AIX 7.2 Benchmark, v1.1.0 | Re-release for CIS IBM AIX 7.2 Benchmark, v1.1.0, to update the cardinality of CID 5220 and 15981. |
| CIS Benchmark for Palo Alto Firewall 11, v1.2.0 | Re-release for CIS Benchmark for Palo Alto Firewall 11, v1.2.0, to replace CID 17902 29793 with 32087 32087, and update the regular expression of CID 17895 |
| CIS Benchmark for Palo Alto Firewall 10, v1.3.0 | Re-release for CIS Benchmark for Palo Alto Firewall 10, v1.3.0, to replace CID 17902 29793 with 32087 |
| CIS Benchmark for Palo Alto Firewall 9, v1.1.0 | Re-release for CIS Benchmark for Palo Alto Firewall 9, v1.1.0, to replace CID 17902 29793 with 32087 |
| Safeguards Computer Security Evaluation Matrix for Palo Alto Firewall 10.x, v6.0 | Re-release for Safeguards Computer Security Evaluation Matrix for Palo Alto Firewall 10.x, v6.0, to replace CID 17902 29793 with 32087 |
| Safeguards Computer Security Evaluation Matrix for Palo Alto Firewall 9.x, v6.0 | Re-release for Safeguards Computer Security Evaluation Matrix for Palo Alto Firewall 9.x, v6.0, to replace CID 17902 29793 with 32087 |
| Security Configuration and Compliance Policy for Palo Alto Firewall 12.x | Re-release for Security Configuration and Compliance Policy for Palo Alto Firewall 12.x, to replace CID 17902 29793 with 32087 |
| 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy Policy (SOC2) for Network Devices | Re-release for 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy Policy (SOC2) for Network Devices, to replace CID 17902 29793 with 32087 |
| DISA Security Technical Implementation Guide (STIG) for IBM WebSphere Traditional V9.x, V1R1 | Re-release for DISA Security Technical Implementation Guide (STIG) for IBM WebSphere Traditional V9.x, V1R1, to change the regular expression for CID 15863 |
| CIS Benchmark for Alma Linux 8, v4.0.0 | Re-release for CIS Benchmark for Alma Linux 8, v4.0.0, to update the regular expression of CID 28649 |
| CIS Benchmark for Oracle Linux 8, v4.0.0 | Re-release for CIS Benchmark for Oracle Linux 8, v4.0.0, to update the regular expression of CID 28649 |
| CIS Benchmark for Red Hat Enterprise Linux 8, v4.0.0 | Re-release for CIS Benchmark for Red Hat Enterprise Linux 8, v4.0.0, to update the regular expression of CID 28649 |
| DISA Security Technical Implementation Guide (STIG) for Apache Tomcat Application Server 9, V3R3 | Re-release for DISA Security Technical Implementation Guide (STIG) for Apache Tomcat Application Server 9, V3R3, to update the references in the policy |
| CIS Benchmark for Apache HTTP Server 2.4, v2.3.0 | Re-release for CIS Benchmark for Apache HTTP Server 2.4, v2.3.0, to update the cover page |
| CIS Benchmark for Alma Linux OS 10, v1.0.0 | Re-release for CIS Benchmark for AlmaLinux OS 10, v1.0.0, to update the regular expression of CID 12807 |
| CIS Benchmark for Alma Linux OS 9, v2.0.0 | Re-release for CIS Benchmark for AlmaLinux OS 9, v2.0.0, to update the regular expression of CID 12807 |
| CIS Benchmark for Oracle Linux 10, v1.0.0 | Re-release for CIS Benchmark for Oracle Linux 10, v1.0.0, to update the regular expression of CID 12807 and 23747 |
| CIS Benchmark for Red Hat Enterprise Linux 10, v1.0.1 | Re-release for CIS Benchmark for Red Hat Enterprise Linux 10, v1.0.1, to update the regular expression of CID 12807 |
| CIS Benchmark for Rocky Linux 10, v1.0.0 | Re-release for CIS Benchmark for Rocky Linux 10, v1.0.0, to update the regular expression of CID 12807 |
| DISA Security Technical Implementation Guide (STIG) for Oracle Enterprise Linux 8, V2R7 | Re-release for DISA Security Technical Implementation Guide (STIG) for Oracle Enterprise Linux 8, V2R7, to fix the issues found in the delta review |
| DISA Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 8, V2R6 | Re-release for DISA Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 8, V2R6, to fix the issues found in the delta review |
| DISA Security Technical Implementation Guide (STIG) for Microsoft Windows Server 2022 DC, V2R7 | Re-release for DISA Security Technical Implementation Guide (STIG) for Microsoft Windows Server 2022 DC, V2R7, to correct the reference for 2196, 2197, 2198, 2199 |
| CIS Benchmark for Microsoft Windows Server 2025, v2.0.0 | Re-release for CIS Benchmark for Microsoft Windows Server 2025, v2.0.0, to update the regular expressions for CID 4494 |
| CIS ALMA Linux 10, v1.0.0 | Re-release for CIS ALMA Linux 10, v1.0.0, to update the control 9348 |
| CIS ALMA Linux 8, v4.0.0 | Re-release for CIS ALMA Linux 8, v4.0.0, to update the control 9348 |
| CIS ALMA Linux 9, v2.0.0 | Re-release for CIS ALMA Linux 9, v2.0.0, to update the control 29173 |
| Apache Hadoop | Re-release for Apache Hadoop, to update the controls 18400 and 18314 |
| CIS CentOS Linux 7, V4.0.0 | Re-release for CIS CentOS Linux 7, V4.0.0, to update the controls 9348 and 29797 |
| DISA HPUX i13, V1r19 | Re-release for DISA HPUX i13, V1r19, to update the controls 15186, 5015, and 14987 |
| DISA RHEL V3R14 | Re-release for DISA RHEL V3R14, to update the control 29611 |
| CIS Oracle Enterprise Linux 10, V1.0.0 | Re-release for CIS Oracle Enterprise Linux 10, V1.0.0, to update the control 9348 |
| CIS Oracle Enterprise Linux 8, V4.0.0 | Re-release for CIS Oracle Enterprise Linux 8, V4.0.0, to update the control 9348 |
| CIS Oracle Enterprise Linux 9, V2.0.0 | Re-release for CIS Oracle Enterprise Linux 9, V2.0.0, to update the control 29173 |
| Remote Endpoints Security Hygiene | Re-release of Remote Endpoints Security Hygiene against the Hafnium attack to update control 20882 |
| CIS RHEL 7, V4.0.0 | Re-release for CIS RHEL 7, V4.0.0, to update the controls 9348 and 29797 |
| CIS RHEL 8, V4.0.0 | Re-release for CIS RHEL 8, V4.0.0, to update the control 9348 |
| CIS RHEL 9, V2.0.0 | Re-release for CIS RHEL 9, V2.0.0, to update the regular expression for the CID 23747 |
| CIS Benchmark for Rocky Linux 9, V2.0.0 | Re-release for CIS Benchmark for Rocky Linux 9, V2.0.0, to update control 29173 and 23747 |
| CIS Benchmark for Rocky Linux 8 V3.0.0 | Re-release for CIS Benchmark for Rocky Linux 8, V3.0.0, to update control 9348 |
| CIS Benchmark for Rocky Linux 10, V1.0.0 | Re-release for CIS Benchmark for Rocky Linux 10, V1.0.0, to update control 9348 |
| CIS SUSE 15, V2.0.1 | Re-release for CIS SUSE 15, V2.0.1, to update the control 9348 |
| MS SCM Compliance Security Policy for MS Windows Server 2012 R2 Domain Controller | Re-release for MS SCM Compliance Security Policy for MS Windows Server 2012 R2 Domain Controller, to update the controls 8687, 8427, and 8459 |
| Security Configuration and Compliance Policy for ArubaOS 8.x v.2.0 | Re-release for Security Configuration and Compliance Policy for ArubaOS 8.x v.2.0, to update the regular expression for CID 6257 |
| CIS Benchmark for Oracle Database 19c, v2.0.0 | Re-release for CIS Benchmark for Oracle Database 19c, v2.0.0, to add support for Oracle 19c non-multitenant |
| CIS IBM WebSphere Liberty Benchmark v1.0.0 | Re-release for CIS IBM WebSphere Liberty Benchmark v1.0.0, to add control 32109 in the policy |
| DISA Security Technical Implementation Guide (STIG) for Microsoft SQL Server 2022 Database, V1R2 | Re-release for DISA Security Technical Implementation Guide (STIG) for Microsoft SQL Server 2022 Database, V1R2, to update the regular expression for the CID 7937 |
| DISA Security Technical Implementation Guide (STIG) for Microsoft Windows Server 2019, V3R7 | Re-release for DISA Security Technical Implementation Guide (STIG) for Microsoft Windows Server 2019, V3R7, to add new mapping documents |
| CIS Benchmark for Oracle Linux 9, v2.0.0 | Re-release for CIS Benchmark for Oracle Linux 9, v2.0.0, to update the regular expression for the CID 23747 |
| CIS Benchmark for Ubuntu Linux 20.04 LTS, v3.0.0 | Re-release for CIS Benchmark for Ubuntu Linux 20.04 LTS, v3.0.0, to update the regular expression for the CID 23747 |
| CIS Benchmark for Ubuntu Linux 24.04 LTS, v1.0.0 | Re-release for CIS Benchmark for Ubuntu Linux 24.04 LTS, v1.0.0, to update the regular expression for the CID 23747 |
| DISA Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 9, V2R7 | Re-release for DISA Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 9, V2R7, to update the regular expression for the CID 20536 |
Deprecated Policies
- CIS Benchmark for Kubernetes, v1.12.0
- CIS Benchmark for Microsoft Windows 11 Stand-alone, v4.0.0
- CIS Benchmark for VMware ESXi 8.0, V1.2.0
Proposed Upcoming Policies
We plan to release the following policies and updates next month:
- CIS Cisco IOS Switch L2S STIG Benchmark, v1.0.0
- CIS Microsoft Windows Server 2016 STIG Benchmark, v4.0.0
- CIS Microsoft Windows 10 STIG Benchmark, v1.0.0
- CIS Microsoft Office System 2016 STIG Benchmark, v1.0.0
- CIS Infoblox 8.x DNS STIG Benchmark, v1.0.0
- CIS Cisco IOS XR Router RTR STIG Benchmark, v1.0.0
- CIS Cisco IOS XR Router NDM STIG Benchmark, v1.0.0
- CIS JBoss Enterprise Application Platform 6.3 STIG Benchmark, v1.0.0
- CIS Microsoft Exchange 2016 Mailbox Server STIG Benchmark, v1.0.0
- CIS Microsoft Exchange 2016 Edge Transport Server STIG Benchmark, v1.0.0
- CIS VMware vSphere 8.0 vCenter STIG Benchmark, v1.0.0
- CIS VMware vSphere 8.0 Virtual Machine STIG Benchmark, v1.0.0
- CIS VMware vSphere 8.0 ESXi STIG Benchmark, v1.0.0
- CIS IBM z/OS RACF STIG Benchmark, v1.0.0
- CIS Palo Alto Networks NDM STIG Benchmark, v1.0.0
- CIS Palo Alto Networks IDPS STIG Benchmark, v1.0.0
- CIS Palo Alto Networks ALG STIG Benchmark, v1.0.0
- CIS Apache Server 2.4 Windows Server Security Technical Implementation Guide STIG Benchmark, 1.0.0
- CIS Apple macOS 14 (Sonoma) Security Technical Implementation Guide STIG Benchmark, 1.0.0
- CIS Debian Linux 13 Benchmark, v1.0.0
- CIS Microsoft Intune for Edge Benchmark v1.0.0
- DISA Security Technical Implementation Guide (STIG) for Apple macOS 26 (Tahoe) STIG – Ver 1, Rel 1
- CIS Microsoft Windows 11 STIG Benchmark, v1.1.0
- CIS Cisco IOS XE Switch NDM STIG Benchmark, v1.1.0
- CIS Cisco IOS XE Router NDM STIG Benchmark, v1.1.0
- CIS Windows 11 Enterprise Policy – Polish Language
- CIS Azure Compute Microsoft Windows Server 2022 Benchmark v1.0.0 – Spanish
- DISA Security Technical Implementation Guide (STIG) for Red Hat OpenShift Container Platform 4.x STIG – Ver 2, Rel 5
- Safeguard Computer Security Evaluation Matrix for Rocky Linux, v1.0
- Security Configuration & Compliance Policy for VMware vCenter 9.x
- CIS Cisco IOS Switch NDM STIG Benchmark, v1.1.0
- CIS Cisco IOS Router RTR STIG Benchmark, v1.1.0
- DISA STIG Microsoft Windows 11 STIG – Ver 2, Rel 7
- DISA Security Technical Implementation Guide (STIG) for Red Hat Enterprise Linux 10, Ver 1, Rel 1
- ArubaOS Security Configuration Guide (SCG) for ArubaOS-CX
- CIS Cisco IOS XE Router RTR STIG Benchmark, v1.1.0
- CIS Cisco IOS XE Switch RTR STIG Benchmark, v1.1.0
- CIS Apple MacOS 15.0 Sequoia Intune Benchmark, v1.1.0
- CIS Apple MacOS 26 Tahoe Intune Benchmark, v1.0.0
- CIS Microsoft Office 365 ProPlus STIG Benchmark, v1.1.0
- DISA STIG for Microsoft IIS 10 Server V3R7
- DISA STIG for Microsoft IIS 10 Site V2R15
- DISA STIG for Active Directory Domain, V3R7
- CIS Cisco IOS Switch RTR STIG Benchmark, v1.1.0
- CIS Cisco IOS Router NDM STIG Benchmark, v1.1.0
What’s Next
Discover how the Qualys Enterprise TruRisk™ Platform can help you reduce cyber risk and improve business outcomes through precise remediation activities.
Additional Information
Feel free to contact your Technical Account Manager (TAM) or Qualys Technical Support if you have any questions.