General Cyber Exchange Announcements
Supplemental Automation Content has been updated for July 2020
This content leverages Configuration Management tools to enforce STIG requirements. These tools allow for customization and use a STIG-centric approach.
The Supplemental Automation Content can be found on the Cyber Exchange website on the Supplemental Automation Content tab located at:
https://cyber.mil/stigs/supplemental-automation-content/
For users who do not have a CAC that has DoD Certificates, the Supplemental Automation Content is also available from:
https://public.cyber.mil/stigs/supplemental-automation-content/
McAfee Home Use Solutions
McAfee has announced a “Work from Home (WFH)” program that provides free access to their Total Protection solution for 60-days. Under McAfee WFH, anyone can download their premier anti-virus and secure virtual private networking solutions to better protect their systems in response to the heightened mission need to support telework requirements. Click here to learn more about McAfee’s corporate Work from Home program.
The DoD Home Use program provides an annual subscription to McAfee’s Internet Security product for approved DoD employees via this website: https://www.disa.mil/Cybersecurity/Network-Defense/Antivirus/Home-Use.
SRGs/STIGs Announcements
STIG Update - DISA Has Released the Juniper SRX for Anisble Automation Package
DISA has released the Juniper SRX for Anisble Automation Package.
Customers who have a CAC that has DoD Certificates can obtain the file at https://cyber.mil/stigs/downloads/.
For those who do not have a CAC that has DoD Certificates, the file is also available from https://public.cyber.mil/stigs/downloads/.
If you are unable to find and download the content, please report broken link issues to the DoD Cyber Exchange Web team at dod.cyberx@mail.mil. For all questions related to the package content, please contact the DISA STIG Customer Support Desk at disa.stig_spt@mail.mil.
STIG Update - DISA Has Released the Canonical Ubuntu 18.04 STIG Benchmark
DISA has released the automated benchmark for the Canonical Ubuntu 18.04 Security Technical Implementation Guide (STIG). The requirements of the benchmark become effective immediately.
Customers who have a CAC that has DoD Certificates can obtain the benchmark at https://cyber.mil/stigs/downloads/.
For those who do not have a CAC that has DoD Certificates, the benchmark is also available from https://public.cyber.mil/stigs/downloads/.
If you are unable to find and download the content, please report broken link issues to the DoD Cyber Exchange Web team at dod.cyberx@mail.mil. For all questions related to the benchmark content, please contact the DISA STIG Customer Support Desk at disa.stig_spt@mail.mil.
DISA has released the Motorola Android 9.x STIG
DISA has released the Motorola Android 9.x Security Technical implementation Guide (STIG). The requirements of the STIG become effective immediately.
Customers who have a CAC that has DoD Certificates can obtain the STIG at https://cyber.mil/stigs/downloads/.
For those who do not have a CAC that has DoD Certificates, the STIG is also available from https://public.cyber.mil/stigs/downloads/.
If you are not able to find and download the content, please report broken link issues to the DoD Cyber Exchange Web team at dod.cyberexchange@mail.mil. For all questions related to the STIG content, please contact the DISA STIG Customer Support Desk at disa.stig_spt@mail.mil.
Supplemental Automation Content has been updated for October 2020
This content leverages Configuration Management tools to enforce STIG requirements. These tools allow for customization and use a STIG-centric approach.
The Supplemental Automation Content can be found on the Cyber Exchange website on the Supplemental Automation Content tab located at: https://cyber.mil/stigs/supplemental-automation-content/. For users who do not have a CAC that has DoD Certificates, the Supplemental Automation Content is also available from https://public.cyber.mil/stigs/supplemental-automation-content/.
The following content has been updated:
Ansible Content:
Cisco IOS XE Router STIG for Ansible – Ver 2, Rel 1
Red Hat Enterprise Linux 7 STIG for Ansible – Ver 3, Rel 1
Chef Content:
Red Hat Enterprise Linux 7 STIG for Chef – Ver 3, Rel 1
DISA has released updates to the SRG/STIG Library Compilations
These updates include the latest quarterly SRG/STIG update and newly released SRGs and STIGs published since the last quarterly update.
https://public.cyber.mil/stigs/compilations/
Group Policy Objects (GPOs) have been updated for October 2020
Group Policy Objects (GPOs) have been updated for October 2020. See the Change Log document included in the zip file for additional information.
DISA Risk Management Executive is posting the GPOs for use by system administrators to ease the burden in securing systems within their environment.
The GPOs can be found on Cyber Exchange website on the Group Policy Objects tab located at https://cyber.mil/stigs/gpo/. For users who do not have a CAC that has DoD Certificates, the GPO is also available from https://public.cyber.mil/stigs/gpo/.
List of GPOs currently in the package:
Office Products
Access 2013
Access 2016
Excel 2013
Excel 2016
InfoPath 2013
Lync 2013
Office 365 ProPlus
Office System 2013
Office System 2016
OneDrive for Business 2016
OneNote 2013
OneNote 2016
Outlook 2013
Outlook 2016
PowerPoint 2013
PowerPoint 2016
Project 2013
Project 2016
Publisher 2013
Publisher 2016
SharePoint 2010
SharePoint Designer 2013
Skype for Business 2016
Visio 2013
Visio 2016
Word 2013
Word 2016
Browsers
Google Chrome
Internet Explorer 11
Antivirus
Windows Defender AV
Adobe Acrobat
Adobe Acrobat Pro DC Classic
Adobe Acrobat Pro DC Continuous
Adobe Acrobat Reader DC Classic
Adobe Acrobat Reader DC Continuous
Operating Systems
Windows 10
Windows 8/8.1
Windows Firewall
Windows 2008 R2 DC
Windows 2008 R2 MS
Windows 2012 R2 DC
Windows 2012 R2 MS
Windows Server 2016 (MS and DC)
Windows Server 2019 (MS and DC)
STIG Update - October 2020 Quarterly Release
DISA has released the following updated Security Guidance, Security Readiness Review Scripts and Benchmarks:
Unclassified Application STIGs:
https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=app-security
Apache Server 2.4 UNIX Server STIG – Ver 2, Rel 1
Apache Server 2.4 Windows Server STIG – Ver 2, Rel 1
Apache Tomcat Application Server 9 STIG – Ver 2, Rel 1
Application Server SRG – Ver 3, Rel 1
Application Security and Development STIG – Ver 5, Rel 1
EDB Postgres Advanced Server v11 on Windows STIG – Ver 2, Rel 1
EDB Postgres Advanced Server STIG – Ver 2, Rel 1
Google Chrome STIG – Ver 2, Rel 1
Microsoft Exchange 2016 Edge Transport Server STIG – Ver 2, Rel 1
Microsoft Exchange 2016 Mailbox Server STIG – Ver 2, Rel 1
Microsoft IIS 8.5 Server STIG – Ver 2, Rel 1
Microsoft IIS 8.5 Site STIG – Ver 2, Rel 1
Microsoft IIS 10.0 Server STIG – Ver 2, Rel 1
Microsoft IIS 10.0 Site STIG – Ver 2, Rel 1
Microsoft SQL Server 2016 Database STIG – Ver 2, Rel 1
Microsoft SQL Server 2016 Instance STIG – Ver 2, Rel 1
Microsoft Office 365 ProPlus STIG – Ver 2, Rel 1
Microsoft Office System 2013 STIG – Ver 2, Rel 1
Microsoft Outlook 2016 STIG – Ver 2, Rel 1
PostgresSQL 9.x STIG – Ver 2, Rel 1
Splunk Enterprise 7.x for Windows STIG – Ver 2, Rel 1
Unclassified Mobility STIGs and SRGs:
https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=mobility
ISEC7 Sphere STIG – Ver 2, Rel 1
Unclassified Network STIGs and SRGs:
https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=network-perimeter-wireless
Cisco IOS Router NDM STIG – Ver 2, Rel 1
Cisco IOS Router RTR STIG – Ver 2, Rel 1
Cisco IOS Switch NDM STIG – Ver 2, Rel 1
Cisco IOS-XE Router NDM STIG – Ver 2, Rel 1
Cisco IOS-XE Router RTR STIG – Ver 2, Rel 1
Cisco IOS-XE Switch NDM STIG – Ver 2, Rel 1
Cisco IOS-XR Router NDM STIG – Ver 2, Rel 1
Cisco IOS-XR Router RTR STIG – Ver 2, Rel 1
F5 BIG-IP Access Policy Manager 11.x STIG – Ver 2, Rel 1
F5 BIG-IP Device Management 11.x STIG – Ver 2, Rel 1
F5 BIG-IP Local Traffic Manager 11.x STIG – Ver 2, Rel 1
Juniper SRX SG ALG STIG – Ver 2, Rel 1
Microsoft Windows 2012 Server Domain Name System STIG – Ver 2, Rel 1
Palo Alto Networks ALG STIG – Ver 2, Rel 1
Palo Alto Networks IDPS STIG – Ver 2, Rel 1
Voice Video Session Management SRG – Ver 2, Rel 1
Virtual Private Network (VPN) SRG – Ver 2, Rel 1
Unclassified Operating System STIGs and Overviews:
https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems
Apple OS X 10.13 STIG – Ver 2, Rel 1
Apple OS X 10.14 STIG – Ver 2, Rel 1
Canonical Ubuntu 16.04 LTS STIG – Ver 2, Rel 1
Canonical Ubuntu 18.04 LTS STIG – Ver 2, Rel 1
IBM AIX 7.x STIG – Ver 2, Rel 1
Oracle Linux 6 STIG – Ver 2, Rel 1
Oracle Linux 7 STIG – Ver 2, Rel 1
Red Hat Enterprise Linux 6 STIG – Ver 2, Rel 1
Red Hat Enterprise Linux 7 STIG – Ver 3, Rel 1
Solaris 10 SPARC STIG – Ver 2, Rel 1
Solaris 10 x86 STIG – Ver 2, Rel 1
Solaris 11 SPARC STIG – Ver 2, Rel 1
Solaris 11 x86 STIG – Ver 2, Rel 1
z/OS ACF2 Products – Ver 6, Rel 47
z/OS RACF Products – Ver 6, Rel 47
z/OS TSS Products – Ver 6, Rel 47
z/OS STIG – Ver 8, Rel 1
Benchmarks:
https://public.cyber.mil/stigs/scap/
Adobe Acrobat Reader DC Classic Track STIG Benchmark – Ver 2, Rel 1
Canonical Ubuntu 16.04 STIG Benchmark – Ver 2, Rel 1
Google Chrome for Windows STIG Benchmark – Ver 2, Rel 1
Oracle Linux 7 STIG Benchmark – Ver 2, Rel 1
Red Hat Enterprise Linux 6 STIG Benchmark – Ver 2, Rel 1
Red Hat Enterprise Linux 7 STIG Benchmark – Ver 3, Rel 1
SUSE Linux Enterprise Server 12 STIG Benchmark – Ver 2, Rel 1
Solaris 10 SPARC STIG Benchmark – Ver 2, Rel 1
Solaris 10 X86 STIG Benchmark – Ver 2, Rel 1
Solaris 11 SPARC STIG Benchmark – Ver 2, Rel 1
Solaris 11 X86 STIG Benchmark – Ver 2, Rel 1
Sunset STIGs:
https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=sunset
Adobe Acrobat Reader DC Classic Track STIG – Ver 2, Rel 1
Adobe Acrobat Professional DC Classic Track STIG – Ver 2, Rel 1
DISA Draft Microsoft Edge STIG Comments Due 03 November
DISA has released the Draft Microsoft Edge Security Technical Implementation Guide (STIG) for review.
Customers who have a CAC with DoD Certificates can submit comments, recommended changes, and/or additions to the draft STIG by 03 November 2020 on the Comment Matrix spreadsheet, located with the STIG at https://cyber.mil/stigs/downloads/.
For those who do not have a CAC with DoD Certificates, the Comment Matrix spreadsheet is located with the STIG at https://public.cyber.mil/stigs/downloads/.
If you are unable to find and download the content, please report broken link issues to the DoD Cyber Exchange Web team at dod.cyberexchange@mail.mil. For all questions related to the STIG content, please contact the DISA STIG Customer Support Desk at disa.stig_spt@mail.mil.
Comments should be sent via email to disa.stig_spt@mail.mil. Please include the title and version of the STIG in the subject line of your email.
Notice of Discontinued Support for Microsoft Office 2016 SCAP 1.3 Benchmarks
The Microsoft Office 2016 SCAP 1.3 benchmarks for Microsoft Access, Excel, Office System, OneDrive, OneNote, Outlook, PowerPoint, Project, Publisher, Skype, Visio, and Word are being withdrawn to be reevaluated.
Profile hives for domain users are not being processed correctly because of a technical implementation limitation that did not manifest during internal testing.
Please contact the DISA STIG Customer Support Desk at disa.stig_spt@mail.mil with any questions
DISA Posts Revised Files to Test New STIG Group and Rule IDs
DISA has posted the following additional content for testing new Security Technical Implementation Guide (STIG) and Security Requirements Guide (SRG) Group and Rule IDs:
- Apple OS X 10.13 TEST STIG – Ver 2, Rel 0.1
- Apple OS X 10.14 TEST STIG – Ver 2, Rel 0.1
- BlackBerry Enterprise Mobility Server 2.x TEST STIG – Ver 2, Rel 0.1
- Canonical Ubuntu 16.04 TEST STIG – Ver 2, Rel 0.1
- Canonical Ubuntu 18.04 LTS TEST STIG – Ver 2, Rel 0.1
- SLES 12 TEST STIG – Ver 2, Rel 0.1
- Samsung Android OS 9 with Knox 3.x TEST STIG – Ver 2, Rel 0.1
- Voice Video Endpoint TEST SRG – Ver 2, Rel 0.1
- Voice Video Session Management TEST SRG – Ver 2, Rel 0.1
The following new and updated SCAP 1.2 content has also been posted:
- Canonical Ubuntu 16.04 TEST STIG Benchmark – Ver 2, Rel 0.1
- RHEL 7 TEST STIG Benchmark – Ver 3, Rel 0.5
- SLES 12 TEST STIG Benchmark – Ver 2, Rel 0.1
As noted previously, to provide increased flexibility for the future, DISA is updating the systems that produce STIGs and SRGs. The initial modification will be to change Group and Rule IDs (Vul and Subvul IDs). The previous Group and Rule IDs will be retained through the update as “legacy” IDs, presented as XCCDF ident elements. See the example below:
<Group id="V-204392">
<title>SRG-OS-000257-GPOS-00098</title>
<description>…</description>
<Rule id="SV-204392r85825_rule" weight="10.0" severity="high">
<version>RHEL-07-010010</version>
<title>The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.</title>
<description>…</description>
<reference>…</reference>
<ident system="http://cyber.mil/legacy">SV-86473</ident>
<ident system="http://cyber.mil/legacy">V-71849</ident>
<ident system="http://cyber.mil/cci">CCI-001494</ident>
<ident system="http://cyber.mil/cci">CCI-001496</ident>
<ident system="http://cyber.mil/cci">CCI-002165</ident>
<ident system="http://cyber.mil/cci">CCI-002235</ident>
These updates will necessitate a new version number for every STIG as it is converted to the new format. For example, if the old version/release of a STIG is V2R6, the updated version/release will be V3R1.
DISA has posted manual STIGs on DoD Cyber Exchange in the new format for review and testing, along with several automated benchmarks. A new XSL stylesheet is included in the STIGs to handle the “legacy” identifiers.
For those who do not have a CAC with DoD Certificates, the STIGs are available at https://public.cyber.mil/stigs/downloads/.
If you have any comments after reviewing these samples, please email them to disa.stig_spt@mail.mil and note in the subject line STIG Testing Comments.
DISA Posts Additional File to Test New STIG/SRG Group and Rule IDs
To provide increased flexibility for the future, DISA is updating the systems that produce STIGs and Security Requirements Guides (SRGs). The initial modification will be to change Group and Rule IDs (Vul and Subvul IDs).
Several manual test STIGs and benchmarks are available for review and comment. Click “More about Critical Updates” for additional details.
DISA Draft Container Platform SRG Comments due 09 September
DISA recently released the Draft Container Platform Security Requirements Guide (SRG) for review. The due date for comments is being revised to 09 September 2020.
Customers who have a CAC with DoD Certificates can submit comments, recommended changes, and/or additions to the draft SRG by 09 September 2020 on the Comment Matrix spreadsheet, located with the SRG at https://cyber.mil/stigs/downloads/.
For those who do not have a CAC with DoD Certificates, the Comment Matrix spreadsheet is located with the SRG at https://public.cyber.mil/stigs/downloads/.
If you are unable to find and download the content, please report broken link issues to the DoD Cyber Exchange Web team at dod.cyberexchange@mail.mil. For all questions related to the SRG content, please contact the DISA STIG Customer Support Desk at disa.stig_spt@mail.mil.
Comments should be sent via email to disa.stig_spt@mail.mil. Please include the title and version of the SRG in the subject line of your email.
PKI/PKE Announcements
New WCF CAs released - Certificate Bundle v5.10
The WCF PKI has recently deployed updated WCF Signing CAs 1-10. These new certificates are now available in the WCF PKI PKCS#7 Certificate Bundle v5.10.