General Cyber Exchange Announcements
Supplemental Automation Content has been updated for July 2020
This content leverages Configuration Management tools to enforce STIG requirements. These tools allow for customization and use a STIG-centric approach.
The Supplemental Automation Content can be found on the Cyber Exchange website on the Supplemental Automation Content tab located at:
https://cyber.mil/stigs/supplemental-automation-content/
For users who do not have a CAC that has DoD Certificates, the Supplemental Automation Content is also available from:
https://public.cyber.mil/stigs/supplemental-automation-content/
McAfee Home Use Solutions
McAfee has announced a “Work from Home (WFH)” program that provides free access to their Total Protection solution for 60 days. Under McAfee WFH, anyone can download their premier anti-virus and secure virtual private networking solutions to better protect their systems in response to the heightened mission need to support telework requirements.
The DoD Home Use program provides an annual subscription to McAfee’s Internet Security product for approved DoD employees via this website: https://www.disa.mil/Cybersecurity/Network-Defense/Antivirus/Home-Use.
SRGs/STIGs Announcements
GPO Update
Group Policy Objects (GPOs) have been updated for April 2024. Refer to the Change Log document included in the zip file for additional information.
The DISA Risk Management Executive posts the GPOs for use by system administrators to ease the burden in securing systems within their environment.
The GPOs can be found on the Cyber Exchange website on the Group Policy Objects tab:
- DOD Cyber Exchange – https://cyber.mil/stigs/gpo/ (Common Access Card required).
- DOD Cyber Exchange Public – https://public.cyber.mil/stigs/gpo/.
List of GPOs currently in the package:
Office Products
- Access 2013
- Access 2016
- Excel 2013
- Excel 2016
- InfoPath 2013
- Lync 2013
- Office 2019-M365 Apps
- Office System 2013
- Office System 2016
- OneDrive for Business 2016
- Outlook 2013
- Outlook 2016
- PowerPoint 2013
- PowerPoint 2016
- Project 2013
- Project 2016
- Publisher 2013
- Publisher 2016
- Skype for Business 2016
- Visio 2013
- Visio 2016
- Word 2013
- Word 2016
Browsers
- Edge
- Google Chrome
- Internet Explorer 11
- Mozilla Firefox
Antivirus
- Windows Defender AV
Adobe Acrobat
- Adobe Acrobat Pro DC Continuous
- Adobe Acrobat Reader DC Continuous
Operating Systems
- Windows 10
- Windows 11
- Windows Firewall
- Windows 2012 R2 DC
- Windows 2012 R2 MS
- Windows Server 2016 (MS and DC)
- Windows Server 2019 (MS and DC)
- Windows Server 2022
Assistance
For issues accessing files, email the Cyber Exchange web team at dod.cyberexchange@mail.mil.
For questions related to STIG content, email the DISA STIG Customer Support Desk at disa.stig_spt@mail.mil.
DISA publishes April 2024 Quarterly Maintenance Release
DISA recently released the following updated Security Guidance.
Note: The automation portion of the April maintenance release will be held until the July maintenance release. This is due to recent changes in automation processes and procedures and upcoming changes to STIGs and SRGs from the fifth revision of the NIST SP 800-53.
Unclassified Application STIGs
Apache Server 2.4 Unix STIG
Microsoft .Net Framework 4.0 STIG – Ver 2, Rel 4
Microsoft Edge STIG – Ver 1, Rel 8
Microsoft Excel 2016 STIG – Ver 2, Rel 1
Microsoft Office 365 ProPlus STIG – Ver 2, Rel 12
Microsoft Office System 2016 STIG – Ver 2, Rel 3
MS SQL Server 2016 STIG
Rancher Government Solutions RKE2 STIG – Ver 1, Rel 5
Red Hat Ansible Automation Controller STIG
Red Hat JBoss Enterprise Application Platform (EAP) 6.3 STIG – Ver 2, Rel 4
Unclassified Mobility STIGs and SRGs
Apple iOS/iPadOS 15 STIG – Ver 1, Rel 4
Google Android 13 BYOAD STIG
Samsung Android 14 with Knox 3.x STIG
Unclassified Network STIGs and SRGs
Cisco IOS Switch STIG
Cisco IOS XE Switch STIG
Cisco NX OS Switch STIG
NetApp ONTAP DSC 9.x STIG – Ver 1, Rel 4
Router SRG – Ver 4, Rel 3
Unclassified Operating System STIGs and Overviews
Apple macOS 13 (Ventura) STIG – Ver 1, Rel 4
Apple macOS 14 (Sonoma) STIG – Ver 1, Rel 2
Canonical Ubuntu 18.04 LTS STIG – Ver 2, Rel 14
Canonical Ubuntu 20.04 LTS STIG – Ver 1, Rel 12
IBM zOS STIG
Oracle Linux 8 STIG – Ver 1, Rel 10
Red Hat Enterprise Linux 8 STIG – Ver 1, Rel 14
Red Hat Enterprise Linux 9 STIG – Ver 1, Rel 3
Solaris 11 SPARC STIG – Ver 2, Rel 10
Solaris 11 X86 STIG – Ver 2, Rel 10
SUSE Linux Enterprise Server 15 STIG – Ver 1, Rel 13
z/OS ACF2 Products – Ver 6, Rel 60
z/OS RACF Products – Ver 6, Rel 60
z/OS TSS Products – Ver 6, Rel 60
Sunset
Sunset – VMware Horizon 7.13 STIG
Assistance
For issues accessing files, email the Cyber Exchange web team at dod.cyberexchange@mail.mil.
For questions related to STIG content, email the DISA STIG Customer Support Desk at disa.stig_spt@mail.mil.
DISA releases the updated DOD Annex for MDFPP V 3.3
The Defense Information Systems Agency recently released the updated DOD Annex for Mobile Device Fundamental Protection Profile MDFPP V3.3, which becomes effective immediately.
Customers who possess a Common Access Card that has valid Department of Defense certificates can obtain the Annex from the DOD Cyber Exchange website at https://cyber.mil/stigs/niap/. The Annex is also available on the Cyber Exchange public site at https://public.cyber.mil/stigs/niap.
Users who are unable to find and download the content can report their issue to the Cyber Exchange web team at dod.cyberexchange@mail.mil. Individuals who have further questions related to Annex content should email the DISA STIG customer support desk at disa.stig_spt@mail.mil.
DISA releases the Mirantis Kubernetes Engine Security Technical Implementation Guide
The Defense Information Systems Agency recently approved the Mirantis Kubernetes Engine Security Technical Implementation Guide (STIG), which is effective immediately upon release.
Customers who possess a Common Access Card that has valid Department of Defense certificates can obtain the STIG from the DOD Cyber Exchange website at https://cyber.mil/stigs/downloads/. The STIG is also available on the Cyber Exchange public site at https://public.cyber.mil/stigs/downloads.
Users who are unable to find and download the guide or other content can report their issue to the Cyber Exchange web team at dod.cyberexchange@mail.mil. Individuals who have further questions related to STIG content should email the DISA STIG customer support desk at disa.stig_spt@mail.mil.
STIG/SRG Updates for NIST SP 800-53 Rev 5 Set for July
DISA will be updating numerous STIGs and SRGs to bring them into compliance with changes from the fifth revision of the NIST SP 800-53. The STIG team will complete this work for the July maintenance release. Therefore, any routine STIG/SRG maintenance will be held until the October release. All SRGs and 100 STIGs, listed below, will be included in the July updates.
DISA releases out-of-cycle update for the Virtual Private Network Security Requirements Guide and the Web Server Security Requirements Guide
The Defense Information Systems Agency has released an out-of-cycle update for the Virtual Private Network Security Requirements Guide (SRG) and the Web Server SRG, which become effective immediately upon release.
Customers who possess a Common Access Card that has valid Department of Defense certificates can obtain the STIG from the DOD Cyber Exchange website at https://cyber.mil/stigs/downloads/. The STIG is also available on the Cyber Exchange public site at https://public.cyber.mil/stigs/downloads.
Users who are unable to find and download the guide or other content can report their issue to the Cyber Exchange web team at dod.cyberexchange@mail.mil. Individuals who have further questions related to STIG content should email the DISA STIG customer support desk at disa.stig_spt@mail.mil.
DISA releases the Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
The Defense Information Systems Agency recently approved the Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide (STIG), which is effective immediately upon release.
Customers who possess a Common Access Card that has valid Department of Defense certificates can obtain the STIG from the DOD Cyber Exchange website at https://cyber.mil/stigs/downloads/. The STIG is also available on the Cyber Exchange public site at https://public.cyber.mil/stigs/downloads.
Users who are unable to find and download the guide or other content can report their issue to the Cyber Exchange web team at dod.cyberexchange@mail.mil. Individuals who have further questions related to STIG content should email the DISA STIG customer support desk at disa.stig_spt@mail.mil.
Release of SCC 5.9
The SCC team is pleased to announce the release of SCC 5.9, which contains:
- Added support for SQL Server 2016 -> 2022
- Added new Hybrid test to allow more automation
- Created SCAP benchmarks for SQL Server
- Updated all internal dependencies
- Removed support for older OS’s
Available from Cyber Exchange in the next week or two at:
FY24 Funding Update: We have funding that looks promising for the first 1/2 of FY24, but are still looking for other groups to join in as a supporting member. Please contact our team if you’d like to help out.
DISA releases the Enterprise Voice, Video, and Messaging Security Requirements Guide
The Defense Information Systems Agency recently approved the Enterprise Voice, Video, and Messaging (EVVM) Security Requirements Guide (SRG), which is effective immediately upon release.
Note: The EVVM SRG replaces the Voice, Video, and VoIP STIGs currently in sunset. The Voice, Video, and VoIP STIGs must not be used and will be retired and removed from Cyber Exchange.
Customers who possess a Common Access Card that has valid Department of Defense certificates can obtain the STIG from the DOD Cyber Exchange website at https://cyber.mil/stigs/downloads/. The STIG is also available on the Cyber Exchange public site at https://public.cyber.mil/stigs/downloads.
Users who are unable to find and download the guide or other content can report their issue to the Cyber Exchange web team at dod.cyberexchange@mail.mil. Individuals who have further questions related to STIG content should email the DISA STIG customer support desk at disa.stig_spt@mail.mil.
Request for comments - DISA releases draft Microsoft Office365 ProPlus STIG SCAP benchmark snapshot for review
The Defense Information Systems Agency recently released the draft Microsoft Office365 ProPlus Security Technical Implementation Guide (STIG) Security Content Automation Protocol (SCAP) benchmark snapshot for review.
The draft benchmark is a snapshot of SCAP content developed for the technology and does not include the full spectrum of content expected to be included in the final release of the benchmark.
The Microsoft Office 365 ProPlus SCAP Benchmark must be used with the SCAP Compliance Checker (SCC) application to avoid potential false negative results.
Customers who possess a Common Access Card that has valid Department of Defense certificates can submit comments and/or recommended changes to the draft benchmark snapshot by 03 May 2024 on the comment matrix spreadsheet, which is located with the benchmark at https://cyber.mil/stigs/downloads/.
The draft benchmark snapshot and comment matrix are also available on the Cyber Exchange public site at https://public.cyber.mil/stigs/downloads.
Please limit comments and recommendations in the comment matrix to those that address the benchmark. Questions regarding the manual STIG should be sent to dod.cyberexchange@mail.mil.
Please email comments to disa.stig_spt@mail.mil and include the title and version of the benchmark in the subject line.
Users who are unable to find and download these files or other content can report their issue to the Cyber Exchange web team at dod.cyberexchange@mail.mil.
SCC Survey 2024
The SCAP Compliance Checker (SCC) development team is requesting your feedback as part of their annual customer satisfaction survey. The survey has been redesigned from previous years, and it’s now shorter and easier to complete, with more focus on what end users need going forward. This is your chance to help influence SCC requirements for FY25.
The survey is currently open and results will be analyzed at the end of April 2024. The SCC team requests your feedback be completed by April 15.
https://usnavy.gov1.qualtrics.com/jfe/form/SV_4ZpXv8JkUlDs4lw
DISA releases the Google Android 14 BYOAD Security Technical Implementation Guide
The Defense Information Systems Agency recently approved the Google Android 14 BYOAD Security Technical Implementation Guide (STIG), which is effective immediately upon release.
Customers who possess a Common Access Card that has valid Department of Defense certificates can obtain the STIG from the DOD Cyber Exchange website at https://cyber.mil/stigs/downloads/. The STIG is also available on the Cyber Exchange public site at https://public.cyber.mil/stigs/downloads.
Users who are unable to find and download the guide or other content can report their issue to the Cyber Exchange web team at dod.cyberexchange@mail.mil. Individuals who have further questions related to STIG content should email the DISA STIG customer support desk at disa.stig_spt@mail.mil.
PKI/PKE Announcements
New WCF CAs released
The WCF PKI has recently deployed updated WCF Signing CAs 1-10. These new certificates are now available in the WCF PKI PKCS#7 Certificate Bundle v5.15.
Updated version of InstallRoot
InstallRoot version 5.6 is now available from the PKI/E Tools page. This release includes bug fixes and updates to InstallRoot embedded TAMP messages.
New DoD PKI CAs Released
The latest DoD PKI CA Certificates Bundle (PKCS#7) v5.12 has been updated to include DoD ID/Email CAs 70-73 and DoD SW CAs 74-77. These new CAs should begin production issuance in the second half of 2023.