Q1 2026 Release Notes

This release incorporates the latest DISA STIG updates from the January 2026 quarterly release cycle, along with enhanced scanning scripts and platform improvements.

492

StigID Updates

Benchmarks

Script Updates

Consolidated StigIDs

DISA STIG Updates (January 2026)

The following summarizes key changes from DISA's quarterly STIG release dated 05 January 2026.

MS SQL Server 2016 - V3R4 (Database) / V3R6 (Instance)

Major Consolidation

DISA consolidated multiple duplicate requirements into combined checks. The following StigIDs have been removed:

SQL6-D0-001100, SQL6-D0-003000 - Combined into SQL6-D0-001400
SQL6-D0-002500, SQL6-D0-002700 - Combined into SQL6-D0-002600
SQL6-D0-003400 - Combined into SQL6-D0-003300
SQL6-D0-007800 - Combined into SQL6-D0-004000
SQL6-D0-012900, SQL6-D0-013200, SQL6-D0-014000, SQL6-D0-015400, SQL6-D0-014600 - Combined into SQL6-D0-004600
SQL6-D0-011900, SQL6-D0-007700 - Combined into SQL6-D0-007600
SQL6-D0-015600, SQL6-D0-015700, SQL6-D0-015800, SQL6-D0-009200 - Combined into SQL6-D0-008700
SQL6-D0-014900, SQL6-D0-015000, SQL6-D0-015100 - Combined into SQL6-D0-011800
SQL6-D0-014400 - Combined into SQL6-D0-013800
SQL6-D0-015200 - Combined into SQL6-D0-014800

Script Changes

SQL6-D0-001200 - Updated script to exclude standard schema owners (dbo, db_owner, sys, etc.) from results
SQL6-D0-002900 - Updated script for case-sensitive collation compatibility
SQL6-D0-011800 - Removed SCHEMA_OBJECT_CHANGE_GROUP from required audit groups

Microsoft Windows 11 - V2R6

Key Changes

WN11-00-000126 - Added requirement to block consumer account user authentication
WN11-00-000155 - Added NA statement for Windows 11 version 24H2 and newer
WN11-00-000210 - Updated Check and Fix to include registry information
WN11-00-000220 - Combined with WN11-00-000210
WN11-SO-000005, WN11-AU-000550 - Removed unnecessary requirements

Microsoft Windows Server 2019 - V3R7

Key Changes

WN19-00-000020 - Updated check command and language; changed "workstation" to "server" in check text; updated PowerShell command for Administrator password age check
WN19-DC-000290 - Updated URL in Check text
WN19-00-000170 - Updated check and fix text to replace "Users" with "Authenticated Users" on the System registry key

Microsoft Windows Server 2022 - V2R7

Key Changes

WN22-00-000020 - Updated check command matching Server 2019 changes; added standalone server NA statement for LAPS
Registry path formatting standardized throughout (trailing backslash corrections)

Active Directory Domain - V3R6

Key Changes

AD.0017 - Removed NA statement about 2012 R2 functional level.
AD.0151 - Updated requirement to include references to utilize Windows LAPS.
AD.0016, AD.0200 - Rule numbers updated due to changes in content management system.

Canonical Ubuntu 22.04 LTS - V2R7

Key Changes

UBTU-22-211000 - Added release dates to Discussion and subscription status check command to Check.
UBTU-22-212015 - Updated to address /etc/default/grub and /boot/grub/grub.cfg.
UBTU-22-213015 - Updated Check to display correct output and meet intent of check.
UBTU-22-215040 - Added requirement to prohibit the installation of NFS packages.
UBTU-22-254010 - Added second finding statement to Check.
UBTU-22-254025 - Removed duplicate requirement.
UBTU-22-255050 - Removed "aes192-ctr" from the list of Ciphers and removed order requirement.
UBTU-22-432010 - Removed reference to "NOPASSWD" from check and fix text.
UBTU-22-432011 - Updated rule title to contain OS name.
UBTU-22-631015 - Updated finding statement.
UBTU-22-651015 - Corrected spacing in Check and Fix.
UBTU-22-654041 - Removed "auditctl" from Fix.
Rule numbers updated throughout due to changes in content management system.

Canonical Ubuntu 24.04 LTS - V1R4

Key Changes

UBTU-24-100050 - Added requirement to prohibit the installation of NFS packages.
UBTU-24-100110 - Corrected typo in Title.
UBTU-24-100860 - Fixed typo in Check to address MACs.
UBTU-24-102010 - Updated control to address "/etc/default/grub" and "/boot/grub/grub.cfg".
UBTU-24-200270 - Removed "auditctl" from Fix.
UBTU-24-300024 - Removed requirement; functionality handled by rsyslog.
UBTU-24-400340 - Updated NA note and finding statement.
UBTU-24-600070 - Updated Check to display correct output and meet intent of check.
UBTU-24-700400 - Added release dates to Discussion and subscription status check command to Check.

Cisco ACI - V1R2 (L2S) / V1R2 (NDM)

Key Changes

Cisco ACI Layer 2 Switch STIG:
CACI-L2-000001 - Updated navigation in Check and Fix.
CACI-L2-000002, CACI-L2-000004, CACI-L2-000009, CACI-L2-000010, CACI-L2-000011 - Changed to Not Applicable. VTP is out of scope for Cisco ACI.
CACI-L2-000014 - Changed to Not Applicable. No configuration or VLAN is assigned in ACI to any interface without configuration.
CACI-L2-000015, CACI-L2-000016, CACI-L2-000018 - Removed requirement; covered in Router STIG as part of L3 configuration.
CACI-L2-000017 - Updated navigation in Check and Fix. Updated Vulnerability Discussion.
CACI-L2-000019 - Removed requirement; OOB configured in Router STIG at layer 3.
Cisco ACI NDM STIG:
CACI-ND-000001 - Updated check and fix. As of version 6.0, date/time settings under System >> System Settings.
CACI-ND-000003 - Removed references to HTML option for banner display.
CACI-ND-000004, CACI-ND-000005 - Updated Check and Fix navigation.
CACI-ND-000007, CACI-ND-000009, CACI-ND-000029, CACI-ND-000043, CACI-ND-000045 - Updated navigation instructions.

Cisco ASA - V2R4

Key Changes

CASA-ND-001080 - Corrected syntax in check and fix text to use SHA256.
CASA-ND-000140, CASA-ND-001310, CASA-ND-001410 - Rule numbers updated due to changes in content management system.

Cisco IOS Router - V3R6

Key Changes

CISC-ND-001150 - Corrected syntax in Check and Fix and added note.
CISC-ND-001370 - Updated Fix text example to follow best practices.
CISC-ND-000140, CISC-ND-001450 - Rule number updated due to changes in content management system.

Cisco IOS Switch - V3R6

Key Changes

CISC-ND-001150 - Corrected syntax in Check and Fix and added note.
CISC-ND-001370 - Updated Fix text example to follow best practices.
CISC-ND-000140, CISC-ND-001450 - Rule number updated due to changes in content management system.

Cisco IOS-XE Switch - V3R5

Key Changes

CISC-ND-001370 - Updated Fix text example to follow best practices.
CISC-ND-000140, CISC-ND-001450 - Rule number updated due to changes in content management system.

Cisco IOS-XR Router - V3R5

Key Changes

CISC-ND-001150 - Corrected syntax in Check and Fix and added note.
CISC-ND-000140, CISC-ND-001370 - Rule number updated due to changes in content management system.

Cisco ISE - V2R3 (NDM) / V2R3 (NAC)

Key Changes

Cisco ISE NDM STIG:
CSCO-NM-000230 - Changed focus of Fix to match the requirement. Added note.
CSCO-NM-000240 - Added note about local time zone to UTC mapping.
CSCO-NM-000390 - Updated Check to add note.
CSCO-NM-000520 - Updated Rule to change to six minutes of inactivity.
Rule numbers updated throughout due to changes in content management system.
Cisco ISE NAC STIG:
CSCO-NC-000050 - Removed firewall option from the Fix.
Rule numbers updated throughout due to changes in content management system.

Cisco NX-OS Switch - V3R6 (NDM) / V3R3 (L2S)

Key Changes

NDM STIG:
CISC-ND-001150 - Corrected syntax in Check and Fix text and added note.
CISC-ND-000140, CISC-ND-001370, CISC-ND-001450 - Rule number updated due to changes in content management system.
L2S STIG:
CISC-L2-000140 - Added note that this control is NA if dot1x/mab is enabled.
CISC-L2-000060, CISC-L2-000070 - Rule number updated due to changes in content management system.

Juniper EX Switches - V2R4 (L2S) / V2R4 (NDM)

Key Changes

L2S STIG:
JUEX-L2-000120, JUEX-L2-000130, JUEX-L2-000140 - Updated with clarification: "This requirement is applicable to VLANs with active access interfaces assigned, but not to switches that only trunk the VLANs between switches."
NDM STIG:
JUEX-NM-000340 - Updated check and fix to correct values to remove hyphen in "sha256" and "sha512".
JUEX-NM-000510, JUEX-NM-000520 - Changed all examples for AES in the STIG to use AES256 and other CNSSP recommendations.
JUEX-NM-000060, JUEX-NM-000070, JUEX-NM-000640, JUEX-NM-000670 - Rule number updated due to changes in content management system.

Mozilla Firefox - V6R7

Key Changes

FFOX-00-000001 - Rule number updated due to changes in content management system.
FFOX-00-000018 - Updated CCI.

MS Defender Antivirus - V2R7

Key Changes

WNDF-AV-000054 - Changed registry value reference from "HideExclusionsFromLocalUsers" to "HideExclusionsFromLocalAdmins".
WNDF-AV-000069 - Removed duplicate requirement.
Updated verbiage in Overview section 3.

Microsoft Edge - V2R4

Key Changes

EDGE-00-000001 - Changed example IP address in Fix.
EDGE-00-000036 - Added missing selection "4" to Check.
EDGE-00-000045 - Rule number updated due to changes in content management system.
EDGE-00-000068 - Corrected policy values in Check and Fix.
EDGE-00-000069 - Added new requirement to disable "ComposeInlineEnabled".

MS IE11 - V2R6

Key Changes

DTBI014-IE11 - Updated Discussion.
DTBI999-IE11 - Updated requirement to sunset STIG.

MS Office System 2016 - V2R5

Key Changes

DTOOffice999 - Added requirement to sunset STIG.

MS SQL Server 2022 - V1R3 (Instance) / V1R2 (Database)

Key Changes

Instance STIG V1R3:
SQLI-22-011800 - Removed SCHEMA_OBJECT_CHANGE_GROUP.
SQLI-22-019500 - Clarified that the MUST_CHANGE option is only specific to accounts managed by SQL Server.
Rule numbers updated throughout due to changes in content management system.
Database STIG V1R2:
SQLD-22-001200 - Updated script to exclude some results that should not be considered a finding.
SQLD-22-002900 - Updated script for case-sensitive collation.
SQLD-22-000300, SQLD-22-002000, SQLD-22-002600, SQLD-22-003200 - Rule number updated due to changes in content management system.

RHEL 8 - V2R6

Key Changes

RHEL-08-010015 - Added requirement to install crypto-policies.
RHEL-08-010020 - Updated crypto-policies implementation requirement.
RHEL-08-010270 - Added requirement to ensure cryptographic policy is not overridden.
RHEL-08-010275 - Added requirement to implement DOD-approved encryption in the bind package.
RHEL-08-010280 - Added IP tunnels crypto-policies requirement.
RHEL-08-010287 - Removed redundant SSH daemon crypto-policies requirement.
RHEL-08-010290, RHEL-08-010291 - Updated SSH server crypto-policies requirements.
RHEL-08-010293 - Removed OpenSSL encryption requirement as it is controlled by crypto-policies.
RHEL-08-010294 - Removed TLS encryption requirement as it is controlled by crypto-policies.
RHEL-08-010295, RHEL-08-040342 - Removed ssh key exchange algorithm requirement as it is controlled by crypto-policies.
RHEL-08-010296, RHEL-08-010297 - Updated SSH client crypto-policies requirements.
RHEL-08-010350 - Updated Rule Title to exclude "system account" ownership of system files.
RHEL-08-010572, RHEL-08-010580 - Added NA note for vfat file systems.
RHEL-08-010630, RHEL-08-010640, RHEL-08-010650 - Added NA statement to NFS related requirement.
RHEL-08-010660 - Removed conflicting requirement.
RHEL-08-010670 - Updated Check text command output to show "Inactive".
Rule numbers updated throughout due to changes in content management system.

RHEL 9 - V2R7

Key Changes

RHEL-09-211045 - Added dropfile locations to Check and Fix.
RHEL-09-211010 - Added release dates to Vulnerability Discussion and updated versioning in Check text.
RHEL-09-213095 - Updated kdump requirement to remove conflicting entries and added NA note.
RHEL-09-213080 - Updated to use a dropfile.
RHEL-09-213010, RHEL-09-213015, RHEL-09-213020, RHEL-09-213025, RHEL-09-213030, RHEL-09-213035, and 22 others - Removed extra command from Check and removed conflicting file locations from Fix.
RHEL-09-213040 - Added exception for postfix installation.
RHEL-09-214025 - Added finding statement.
RHEL-09-214030 - Updated discussion to address third-party software vendor results.
RHEL-09-215101 - Added exception for postfix installation.
RHEL-09-215045 - Added NA statement to Check.
RHEL-09-215060 - Added exemption for TFTP, if required, and updated Rule Title, Discussion, Check, and Fix.
RHEL-09-231105, RHEL-09-231200 - Added NA note for vfat file systems.
RHEL-09-231110 - Updated instructions for management of /dev/shm (nodev).

Previous Quarter Updates (Reference)

The following benchmarks were not updated in the January 2026 release. Their most recent DISA revision details are included for reference.

MS Azure SQL MI - V1R1 (23 September 2025)

Initial Release.

Active Directory Forest - V3R2 (02 July 2025)

AD.3145_AD - Updated Check.

MS DotNet Framework 4.0 - V2R7 (02 July 2025)

APPNET0061 - Changed check to explain 3.5 including 2.0 and 3.0.

MS Exchange 2019 - V2R3 (02 July 2025)

EX19-MB-000127 - Removed requirement.
EX19-MB-000158 - Rule number updated due to changes in content management system.

MS Azure SQL DB - V2R3 (02 July 2025)

ASQL-00-000200, ASQL-00-000300 - These requirements were reversed in development. Moved scripts to supplemental file.
Rule numbers updated throughout due to changes in content management system.

Google Chrome - V2R11 (02 July 2025)

DTBC-0055 - Updated settings and Discussion to allow a value of "4".
DTBC-0060, DTBC-0061 - Removed deprecated requirement.
DTBC-0075 - Added requirement to configure Create Themes with AI.
DTBC-0076 - Added requirement to configure DevTools Generative AI features.
DTBC-0077 - Added requirement to configure GenAI local foundational model.
DTBC-0078 - Added requirement to configure Help Me Write.
DTBC-0079 - Added requirement to configure AI-powered History Search.
DTBC-0080 - Added requirement to configure Tab Compare Settings.

MS Windows Server DNS - V2R3 (02 April 2025)

WDNS-22-000009 - Added NA statement: "This is not applicable on classified networks."
WDNS-22-000039, WDNS-22-000041 - Updated the fix text.
WDNS-22-000046 - Updated requirement. Added ipconfig /all to identify network adapter.
WDNS-22-000061, WDNS-22-000062, WDNS-22-000063 - Rule number updated due to changes in content management system.
WDNS-22-000090 - Added NA statement: "If using DNSSEC, this requirement is not applicable."

Juniper SRX SG - V3R3 (NDM/ALG) / V3R2 (VPN) (30 January 2025)

ALG STIG:
JUSX-AG-000145 - Updated Check Text.
NDM STIG:
JUSX-DM-000110 - Removed from STIG. Combined CCI with JUSX-DM-000111.
JUSX-DM-000111 - Updated Rule Title, Discussion, Check Text, and Fix Text. Added parent SRG ID and CCI.
JUSX-DM-000136 - Updated. Changed from CAT II to CAT I.
JUSX-DM-000147, JUSX-DM-000150 - Updated. Changed from CAT II to CAT I.
VPN STIG:
JUSX-VN-000005, JUSX-VN-000006, JUSX-VN-000023 - Updated Rule Title, Discussion, Check Text, and Fix Text.
JUSX-VN-000007 - Updated. Changed from CAT II to CAT I.
JUSX-VN-000020 - Removed requirement from STIG.
JUSX-VN-000022 - Updated. Changed from CAT III to CAT II.

Juniper Router - V3R2 (NDM/RTR) (30 January 2025)

JUNI-ND-000010 - Updated Check and Fix Text for CCI NIST SP 800-53 Rev. 5 DSPAV value.
JUNI-ND-000470, JUNI-ND-001340 - Updated the syntax of the requirement.
JUNI-RT-000280, JUNI-RT-000290, JUNI-RT-000380, JUNI-RT-000390 - Updated the syntax of the requirement.

MS Exchange 2016 - V2R6 (30 January 2025)

Updated Overview document to explain references to EDSP.
EX16-ED-000430 - Added exception to the Check Text.
Rule numbers updated throughout due to changes in content management system.

MS Windows Defender Firewall - V2R2 (09 November 2023)

Updated STIG title to "Microsoft Windows Defender Firewall with Advanced Security".
Updated all requirements to state Windows Defender Firewall with Advanced Security.

StigSanctum Script Updates

The following scripts were updated to align with revised DISA CheckContent procedures:

Local Administrator Password Age Check

Affected STIGs: WN19-00-000020, WN22-00-000020

Change: Updated scan to align with revised DISA check procedure targeting the built-in Administrator account by SID. Returns a finding if password exceeds 60 days. Handles disabled and missing accounts as Not A Finding.

SQL Schema Ownership Check

Affected STIGs: SQL6-D0-001200, SQLD-22-001200

Change: Updated to exclude standard database schema principals (dbo, db_owner, sys, INFORMATION_SCHEMA, etc.) per revised DISA guidance. Reduces false positives by only flagging non-standard schema ownership.

Additional DISA Changes Reviewed

The following DISA changes were reviewed and confirmed that existing StigSanctum scan logic already handles the updated requirements correctly. No scan updates were needed:

IIST-SI-000242 - SSO exception note (documentation clarification only)
SQL6-D0-002900 - System procedure exclusions (already included)
SQL6-D0-004600, SQL6-D0-011800 - Audit group changes (comprehensive coverage maintained)
SQLI-22-019500 - SQL login wording clarification only
WN11-00-000095 - Check text examples updated (scan logic unchanged)

Repository Improvements

Recent development activity and platform enhancements:

Network Device Scanning

Added Juniper EX, SRX, and Router STIG coverage
Added Cisco IOS, IOS-XE, and NX-OS STIG coverage
Automated scanning support for network infrastructure devices

Linux Scanning

Added scanning support for Linux systems
RHEL 8/9 and Ubuntu 22.04/24.04 STIG coverage

Azure SQL Enhancements

Added Azure SQL Database and Managed Instance scanning
Reporting templates and setup documentation

Platform Improvements

Security hardening across the platform
Improved credential handling for remote authentication

Upgrade Instructions

Upgrade Steps

Back up your StigSanctum database
Run the installer and select the Upgrade option
Update the StigSanctum PowerShell module on any remote scan servers
Verify scan results on test systems before production rollout

Breaking Changes

21 SQL Server 2016 StigIDs have been consolidated by DISA. Historical scan results referencing removed StigIDs will no longer have corresponding StigDetail records. Update any custom reports or queries that reference the removed StigIDs.

Support

For questions or issues related to this release:

Email: [email protected]
Release Notes: www.stigsanctum.com/release-notes.html