DISA Security Technical Implementation Guides

STIG Reference

Official DISA STIG checklists for system hardening and security compliance. Browse CAT I, II, and III findings with check procedures and remediation guidance.

8 Benchmarks

1,466 Total Rules

125 CAT I Findings

Browser

Google Chrome Release: 11 Benchmark Date: 02 Jul 2025

Google Chrome

0 CAT I 44 CAT II 2 CAT III 46 rules

Directory Services

Active Directory Domain Release: 6 Benchmark Date: 05 Jan 2026

Active Directory Domain

5 CAT I 27 CAT II 4 CAT III 36 rules

Endpoint Security

Microsoft Defender Antivirus Release: 7 Benchmark Date: 05 Jan 2026

Microsoft Defender Antivirus

4 CAT I 63 CAT II 0 CAT III 67 rules

Operating System

Windows Server 2022 Release: 7 Benchmark Date: 05 Jan 2026

Windows Server 2022

31 CAT I 240 CAT II 12 CAT III 283 rules

Windows Server 2019 Release: 7 Benchmark Date: 05 Jan 2026

Windows Server 2019

34 CAT I 235 CAT II 14 CAT III 283 rules

Windows 11 Release: 6 Benchmark Date: 05 Jan 2026

Windows 11

27 CAT I 219 CAT II 17 CAT III 263 rules

Red Hat Enterprise Linux 9 Release: 7 Benchmark Date: 05 Jan 2026

Red Hat Enterprise Linux 9

20 CAT I 411 CAT II 15 CAT III 446 rules

Web Server

Microsoft IIS 10.0 Release: 6 Benchmark Date: 05 Jan 2026

Microsoft IIS 10.0

4 CAT I 36 CAT II 2 CAT III 42 rules

Severity Categories

CAT I High Severity

Any vulnerability that could directly and immediately result in loss of Confidentiality, Integrity, or Availability. These are open findings — remediate immediately.

CAT II Medium Severity

Any vulnerability that could potentially result in loss of CIA. The majority of STIG findings fall in this category and must be addressed within 30 days.

CAT III Low Severity

Any vulnerability that could degrade measures protecting CIA. These are best-practice hardening items addressed within 90 days or during scheduled maintenance.