
Mozilla Firefox STIG Version 6, Release 2 Checklist Details (Checklist Revisions)

Checklist Highlights

Checklist Name:
Mozilla Firefox STIG
Checklist ID:
Version 6, Release 2
Review Status:
Governmental Authority: Defense Information Systems Agency
Original Publication Date:

Checklist Summary:

This Mozilla Firefox Technology Overview provides the technical security policies, requirements, and implementation details for applying security concepts to Commercial-Off-The-Shelf (COTS) applications. The nearly universal presence of systems on the desktops of all levels of staff provides tremendous opportunities for office automation, communication, data sharing, and collaboration. Unfortunately, this presence also brings about dependence and vulnerabilities. Malicious and mischievous forces have attempted to take advantage of the vulnerabilities and dependencies to disrupt the work processes of the Government. Compounding this problem is the fact that the vendors of software applications have not expended sufficient effort to provide strong security in their applications. Where applications do offer security options, the default settings typically do not provide a strong security posture.

Checklist Role:

  • Web Browser

Known Issues:

Not provided.

Target Audience:

The requirements and recommendations set forth in this document will assist IAOs and Information Assurance Managers (IAMs) in protecting desktop applications in DoD locations, hereafter referred to as sites. The responsible Configuration Control Board (CCB) will approve revisions to site systems that could have a security impact. Therefore, before implementing desktop application security measures, the IAO or IAM will submit a change notice to the CCB for review and approval.

Target Operational Environment:

  • Managed
  • Specialized Security-Limited Functionality (SSLF)

Testing Information:

Although there are a few different operating system platforms for desktop environments, this document addresses applications running on Microsoft Windows platforms. This document does not include specific guidance for UNIX or Linux or Apple desktop environments at this time. The security requirements detailed in this document apply to applications installed on Microsoft Windows Server platforms as well as Microsoft Windows Workstation platforms. On server platforms, the security configuration parameters will be set to at least as restrictive values as those listed in this document. It must be noted that the guidelines specified should be evaluated in a local, representative test environment before implementation within large user populations. The extensive variety of environments makes it impossible to test these guidelines for all potential software configurations. For some environments, failure to test before implementation may lead to a loss of required functionality.

Regulatory Compliance:

DoD Directive (DoDD) 8500.1


NOTE - Resource fails validation for XCCDF 1.1.4 content. Workaround - Edit the XCCDF file and change the ID element within the XML, replacing the " " (space values) with an "_" (underscore). Example: id="Mozilla Firefox STIG" would become id="Mozilla_Firefox_STIG".


It should be noted that Field Security Operations (FSO) support for the STIGs, Checklists, and Tools is only available to DoD customers. Comments or proposed revisions to this document should be sent via e-mail to disa.stig_spt@mail.mil. DISA FSO will coordinate all change requests with the relevant DoD organizations before inclusion in this document.

Product Support:

Comments or proposed revisions to this document should be sent via e-mail to disa.stig_spt@mail.mil

Point of Contact:

Comments or proposed revisions to this document should be sent via e-mail to disa.stig_spt@mail.mil




DoD has clarified policy on the use of open source software (OSS) to take advantage of the capabilities available in the Open Source community as long as certain prerequisites are met. DoD no longer requires that operating system software be obtained through a valid vendor channel and have a formal support path, if the source code for the operating system is publicly available for review.

From the DoD Chief Information Officer (CIO) memo, Open Source Software (OSS) in Department of Defense (DoD), 28 May 2003: DoD Components acquiring, using or developing OSS must ensure that the OSS complies with the same DoD policies that govern Commercial off the Shelf (COTS) and Government off the Shelf (GOTS) software. This includes, but is not limited to, the requirements that all information assurance (IA) or IA-enabled IT hardware, firmware and software components or products incorporated into DoD information systems whether acquired or originated within DoD: Comply with the evaluation and validation requirements of National Security Telecommunications and Information Systems Security Policy Number 11 and be configured in accordance with DoD approved security and configuration guidelines at http://iase.disa.mil/ and http://www.nsa.gov/

OSS takes several forms and may be acceptable or unacceptable depending on the form:

  1. A utility that has publicly available source code is acceptable.
  2. A commercial product that incorporates OSS is acceptable because the commercial vendor provides a warranty.
  3. Vendor supported OSS is acceptable.
  4. A utility that comes compiled and has no warranty is not acceptable.

The DoDD 8500.1 states: Public domain software products, and other software products with limited or no warranty, such as those commonly known as freeware or shareware, shall only be used in DoD information systems to meet compelling operational requirements. Such products shall be thoroughly assessed for risk and accepted for use by the responsible DAA.

Change History:

Version 4, Release 12 - 03 August 2015
Changed status from "Under Review" to "Final" - 03 June 2015
Version 4, Release 10 - 25 July 2014
Version 4, Release 9 - 25 April 2014
Version 4, Release 8 - 24 January 2014
Version 4, Release 7 - 24 July 2013
Version 4, Release 6 - 26 April 2013
Version 4, Release 5 - 26 October 2012
Version 4, Release 4 - 27 April 2012
Version 4, Release 3 - 29 July 2011
Version 4, Release 2 - 23 April 2010
Version 4, Release 1 - 09 December 2010
Updated "Point of Contact", "Product Support" and "Comments" Sections - 08 January 2015
Changed status from "under review" to "final" - 11 September 2015
Version 4, Release 13 - 28 October 2015
Changed status from "Under Review" to "Final" - 04 December 2015
Version 4, Release 14 - 29 January 2016
3/8/2016 - Promote to Final
UPDATED - Mozilla Firefox STIG - Version 4, Release 15 - 07/22/2016
Updated to FINAL - 09/12/2016
Updated STIG to V4, R16 - 10-28-2016
updated to FINAL - 12/07/2016
Updated to Version 4, Release 17 - 01/27/2017
Updated to FINAL - 03/08/2017
updated to Version 4, Release 18 - 04/28/2017
Updated to FINAL - 05/30/2017
Updated URL to reflect change to the DISA website - http --> https
updated to v4,r20 - 02/16/2018
Updated to FINAL - 3/18/2018
updated to Version 4, Release 21 - 4/25/18
Update to FINAL - 5/25/18
Updated to v4,r22 - 8/22/18
Updated "Comments/Warnings/Miscellaneous" under the General Tab - 8/22/18
Updated to FINAL - 9/24/18
Updated to Version 4, Release 23 - 10/25/18
Updated to FINAL - 11/26/18
updated to Version 4, Release 24- 1/22/19
Updated to FINAL - 2/19/19
updated to Ver 4, Rel 25 - 4/30/19
Updated URLs - 6/12/19
Updated Benchmarks - 6/26/19
Updated URLs - 8/9/19
updated URLs - 11/1/19
updated resource title - 11/6/19
updated URLs per DISA - 1/21/2020
corrected resource - 1/22/2020
updated benchmark - 4/24/2020
updated URLs - 8/3/2020
Updated resources per DISA - 1/26/2021
added SCC links per DISA guidance - 4/20/2021
updated links per DISA - 5/12/2021
Updated resources per DISA - 5/25/21
updated URLs - 7/28/2021
Updated SCC per DISA - 9/16/21
updated URLs - 12/15/2021
updated SCAP resources - 4/8/2022
removed draft content - 4/8/2022
Updated resource per DISA - 4/24/22
Added GPO per DISA - 5/29/22
Updated resource per DISA - 6/13/22
Updated SCC per DISA - 6/14/22
Updated SCC per DISA - 6/15/22
Updated resource per DISA - 8/1/22



NIST checklist record last modified on 08/06/2022