Checklist Summary:

The Microsoft SQL Server 2022 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DOD) information systems. The Microsoft SQL Server 2022 STIG is published as two documents, one covering individual databases and the other addressing the database management system (DBMS) instance. The STIG provides the technical security requirements and implementation details for applying security concepts to Microsoft SQL Server 2022. This SQL Server 2022 STIG contains the following STIGs: • Microsoft SQL Server 2022 Instance STIG. • Microsoft SQL Server 2022 Database STIG. This document is meant to be used in conjunction with the Windows (Operating System) STIG, Network STIGs, and other STIGs as applicable to the database host environment. It is based on the Database Security Requirements Guide (SRG), which in turn derives its cybersecurity controls from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53. In the Microsoft SQL Server domain, a “database” (often abbreviated as DB) is a logical collection of data stored in files and managed not by the operating system alone but by the DBMS. Multiple databases may exist under one DBMS instance. At least four system databases always support an instance, and usually one database (possibly more) supports an application. In the Microsoft SQL Server domain, an “instance” is an installed, operational copy of the DBMS software. Although multiple SQL Server instances can coexist on a Windows server, it is customary in a production environment for a single instance to be deployed on a dedicated server. Microsoft SQL Server is a relational database management system (RDBMS). Applications and tools connect to a SQL Server instance or database and communicate using Transact-SQL (T-SQL). This STIG requires that the product be deployed on a FIPS-compliant, cryptography-enabled operating system found in the Cryptographic Module Validation Program or by other means ensure that the DPMS uses FIPS 140-2 or FIPS 140-3 certified OpenSSL libraries.

Checklist Role:

• Database Management System

Known Issues:

Not provided.

Target Audience:

Parties within the DOD and federal government’s computing environments can obtain the applicable STIG from the DOD Cyber Exchange website at https://cyber.mil/. This site contains the latest copies of STIGs, SRGs, and other related security information. Those without a Common Access Card (CAC) that has DOD Certificates can obtain the STIG from https://public.cyber.mil/.

Target Operational Environment:

• Managed
• Specialized Security-Limited Functionality (SSLF)

Testing Information:

Not provided.

Regulatory Compliance:

This document is provided under the authority of DoDI 8500.01.

Comments/Warnings/Miscellaneous:

Not provided.

Disclaimer:

Not provided.

Product Support:

Comments or proposed revisions to this document should be sent via email to the following address: [email protected]. DISA will coordinate all change requests with the relevant DOD organizations before inclusion in this document. Approved changes will be made in accordance with the DISA maintenance release schedule.

Point of Contact:

[email protected]

Sponsor:

Not provided.

Licensing:

Not provided.

Change History:

Created New Checklist - 07/21/2025

Dependency/Requirements:

URL	Description

References:

Reference URL	Description

NIST checklist record last modified on 07/21/2025