I was recently asked about STIG’ing a database server running SQL Server 2016. I checked DISA’s website and, to my surprise, they have not yet released an official STIG checklist for SQL Server 2016. The latest edition they have a STIG for is SQL Server 2014.
In fact, if you go to their website’s “master list“, and scroll down to “Microsoft SQL Server 2016 FAQ“, the link will direct you to the following FAQ page (image below):
So there you have it. Until DISA releases their official SQL Server 2016 STIGs, you can use the current SQL Server 2014 STIGs to harden SQL Server 2016.