DISA STIG compliance explained
Security Technical Implementation Guides (STIGs) are configuration standards developed by the Defense Information Systems Agency (DISA). They are designed to make device hardware and software as secure as possible, safeguarding the Department of Defense (DoD) IT network and systems. Compliance with STIGs is a requirement for DoD agencies, or any organization that is a part of the DoD information networks (DoDIN). This includes defense contractors that connect to the DoD network or system.
There are hundreds of STIGs designed for specific software, routers, operating systems and devices. DoD agencies may use off-the-shelf IT products within their network and infrastructure and STIGs ensure these products are as secure as possible, in contrast to the default vendor configurations that may favor usability over security. Hardening the configuration of IT solutions helps to mitigate vulnerabilities and lower the risk of cybersecurity incidents. The creation of a STIG will also be key to gaining approval for a product to be used within the network. This guide explores DISA STIGs, what they consist of, and an overview of solutions that can help your organization achieve compliance.
What is a DISA STIG?
The Defense Information Systems Agency is part of the US Department of Defense. It is a support agency that focuses on maintaining the IT services and infrastructure of the DoDIN. DISA provides IT and communications systems to all parts of the defense network, whether for combat or non-combat operations. The DoD relies on its IT systems and networks to operate effectively. A major focus for DISA is making the DoD network secure and resilient against cybersecurity threats and possible risks. It achieves this aim by focusing on infrastructure and network security, and strengthening cybersecurity measures, including boundary defense and endpoint security.
Security Technical Implementation Guides (STIGs) are a principal way that DISA works to safeguard DoD network resilience and protect government information systems from cybersecurity threats and malicious attacks by strengthening baseline security configurations. STIGs provide security standards for a range of specific products and solutions, and consist of controls, requirements and policies for securing networks, software and devices that are part of the DoDIN.
What is STIG Security?
Security Technical Implementation Guides (STIGs) are a series of cybersecurity requirements for IT products deployed within DoD agencies. STIGs are the source of configuration guidance for network devices, software, databases and operating systems. The aim is to lower the risk of cybersecurity threats, breaches and intrusion by making the set-up of the network as secure as possible. Organizations that connect to DoD systems or networks must be STIG compliant. This applies to defense agencies, defense contractors that connect to DoD systems, and other federal agencies.
Topics for STIGs include:
- Cloud networks
- Mobile devices
- Operating systems
- Routers and servers
- Network devices
There have been hundreds of STIGs released to date, all covering a range of networks, operating systems, network devices and software. The guidance helps to seal off devices and software from outside influence or vulnerabilities, protecting the entire network. There are also guidelines for broader cybersecurity policies, such as user access.
Beyond products and software, STIGs can cover whole system architecture and configuration of many network elements together. Complex STIGs may include firewall, router, and server configurations. One system might require multiple overlapping STIGs to securely configure each element. STIGs are also designed for specific versions of devices, operating systems and software. Therefore, unique vulnerabilities may need to be considered with each iteration.
How are STIGs developed?
New and updated STIGs are released by DISA every quarter, though some may be released out of cycle in response to emerging threats and issues. Updates take into account vendor version changes, which may alter configuration requirements, and add controls to mitigate newly identified vulnerabilities. STIGs are developed either entirely by DISA, jointly with other government agencies and departments, or by the software or device vendors themselves. In the first case, internal specialists from DISA design and update STIGs to address emerging technologies or threats.
STIG compliance is needed for products or IT services to operate on DoD networks and systems. Each STIG assesses the product against DoD cybersecurity requirements. In many cases, DISA will work with the vendor to develop a STIG and ensure the product is compliant with DoD requirements. STIG controls favor security, which can reduce the functionality of software and applications. Vendor involvement in the development of a STIG helps strike a balance between functionality and security.
When an IT solution is superseded by a newer product or is no longer supported, the relevant guidance becomes a ‘sunset STIG’. This means DISA is no longer actively updating the STIG, though the guidance is still available for legacy tools and software. In 2020, DISA updated the systems that produce STIGs to provide increased flexibility for future developments. This has resulted in a modification to Group and Rule IDs (Vul and Subvul IDs). New and updated STIGs are now being published with the modified content.
DISA STIG requirements
There are hundreds of different STIGs, each setting requirements for a particular product, software version, or operating system. Collectively they cover mobile devices, operating systems, cloud networks, and applications. Requirements address every area of device or software configuration needed for secure integration, so that the security of the systems is maintained and breaches or other cybersecurity incidents are prevented.
Government systems will use a range of off-the-shelf software, servers, and network devices. STIG requirements make commercially available operating systems, devices and servers as secure as possible. Out-of-the box software, servers and devices need to be configured to lower the risk to the wider network. By setting minimum requirements when integrating a new system or IT product, DISA helps improve the resilience of government networks against attacks and outages.
Federal IT systems process and store highly sensitive information, and therefore a data breach or loss of service could have a direct impact on matters of national security. However, the default settings and configurations provided by product manufacturers generally will not meet the security requirements needed to safeguard DoD systems. STIG requirements strengthen the resilience of the system infrastructure as a whole, mitigating known vulnerabilities in software and networks.
What are the DISA STIG compliance levels?
The vulnerabilities mitigated by each STIG requirement carry different levels of potential threat. These range from vulnerabilities at immediate risk of significant exploitation to indirect risks that affect the general security of the system. Compliance with the controls addressing the highest-risk vulnerabilities is of utmost importance. Each control found within the STIG has a compliance level assigned to it, corresponding to the degree of risk from the vulnerability or threat it mitigates. There are three categories of severity, ranked on level of risk. These are known as Severity Category Codes (CAT), with CAT 1, CAT 2 and CAT 3 levels of risk. CAT 1 controls cover the most severe vulnerabilities and risks.
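In practice, the severity category is the axis along which audit results are triaged: a CAT 1 open finding is handled before any CAT 3 one, and a control that was never assessed is not the same as one that passed. The following added example (written for this article; it is not code from the page or from any vendor or DISA tool) shows that triage over a STIG checklist in XCCDF form. DISA benchmarks express severity on each `Rule` as `high`, `medium` or `low`, which map to CAT I, CAT II and CAT III respectively; the XML below is a constructed sample with placeholder `V-`/`SV-` identifiers, not a real STIG.

```python
"""Triage STIG XCCDF results by Severity Category Code (CAT). Added example."""
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF 1.1 namespace used by DISA STIG benchmarks
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
NS = {"x": XCCDF_NS}

# Rule 'severity' attribute -> DISA Severity Category Code
SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}
CAT_ORDER = {"CAT I": 0, "CAT II": 1, "CAT III": 2, "unrated": 3}

# XCCDF results that do not demonstrate compliance and need a human to look
NEEDS_REVIEW = {"notchecked", "unknown", "error", "informational"}

# Constructed sample benchmark with an embedded TestResult.
# The Group/Rule IDs follow the V-/SV- pattern but are placeholders, not real STIG IDs.
SAMPLE_XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}" id="EXAMPLE_STIG">
  <Group id="V-000001">
    <Rule id="SV-000001r1_rule" severity="high">
      <title>Placeholder: direct root login over SSH must be disabled</title>
    </Rule>
  </Group>
  <Group id="V-000002">
    <Rule id="SV-000002r1_rule" severity="medium">
      <title>Placeholder: audit records must be forwarded to a central log host</title>
    </Rule>
  </Group>
  <Group id="V-000003">
    <Rule id="SV-000003r1_rule" severity="low">
      <title>Placeholder: login banner must display the DoD notice</title>
    </Rule>
  </Group>
  <Group id="V-000004">
    <Rule id="SV-000004r1_rule">
      <title>Placeholder: rule with no severity attribute</title>
    </Rule>
  </Group>
  <TestResult id="xccdf_example_result">
    <rule-result idref="SV-000001r1_rule"><result>fail</result></rule-result>
    <rule-result idref="SV-000002r1_rule"><result>pass</result></rule-result>
    <rule-result idref="SV-000003r1_rule"><result>fail</result></rule-result>
    <rule-result idref="SV-000004r1_rule"><result>notchecked</result></rule-result>
  </TestResult>
</Benchmark>
"""


def severity_to_cat(severity):
    """Map an XCCDF severity value to a CAT code; a missing or unknown value is 'unrated'."""
    return SEVERITY_TO_CAT.get((severity or "").lower(), "unrated")


def load_rules(xml_text):
    """Return {rule_id: {"group": vul_id, "cat": ..., "title": ...}} from the benchmark."""
    root = ET.fromstring(xml_text)
    rules = {}
    for group in root.iterfind("x:Group", NS):
        for rule in group.iterfind("x:Rule", NS):
            title = rule.findtext("x:title", default="", namespaces=NS)
            rules[rule.get("id")] = {
                "group": group.get("id"),
                "cat": severity_to_cat(rule.get("severity")),
                "title": title.strip(),
            }
    return rules


def load_results(xml_text):
    """Return {rule_id: result} from the TestResult element(s) in the document."""
    root = ET.fromstring(xml_text)
    results = {}
    for rr in root.iterfind("x:TestResult/x:rule-result", NS):
        results[rr.get("idref")] = rr.findtext("x:result", default="unknown", namespaces=NS).strip()
    return results


def triage(xml_text):
    """Join rules to results: open findings ordered CAT I first, items needing review, and counts."""
    rules = load_rules(xml_text)
    results = load_results(xml_text)
    open_findings, review = [], []
    for rule_id, info in rules.items():
        result = results.get(rule_id, "notchecked")  # a rule with no result was never assessed
        entry = {"rule": rule_id, **info, "result": result}
        if result == "fail":
            open_findings.append(entry)
        elif result in NEEDS_REVIEW:
            review.append(entry)
    open_findings.sort(key=lambda e: (CAT_ORDER[e["cat"]], e["group"]))
    return {
        "open": open_findings,
        "review": review,
        "open_by_cat": Counter(e["cat"] for e in open_findings),
        "total_rules": len(rules),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_XCCDF)
    print(f"{report['total_rules']} rules, {len(report['open'])} open, {len(report['review'])} need review")
    for e in report["open"]:
        print(f"  {e['cat']:<7} {e['group']} {e['rule']}: {e['title']}")
```

Two choices in this code reflect how auditors read a checklist: a rule with no recorded result is treated as not checked rather than silently dropped, and a rule with no severity attribute is reported as unrated rather than defaulted to the lowest category, so it cannot slip past the CAT 1 review.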
CAT 1 STIG compliance level
CAT 2 STIG compliance level
CAT 3 STIG compliance level
How to implement DISA STIG
DISA STIGs are comprehensive technical guides that outline controls to counter security risks and known vulnerabilities. STIGs take the form of a checklist of configurations to help with implementation, but hundreds of controls can take up time and resources. The challenge comes from staying compliant as new versions are released, and the varying degree of input needed to meet each requirement. STIGs may include guidance on minimum levels of training for personnel, frequency of update, or configuration settings. Here are some tips on how best to implement a STIG, including where to find the guidance and what tools are available to save time and resources when assessing STIG implementation and compliance.
Finding STIGs to Implement
Assessing STIG Compliance
Use a test environment when implementing changes
Maintaining STIG Compliance
Tools for STIG compliance audits
With hundreds of different controls, STIG compliance audits can require significant resources to complete manually. Guidance is regularly updated, so keeping track of compliance adds to the drain on time and resources. Automated auditing tools that check against the latest STIG requirements can save valuable time. Titania has developed trusted solutions for automating STIG audits that reduce the resources required to achieve, evidence and maintain a secure and compliant environment.
Titania Nipper accurately detects vulnerabilities in routers, switches and firewalls and recommends exact fixes, helping teams save time when auditing STIG compliance. Get a free trial of Titania Nipper to see how it can save time and resources when auditing STIG compliance.