STIGs, otherwise known as ‘Security Technical Implementation Guides’, are published by DISA (the Defense Information Systems Agency) and must be adhered to by any organization that connects to the networks of the US Department of Defense (DoD).
DISA is responsible for maintaining security standards for computer systems and networks which, for any reason, connect to the DoD. STIGs are usually published quarterly, and their purpose is to ensure that all connecting organizations remain fully up-to-date and compliant. However, they can be updated at any time if a major threat or new bug has been discovered, and it is the responsibility of the connecting organization to ensure compliance.
The DoD’s security needs are far higher than those of manufacturers, who are typically focussed on ease of use. This means connecting organizations need a robust approach to checking and updating their networks’ security: a system deemed secure one month may be vulnerable by the next.
This is where automated configuration auditing tools such as Titania’s Nipper can be extremely useful. Not only does it save time and money by automating audits and keeping compliance with the current STIGs up to date, it also provides all of the reporting necessary for an audit trail that proves compliance.