Cygilant Blog

DISA STIG Demystified

Posted by Security Steve on Jan 26, 2015


STIG defined:

> “The Security Technical Implementation Guides (STIGs) and the NSA Guides are the configuration standards for Department of Defense (DOD) IA and IA-enabled devices/systems. The STIGs contain technical guidance to "lock down" information systems/software that might otherwise be vulnerable to a malicious computer attack. These requirements encompass two areas – policy requirements for security programs and best practices for Information Assurance (IA)-enabled applications.”
>
> Information Assurance Support Environment


Ok, so really, what exactly is a STIG?


Basically, STIGs are nothing more than alternate configurations that make commonly used applications more secure. All DoD IT assets must meet STIG compliance in some fashion before they are allowed to operate on DoD networks. The purpose of STIGs is obvious: default configurations for many applications are inadequate in terms of security, so the Defense Information Systems Agency (DISA) developed a security standard for these applications that lets the various DoD agencies apply the same standard, the STIG, to every instance of an application they run. Continuous audits using automated tools are routinely conducted and reported back to DISA Field Security Operations (FSO) to assess compliance and security posture.


STIGs exist for many variations of software packages such as operating systems, database applications, open source software, network devices, wireless devices, virtualization software, and a growing list that now includes mobile operating systems.

Now that I know what a STIG is, how do I ensure that I’m compliant with these continuous monitoring requirements?


Well, much time is spent doing manual checks of devices to help ensure that they’re configured in accordance with the DISA STIGs. That’s a time-consuming and definitely error-prone process. And this is where EIQ can help.


SecureVue includes the ability to validate DISA STIG and USGCB compliance checks against switches, firewalls, applications (Oracle/SQL), RHEL, Solaris, and of course Windows systems. This automated compliance auditing drastically reduces the overhead associated with compliance checks, while providing a continuous view of compliance across your enterprise.


We’re proud to say that Federal DoD customers have identified that SecureVue’s prescriptive configuration assessment capabilities have saved up to 90% on DISA STIG compliance.

Tags: Compliance, DISA STIG
