Security Hacking Stories

Vendor-Generated STIGs Help DISA Accelerate New Technology Adoption

New technologies are introduced all the time, and every product vendor touts the advantages of its new products. But ensuring it’s safe to connect those new systems to secure military networks can be a dicey proposition.

That’s why the Defense Information Systems Agency issues STIGs – Security Technical Implementation Guides – for high-demand information technology products.

“A Security Technical Implementation Guide is a set of secure operationally configurable settings based on NIST 800-53 controls,” says Roger Greenwell, DISA’s director of Cybersecurity and its authorizing official for systems and applications used within the agency. “If a user has a STIG for a specific product, they have a guide to configure that product in a secure manner.”

STIGs do not represent DISA’s stamp of approval or official endorsement; rather, they are instructions for safe use. Greenwell emphasizes that it’s up to individual users to determine whether the product has utility or value in a given application. A STIG guides installers and reviewers on the most secure implementation of a given product, so it might restrict certain services or capabilities, detail authentication requirements, or identify features that must be limited to administrators. Exactly what’s in the STIG depends on what the product itself actually does.

DISA issues only about 35-40 STIGs each year, far fewer than the number of products introduced to the market. But the agency no longer develops every STIG itself. Instead, there are now three ways to develop a STIG – a major step toward speeding up the process of getting approved guides for emerging technology products.

“We use three different methods now,” Greenwell said. “We can internally develop the STIG, do the research ourselves and write the STIG – how we started many years ago. We have a consensus effort [where] DISA partners with other entities, to include the vendor, in terms of working through what those requirements should be. Or we have Vendor-developed STIGs.”


More of the story is available here: Vendor Generated STIGs