By Brian Walker
As SteelCloud’s Director of Product Management and Customer Support, I field daily inquiries from our clients related to Security Technical Implementation Guides (STIGs). My 3 tips for tackling STIGs will help reduce the complexity around the topic of STIGs, which are filled with many fine details and continually changing requirements. Whether you address the STIG process manually or automate the process of hardening systems according to government guidelines using our ConfigOS software, there are tips and tools you can use to simplify your efforts.
We’ve compiled a list of the most valuable STIG resources we share with our clients to ease and inform their processes as they address STIG compliance in their organization. You’ll want to bookmark these links as you move forward with your own efforts.
Tip 1: Locate an authoritative source.
When first researching the STIG and familiarizing yourself with the latest requirements, be sure to check the source material directly. You should avoid the many sites out there that maintain incomplete and outdated STIG lists. We recommend going straight to the source. DISA currently authorizes and publishes STIG content and is considered the authoritative and most up-to-date source on the subject. Access their guidelines here: https://public.cyber.mil/stigs/downloads/
Tip 2: Make a list of items inside your infrastructure.
It is important to determine which STIGs you will need to address in your system. There are several valuable tools provided by the government to help you. The first is the Cyber Security Evaluation Tool (CSET®), which provides a wizard to guide you not only through the STIG process, but through the greater RMF process as well. You can access it here: https://us-cert.cisa.gov/ics/Downloading-and-Installing-CSET
The second tool you should consider is published by DISA—the Security Requirements Guides (SRG)/STIG Applicability Guide and Collection Tool. This tool will guide you through the process as it relates strictly to STIG. Find it here: https://public.cyber.mil/stigs/srg-stig-tools/
Tip 3: Download the STIG Viewer.
The STIG Viewer will help you as you select and mitigate findings found in the STIGs themselves. This handy resource is a must for your toolbox: https://public.cyber.mil/stigs/srg-stig-tools/
All these tools are available freely from government sources and should become a regular part of your STIG toolbox. With so many unreliable sources out there with STIG information, you’ll want to make sure that the tools you use are created and endorsed by DISA.
For more insight on STIGs, SteelCloud recently published a STIGs for Dummies eBook that provides additional resources to leverage. Here’s a link to download it today: https://www.steelcloud.com/stigsfordummies/
Good luck on your journey. And if you ever have any questions about ConfigOS or the STIG process, you know where to find me.
About the author:
Brian Walker has spent most of his 13-year career in management and customer service, building one of the best customer service experiences in the industry for SteelCloud. He holds bachelor’s degrees in both computer science and history with a concentration in pre-law, giving him the perfect foundation for working in automation and government compliance. You can reach him at firstname.lastname@example.org.