Security Technical Implementation Guides 101: The Basics
What are Security Technical Implementation Guides?
As we speak, there are as many as 10,000 vulnerabilities in your system that, if not secured, could be a gateway to phishing, hacking or malware. This is why the Defense Information Systems Agency (DISA) created Security Technical Implementation Guides (STIGs). Security Technical Implementation Guides encompass a standardized and customizable set of rules for installing, supporting, running, and securing systems in the government against cyberattack. Security Technical Implementation Guides are critical to protecting our most sensitive data. They are updated quarterly with known and emerging vulnerabilities in mind. Throughout the DoD and other agencies—such as TSA and the DoJ—they are a mandated part of securing and maintaining systems and devices.
How did Security Technical Implementation Guides come about?
Security Technical Implementation Guides are created and maintained by DISA, an agency of the DoD. A government study was conducted to determine whether government systems were being implemented securely and if there was consistency across agencies. The result of the study was a recognized need to create rules, identify best practices and provide guidance around the technical aspects of organizing, delivering, and managing defense-related information. This encompasses not just rules around system implementation and maintenance, but also the human behaviors that frequently result in breaches. Those rules, also known as controls, are what make up the Security Technical Implementation Guides that we call STIGs.
What all gets STIGged in a system?
As you can imagine, commercial applications are not created to align with internal DoD mandates. The operating systems, routers, printers, apps—the elements that make up modern systems—all need to go through the Security Technical Implementation Guide process before they are secure enough to be used in government systems. DISA lists over 10,000 controls that need to be STIGged to meet mandates. Then, 90 days later, you need to do it again when updates come out. Whether you are a small network managed by just one expert or a larger organization with a team of dozens, it is an overwhelming effort. There are not enough experts in the workforce to do the work easily and efficiently. But STIGs are a vital factor in our nation’s cybersecurity. And, mandated or not, government or not, organizations look to Security Technical Implementation Guides as the gold standard. This level of security is becoming more accessible, both inside the government and out, with the help of automation solutions that do the work in hours, not weeks and months.
Are Security Technical Implementation Guides right for me?
Security Technical Implementation Guides are both incredibly important and incredibly intricate. On the one hand, they are a lot of work. On the other, they are very effective in keeping data secure. To learn more about what Security Technical Implementation Guides can do for your cybersecurity, download SteelCloud’s STIGs For Dummies eBook, a definitive guide from the minds of SteelCloud’s most seasoned subject matter experts. Then, if you want to see how to make short work of a long process, schedule a demo of our STIG automation solution, ConfigOS.
