STIG 101: How Do STIGs Work?
And why do STIGs break things?
There is one truth that everyone who has ever touched a Security Technical Implementation Guide (STIG) knows: STIGs break things. Systems, apps, and devices that work perfectly well in an unsecured environment “break” when STIGs are applied.
There are two sides to this truth. Fixing things that STIGs broke makes the work of compliance more difficult. But you also know that, when things break, it’s because there is a vulnerability that can lead to a breach. And you’re finding that vulnerability before the bad guys have a chance to exploit it.
Why do things break?
From Windows operating systems to Symantec antivirus software, the government largely uses commercial solutions. But, because they are made for the masses, those applications and devices are not developed or tested in a STIG environment. So once an application environment is hardened or secured to STIG specifications, the application won’t run or install properly. In this way, it “breaks”. It doesn’t matter whether it’s new software or a legacy application: STIGs will break it.
Implementing STIGs requires you to change application controls or block capabilities the app needs in order to operate. There are no generic rules that can be applied across all applications all the time. So, system administrators and information assurance experts have to address these issues on a one-by-one, case-by-case basis.
How do you fix the breaks?
Breaking sounds like a bad thing, but it’s not entirely. When apps break, you have an opportunity to make them stronger. Breakages are the proof that STIGs are finding vulnerabilities, and you need to create policies to address those vulnerabilities. After all, that is the point of cybersecurity.
But fixing these breaks takes time and expertise, and nobody has enough of either. That is why compliance automation is making big news in the industry. The right automation solution can save 90% of the effort it takes to scan and remediate STIG policy across a network, and by “remediate” we mean fix all those breaks. It can ease the strain of today’s cyber workforce challenges. And it can get new applications and updates online faster, ensuring you always have the best, most secure technology at hand.
Are STIGs here to stay?
STIGs are a way of life in government agencies, as well as in many of the organizations that serve them. And because it’s a way of life, you have to make it livable. With over 10,000 system controls, unique policies for every solution and updates every 90 days, STIG compliance is becoming harder and harder to do by manual means alone.
Download our STIGs for Dummies eBook for more of our expertise around STIGs, how to implement them, and all the acronyms you need to know to achieve ATO. SteelCloud is the leading provider of STIG compliance automation solutions to the DoD, as well as other government agencies and the organizations that serve them.