STIG 101: Who Can Use STIGs?

January 23, 2024

They aren’t just for the Department of Defense.

Extensive research. Seasoned knowledge. And a standardized approach. As it turns out, the federal government knows what it is doing when it comes to cybersecurity.

Security Technical Implementation Guides, or STIGs, are the product of years of research into threats, vulnerabilities and remediation. They are the configuration rules, processes and best practices that the most sensitive government agencies, such as the Department of Defense (DoD), follow to secure their systems. For the DoD and other government agencies they are mandated; for almost everyone else they are optional. Are they an option for you?

Where do STIGs fit in the government cybersecurity process?

The DoD uses STIGs as its mandatory configuration benchmarks. The Defense Information Systems Agency (DISA) developed them with defense networks and components in mind. They support the Risk Management Framework (RMF), the process defined by the National Institute of Standards and Technology (NIST) in SP 800-37 for categorizing a system, selecting and assessing its controls, authorizing it and monitoring it over its life. Within the DoD, STIG settings are how many of the NIST SP 800-53 controls selected under RMF are actually implemented and verified on a specific product.

Before an application, update or network component can go live on a DoD network, it needs an Authority to Operate (ATO). In practice that means every component has been assessed against the applicable STIGs, the findings have been remediated to the government's satisfaction or formally accepted (open items are tracked in a Plan of Action and Milestones, or POA&M), and the authorizing official has signed off on the residual risk. Now the government wants agencies to move to continuous ATO (cATO), replacing a one-time authorization with ongoing monitoring and re-validation, and to take an even more aggressive defensive posture. But is this level of RMF and ATO readiness overkill for the average commercial organization?

Can everyone use STIGs?

Among the more than 10,000 individual checks that STIGs cover across operating systems, network devices, applications and mobile platforms, you'll find the same Windows weaknesses any network has. The same router weaknesses. The same iPad weaknesses. Default settings ensure these technologies work out of the box, but they leave weaknesses behind: unnecessary services, permissive authentication options, logging turned off. A home user may accept that risk; an organization holding valuable data should not. STIGs tell you where to look and what to harden in your systems and applications to reduce your attack surface and keep bad actors out.
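To make "where to look" concrete: DISA distributes each STIG as an XCCDF XML benchmark in which every check is a Rule carrying a severity (high, medium, low, which DISA reports as CAT I, II and III), a STIG ID and fix text. The script below is an added example, not code from this article or from any SteelCloud product. It enumerates the rules in a benchmark, totals them by category, and, given checklist results in the status vocabulary DISA's STIG Viewer uses, lists what is still open with CAT I first, which is the list an authorizing official or POA&M owner actually wants. The benchmark fragment and the results dictionary are constructed for illustration; the rule IDs and titles are made up, and only the XCCDF 1.1 namespace and element layout are real.

```python
"""Enumerate STIG rules from an XCCDF benchmark and list open findings by category.

Added example, not part of the original article or any vendor tool. The sample
benchmark below is a constructed stand-in for a DISA STIG: same XCCDF 1.1 layout
(Benchmark > Group > Rule), but the rule IDs, STIG IDs and titles are invented.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample benchmark. The namespace is the real XCCDF 1.1 one that DISA
# STIGs use; everything else is illustrative.
SAMPLE_XCCDF = """<?xml version="1.0" encoding="utf-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="Example_STIG">
  <title>Example Operating System STIG (constructed)</title>
  <Group id="V-000001">
    <title>SRG-OS-000000</title>
    <Rule id="SV-000001r1_rule" severity="high" weight="10.0">
      <version>EX-00-000001</version>
      <title>Example: a legacy network protocol must be disabled.</title>
      <fixtext>Disable the legacy protocol in the system configuration.</fixtext>
    </Rule>
  </Group>
  <Group id="V-000002">
    <title>SRG-OS-000000</title>
    <Rule id="SV-000002r1_rule" severity="medium" weight="10.0">
      <version>EX-00-000002</version>
      <title>Example: audit logging must be enabled.</title>
      <fixtext>Enable audit logging.</fixtext>
    </Rule>
  </Group>
  <Group id="V-000003">
    <title>SRG-OS-000000</title>
    <Rule id="SV-000003r1_rule" severity="low" weight="10.0">
      <version>EX-00-000003</version>
      <title>Example: a login banner must be configured.</title>
      <fixtext>Configure the login banner.</fixtext>
    </Rule>
  </Group>
</Benchmark>
"""

# XCCDF carries severity as high/medium/low; DISA reports it as CAT I/II/III.
CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}
CAT_ORDER = {"CAT I": 0, "CAT II": 1, "CAT III": 2}

# Checklist statuses as written by DISA STIG Viewer; anything else counts as open.
CLOSED_STATUSES = {"NotAFinding", "Not_Applicable"}


def _local(tag):
    """Strip the XML namespace so the code handles XCCDF 1.1 and 1.2 alike."""
    return tag.rsplit("}", 1)[-1]


def load_rules(xccdf_text):
    """Return one dict per Rule: group (V-number), rule_id, stig_id, severity, cat, title, fix."""
    root = ET.fromstring(xccdf_text)
    rules = []
    for group in root.iter():          # iter() also descends into nested Groups
        if _local(group.tag) != "Group":
            continue
        for rule in group:
            if _local(rule.tag) != "Rule":
                continue
            fields = {_local(child.tag): (child.text or "").strip() for child in rule}
            severity = rule.get("severity", "unknown")
            rules.append({
                "group": group.get("id"),
                "rule_id": rule.get("id"),
                "stig_id": fields.get("version", ""),
                "severity": severity,
                "cat": CAT.get(severity, "unknown"),
                "title": fields.get("title", ""),
                "fix": fields.get("fixtext", ""),
            })
    return rules


def severity_counts(rules):
    """Count rules per category, e.g. Counter({'CAT I': 1, 'CAT II': 1, 'CAT III': 1})."""
    return Counter(rule["cat"] for rule in rules)


def open_findings(rules, results):
    """results maps group id (V-number) to a checklist status. Rules with no recorded
    status are treated as Not_Reviewed and therefore still open. CAT I sorts first."""
    still_open = [r for r in rules
                  if results.get(r["group"], "Not_Reviewed") not in CLOSED_STATUSES]
    return sorted(still_open, key=lambda r: CAT_ORDER.get(r["cat"], 3))


if __name__ == "__main__":
    rules = load_rules(SAMPLE_XCCDF)
    print("rules by category:", dict(severity_counts(rules)))
    # Constructed checklist: only the CAT II item has been fixed so far.
    results = {"V-000002": "NotAFinding"}
    for finding in open_findings(rules, results):
        print(finding["cat"], finding["group"], finding["stig_id"], finding["title"])
```

Run it against a real DISA benchmark by replacing SAMPLE_XCCDF with the contents of the downloaded XCCDF file; the element names and severity attribute are the same. The sort order matters in practice: CAT I items are the ones an authorizing official will not sign off with open, so they belong at the top of any remediation queue.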

If you do business with the federal government, STIGs may be contractually mandated. The RMF and ATO processes that STIGs support are vital to protecting the supply chain, so it is no surprise that organizations outside the DoD, and even outside government contracting, are adopting STIGs voluntarily as their benchmarks. They do the work, and they close off the misconfigurations that attackers routinely exploit. But there is another option that delivers similar results.

The Center for Internet Security (CIS) publishes its own Benchmarks, developed by consensus among practitioners and mapped to the same NIST SP 800-53 controls that STIGs implement. They cover many of the same products and suit multiple industries. CIS Benchmark compliance is the North Star many organizations follow because, while the benchmarks differ from STIGs in detail, they are similar in substance and take less effort to implement. Both CIS Benchmarks and STIGs are free to download.

Who implements STIGs?

This differs from one organization to the next. System administrators and information assurance professionals do most of the work, but in a smaller organization it may fall to whoever deploys the software.

The bigger question is whether they are capable. Outside of government, which has cornered the market on expensive and scarce STIG experts, the answer is "maybe". There is a serious shortage of qualified professionals in the marketplace, and, depending on the complexity of your network, it can take an entire team working full time, year-round, to complete the work and keep it current.

How do organizations find the bandwidth to implement STIGs?

So we have a vital process that must be completed and a shortage of qualified hands to do the work. That is why so many agencies and organizations have turned to automation to reach STIG or CIS compliance. SteelCloud's ConfigOS, for example, reduces weeks and months of manual work to just an hour. With the help of automation, STIG and CIS compliance is within reach even for the smallest IT teams.

To learn more about STIGs, download our free STIGs for Dummies eBook. Or if you want us to blow your mind with how you can secure your system to the highest standards, faster and with fewer errors, schedule a demo with us.
