“What are STIGs?”(And everything else you’ve always wanted to know about DISA STIGs but were afraid to ask)

August 30, 2024


Across the operating systems, network devices and applications in a typical enterprise, DISA's STIGs cover more than 10,000 individual configuration checks, and any one of them left unaddressed can be the foothold for phishing, intrusion or malware. This is why the Defense Information Systems Agency (DISA) created STIGs. Over the years, we have answered a lot of questions as government agencies address STIG mandates, so we thought we would share the most common ones. Between this article and the eBook linked below, you will learn the most important aspects of STIGs and STIG compliance.

What does STIG stand for?

STIG stands for Security Technical Implementation Guide. A STIG is a standardized, technology-specific set of configuration rules for installing, supporting, running and securing government systems against cyberattack.

STIGs are critical to protecting our most sensitive data. Throughout the DoD and other agencies—such as TSA and the DOJ—STIG compliance is a mandated part of securing and maintaining systems and devices.

What is STIG Compliance?

DISA recognized the need to create rules, identify best practices, and provide guidance around the technical aspects of organizing, delivering, and managing defense-related information.

STIG compliance encompasses not just rules around system implementation and maintenance, but also the human behaviors that frequently result in breaches. Those rules, also known as controls, are what make up the Security Technical Implementation Guides that we call STIGs. Each rule tells you what to check, how to check it and how to fix it if the check fails.

What all gets STIGged in a system?

Commercial products are not built to align with internal DoD mandates. The operating systems, routers, printers and applications that make up modern systems all need to go through the STIG process before they are considered secure enough for use in government systems.

DISA publishes more than 10,000 controls that need to be checked and remediated to meet the mandates. STIGs are reissued on a quarterly cycle, so roughly every 90 days updated checks have to be reviewed and applied again.

Whether you are a small network managed by just one expert or a larger organization with a team of dozens, it is an overwhelming effort. There are not enough experts in the workforce to do the work easily and efficiently.

The good news is that this level of security is becoming more accessible – both inside the government and out – with the help of STIG automation solutions that relieve the burden on your workforce and do the work in hours, not weeks or months.

Where do STIGS fit in the government cybersecurity process?

DISA STIGs were developed with defense networks and components in mind. Not surprisingly, the DoD uses STIGs as its mandated configuration benchmarks.

STIGs support the Risk Management Framework (RMF), the process defined by the National Institute of Standards and Technology (NIST) for categorizing systems and selecting, implementing, assessing, authorizing and continuously monitoring their security controls. Each STIG check maps to the NIST SP 800-53 controls the RMF requires, which is how a configuration setting on a host becomes evidence for an authorization decision.

Before an application, update, or network component can go live, it needs an Authority to Operate (ATO). That means you have applied the relevant STIGs, remediated every open finding to the authorizing official's satisfaction or formally accepted its risk, and have sign-off to go live.

Now, the government wants agencies to provide continuous ATO (cATO) and take an even more aggressive cybersecurity defense posture.

Once people know the answer to “What is a STIG?”, the next question is usually “Are STIGs for me?”

That question can be hard to answer, especially for government agencies and the organizations in their supply chain. The short answer is yes, anyone can use STIGs, but they may be more than you need if you are not a government entity or a key player in its supply chain.

Here’s a little more context to help.

Within the more than 10,000 controls and endpoints that STIGs address, you’ll find the same Windows vulnerabilities any network would have. The same router vulnerabilities. The same iPad vulnerabilities.

The default settings for these technologies ensure they work as intended, but they leave

These might be acceptable risks for a home user, but in an organization that handles sensitive data they put that data at risk. STIGs tell you where to look and what to harden in your system and applications to lower your attack surface and protect you from bad actors. Once you know what STIGs are and what they stand for, you will see how thoroughly they protect your system.

Do you HAVE to use STIGS?

If you operate systems for the DoD, or for the other agencies that require them, STIGs are mandated. The RMF and ATO process that STIGs support is vital to protecting the supply chain.

It is no surprise that organizations outside the DoD, and even outside government contracting, are adopting DISA STIGs voluntarily as their benchmarks. The hardening they prescribe is the same hardening that prevents breaches anywhere.

But there is another option that delivers similar results and is right-sized for most organizations.

The Center for Internet Security (CIS) publishes its own Benchmarks, consensus-developed hardening guides that map to the same NIST control families STIGs implement. They cover a broader range of products and suit many industries. CIS Benchmark compliance is the North Star many organizations follow because, while different from STIGs, the two are similar and CIS Benchmarks take less effort to implement. Government agencies and many contractors will find STIGs the right-sized approach; most other organizations will find CIS Benchmarks right-sized. Both CIS Benchmarks and STIGs are free to download.

How often are STIGs updated?

DISA updates and releases new STIGs quarterly, though there may be interim updates in response to emerging threats.

Addressed manually, each quarterly update can take weeks to implement. And the new or updated software versions those updates reflect cannot be deployed until they have been STIGged and covered by an authority to operate.

Therefore, the vulnerabilities these updates protect against remain in your system until it has been STIGged again. The speed at which you apply STIGs and process these updates is a critical factor in your security.

Who implements STIGs in the organization?

This differs in every organization. System administrators and information assurance (IA) professionals do most of the work, but in smaller organizations it may be whoever installs and configures your software.

The bigger question is “are they capable?”

And outside of the government, which has cornered the market on expensive and in-short-supply STIG experts, the answer is "maybe".

The elephant in the room that nobody wants to talk about is the serious lack of qualified professionals in the marketplace. And, depending on the complexity of your network, keeping up with STIGs takes an entire team working all day, every day, year-round.

When cybersecurity teams are shorthanded, burnout grows, and burnout leads to errors and missed workdays. That is why many are turning to automation: it simplifies the work and reduces the strain so you can complete it without hiring a new team.

What are the benefits of STIG compliance?

In the DoD, STIGs are keeping our nation’s most sensitive data safe. Here are just a few of the benefits STIGs stand for:

  • Enhanced threat detection. Consistent configurations and audit settings across the enterprise mean every system generates the same kind of evidence, so detection and analysis can be centralized and potential breaches identified and responded to quickly.
  • Streamlined cybersecurity. Because STIGs provide a standardized compliance roadmap, they simplify the process.
  • Optimized resilience. STIGs result in resilient systems that thwart cyberattacks more effectively and recover more quickly if an attack succeeds.
  • Fewer vulnerabilities. STIGs close the common avenues attackers count on to enter your system. They minimize the attack surface and keep adversaries from exploiting outdated or misconfigured systems.
  • Improved security. STIGs’ robust configurations are specifically designed to make your system harder to penetrate.

Compliance automation doubles down on all these benefits by simplifying the process, eliminating human error, speeding up time to ATO, and enabling continuous compliance at the touch of a button.

Are all STIGs created equal?

In the DoD, where STIG compliance is mandated, not every finding carries the same risk.

So DISA assigns every STIG check a severity category. The category does not let an administrator opt out of a check: every open finding must be remediated or have its risk formally accepted. What the category does is tell you which findings to fix first and which will block an ATO.

The three categories help administrators strike the right balance between protection and operational needs:

  • Category I (CAT I), High Severity. Vulnerabilities whose exploitation will directly and immediately result in loss of confidentiality, availability or integrity, including those that enable unauthorized access to classified data or facilities. CAT I findings are normally expected to be closed before a system is authorized. Examples: unencrypted storage of sensitive data, a firewall that exposes unnecessary ports.
  • Category II (CAT II), Medium Severity. Vulnerabilities that have the potential to result in loss of confidentiality, availability or integrity, typically by giving an attacker a foothold to escalate into something bigger. Examples: weak password policies, outdated or unpatched software.
  • Category III (CAT III), Low Severity. Vulnerabilities that degrade the measures protecting confidentiality, availability or integrity. They weaken your overall security posture without directly exposing data. Examples: insecure wireless settings and a lack of malware filtering for email.

How do STIGs work?

STIGs provide a prescriptive roadmap: for each technology, where the known weaknesses in its configuration are, how to check whether each one is present, and exactly how to fix it.

Each STIG is targeted to specific technologies within your system, rather than a generic approach. So, they lay a foundation of enhanced security directly tailored to your specific system and configuration.

Once the foundation is laid and you know where to look, then you can harden your system against known threats.

STIGs also provide consistency across your system by implementing the same prescribed fixes enterprise-wide. All of this minimizes your attack surface.

Once your system is STIGged, STIGs help you maintain that secure baseline by validating controls have been implemented correctly.

Automation makes it easy to rescan continually and flag anything that drifts out of compliance.
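To make the mechanics concrete, here is an added example (not code from SteelCloud, ConfigOS or DISA) of a miniature STIG-style checker. It models what a STIG gives you for each control (where to look, how to check, what the fix is, and how severe an open finding is, using the CAT I/II/III categories described above) and what automation adds on top: rescanning the same checks and reporting drift from a known-good baseline. The rule IDs (EX-00x), thresholds and file contents are constructed for illustration and are not real STIG entries.

```python
# Added example, not code from SteelCloud, ConfigOS or DISA: a miniature
# STIG-style checker. Rule IDs (EX-00x), thresholds and config contents
# are constructed for illustration, not real STIG entries.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed stand-in for the files a host-level STIG check would read.
BASELINE_CONFIG: Dict[str, str] = {
    "/etc/ssh/sshd_config": (
        "PermitRootLogin no\n"
        "Ciphers aes256-gcm@openssh.com,aes128-ctr\n"
    ),
    "/etc/security/faillock.conf": "# lock after 3 failures\ndeny = 3\nunlock_time = 0\n",
    "/etc/login.defs": "PASS_MAX_DAYS 60\n",
}

# The same host after an admin re-enabled root SSH to "unbreak" a script:
# the kind of drift a quarterly rescan or continuous monitoring must catch.
DRIFTED_CONFIG: Dict[str, str] = dict(BASELINE_CONFIG)
DRIFTED_CONFIG["/etc/ssh/sshd_config"] = (
    "PermitRootLogin yes\n"
    "Ciphers aes256-gcm@openssh.com,aes128-ctr\n"
)

APPROVED_CIPHERS = {"aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
                    "aes256-ctr", "aes128-ctr"}  # assumed approved list


def kv(config_text: str, key: str) -> Optional[str]:
    """Value for `key` in a 'key value' or 'key = value' file, else None."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ").split(None, 1)
        if len(parts) == 2 and parts[0] == key:
            return parts[1].strip()
    return None


@dataclass(frozen=True)
class Rule:
    rule_id: str                              # hypothetical, not a real V-/SV- ID
    severity: str                             # "CAT I", "CAT II" or "CAT III"
    title: str
    path: str                                 # where to look
    key: str                                  # which setting to read
    check: Callable[[Optional[str]], bool]    # True means compliant
    fix: str                                  # the prescribed remediation


RULES: List[Rule] = [
    Rule("EX-001", "CAT I", "Root must not log in directly over SSH",
         "/etc/ssh/sshd_config", "PermitRootLogin",
         lambda v: v is not None and v.lower() == "no",
         "Set 'PermitRootLogin no' in sshd_config and restart sshd."),
    Rule("EX-002", "CAT II", "SSH must use only approved ciphers",
         "/etc/ssh/sshd_config", "Ciphers",
         lambda v: v is not None and set(v.split(",")) <= APPROVED_CIPHERS,
         "Set 'Ciphers' in sshd_config to the approved list only."),
    Rule("EX-003", "CAT II", "Lock accounts after at most three failed logons",
         "/etc/security/faillock.conf", "deny",
         lambda v: v is not None and v.isdigit() and 0 < int(v) <= 3,
         "Set 'deny = 3' in faillock.conf."),
    Rule("EX-004", "CAT II", "Passwords must expire within 60 days",
         "/etc/login.defs", "PASS_MAX_DAYS",
         lambda v: v is not None and v.isdigit() and 0 < int(v) <= 60,
         "Set 'PASS_MAX_DAYS 60' in /etc/login.defs."),
    Rule("EX-005", "CAT III", "SSH must present a logon banner",
         "/etc/ssh/sshd_config", "Banner",
         lambda v: v is not None and v.lower() != "none",
         "Set 'Banner /etc/issue' in sshd_config."),
]


def scan(config: Dict[str, str]) -> List[dict]:
    """Evaluate every rule; status uses the STIG checklist vocabulary."""
    findings = []
    for r in RULES:
        value = kv(config.get(r.path, ""), r.key)
        findings.append({
            "rule_id": r.rule_id, "severity": r.severity, "title": r.title,
            "status": "NotAFinding" if r.check(value) else "Open", "fix": r.fix,
        })
    return findings


def open_by_severity(findings: List[dict]) -> Dict[str, int]:
    """Open findings per category; CAT I opens normally block an ATO."""
    counts = {"CAT I": 0, "CAT II": 0, "CAT III": 0}
    for f in findings:
        if f["status"] == "Open":
            counts[f["severity"]] += 1
    return counts


def drift(baseline: List[dict], current: List[dict]) -> List[str]:
    """Rule IDs that were compliant at baseline but are Open in the rescan."""
    base = {f["rule_id"]: f["status"] for f in baseline}
    return [f["rule_id"] for f in current
            if f["status"] == "Open" and base.get(f["rule_id"]) == "NotAFinding"]


if __name__ == "__main__":
    base = scan(BASELINE_CONFIG)
    now = scan(DRIFTED_CONFIG)
    for f in now:
        if f["status"] == "Open":
            print(f'{f["severity"]:7} {f["rule_id"]} Open: {f["title"]} -> {f["fix"]}')
    print("open by severity:", open_by_severity(now))
    print("drifted since baseline:", drift(base, now))
```

The baseline scan leaves one CAT III finding open (no SSH banner), which would be tracked but would not block authorization on its own; the rescan surfaces a new CAT I finding, and `drift` isolates exactly the rule that regressed so the fix text can be applied without re-reviewing all 10,000 controls.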

What makes STIGs so hard to implement?

Beyond the 10,000 controls to review and repair, not to mention the different categories, there is one frustrating truth that makes STIGs hard to implement—STIGs break things.

Systems, apps, and devices that work perfectly well in an unhardened environment "break" when STIGs are applied.

Fixing the applications that STIGs break can make the work of compliance more difficult and frustrating. But, on a positive note, each break tells you that an application was depending on an insecure default, and that you have found it before any would-be attacker did.

Why do STIGs break things?

From Windows operating systems to Norton antivirus software, the government largely uses commercial solutions.

However, because they are made for the masses, those applications and devices are not developed or tested in a DoD STIG environment.

In fact, if you asked, many commercial developers would be left scratching their heads, wondering, “What is a STIG?”

STIGs illuminate areas of known vulnerability in your system. STIG controls tell you where to look and what to fix. And they often require you to change settings or block capabilities that an application relies on in order to operate.

Apply STIG controls to a commercial application's environment and it may no longer install or run properly, because it depended on something the STIG has removed: an open port, a legacy protocol, an over-broad permission. The application will not work again until it is reconfigured to operate without that dependency, or a documented exception is put in place for the control it conflicts with.

Unfortunately, there are no generic rules that can be applied across all applications all the time. So, system administrators and information assurance experts must address these issues on a one-by-one, case-by-case basis.

How do you fix the breaks?

Breaking sounds like a bad thing, but it’s not all doom and gloom. When apps break, you have an opportunity to make them stronger.

Breakages are the proof that STIGs are finding vulnerabilities, and you need to create policies to address those vulnerabilities. After all, that is the point of cybersecurity and STIG compliance.

But fixing these breaks takes time and expertise. You need to turn off application capabilities, rewrite policy around an application, and sometimes change the application's own controls. It is an involved, time-intensive process, repeated across as many as 10,000 controls.

That is why compliance automation is making big news in the industry.

The right automation solution can save up to 90% of the effort it takes to scan, remediate and fix those breaks.

It can ease the strain of today’s cyber workforce challenges with hidden staffing benefits. And it can get new applications and updates online faster, ensuring you always have the best, most secure technology at hand.

Do STIGs have an impact on other cybersecurity practices?

STIGs provide good cyber hygiene and enable world-class cybersecurity in the organization. The security they establish and maintain is a foundation for building other cybersecurity practices upon.

STIGs not only create a secure hardening baseline, but they also address two of the hottest topics in cybersecurity today.

How do STIGs help with ransomware?

Ransomware is one of the most common and effective forms of malware attack. Bad actors enter the system through phishing or a compromised server or site, then encrypt your files and demand a ransom to get them back. Ransomware attacks cost millions, damage your reputation, and erode trust with your users.

Overall, STIGs support a healthy cyber regimen that helps keep ransomware out of your network. They do not stop ransomware by themselves, but they remove many of the misconfigurations ransomware operators rely on to get in, spread and persist.

A few examples include:

  • Microsoft Office. STIGs restrict links and active content inside documents, since bad actors commonly embed malicious links and macros in files.
  • Operating systems. STIGs make it harder for attackers to get in by requiring strong logon credentials, locking accounts after repeated failed logons, and enabling the audit logging that gives early warning of questionable activity on the network.
  • Web browsers. STIGs reduce the attack surface by preventing the execution of Java applets and blocking unauthorized software downloads and third-party cookies.

In essence, STIG compliance reduces the avenues of attack within your system. An attacker does not need to know what "STIG" stands for to run into the hardening it prescribes.

Used in tandem with the other fundamentals, such as strong authentication, patching and tested backups, a fully STIGged system makes a major attack far less likely to succeed.

Are STIGs and Zero Trust compatible?

In addition to STIGs, Zero Trust is another preventative measure government organizations implement to ward off bad actors. As the name suggests, Zero Trust means no user, device or connection is trusted by default, regardless of where it sits on the network.

The DoD is already transitioning to Zero Trust cybersecurity frameworks and urges all its agencies and organizations to follow suit.

With Zero Trust, authentication and authorization move from the network perimeter to each resource: every request for data or a capability is checked on its own.

The five fundamental assertions of a Zero Trust network are:

  1. The network is always assumed to be hostile.
  2. There are external and internal threats on the network at all times.
  3. Network locality is not sufficient for deciding trust in the network.
  4. Every device, user, and network flow is authenticated and authorized.
  5. Policies must be dynamic and calculated from multiple sources of data.

In other words, a Zero Trust approach assumes every attempt to access the system is a breach. You only get to access the data and capabilities you need, authenticating again and again the deeper your access takes you.

This contains the blast radius of malicious activity to just the part of your system that got breached. Having a secure baseline that meets STIG standards helps capture unauthorized access attempts and makes your network that much harder to attack.
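As an added example (not from the original article or any vendor), the following small policy decision point applies the five assertions above to individual requests. Source network location is recorded for context but never grants access; the user, the device and the specific resource are all checked, and access to sensitive data requires a fresh step-up authentication. The attribute names, the 10.0.0.0/8 "corporate" range, the entitlement table and the MFA freshness windows are assumptions for the demo, not any product's API.

```python
# Added example, not from the original article or any vendor: a small Zero
# Trust policy decision point. Attribute names, the 10.0.0.0/8 "corporate"
# range, entitlements and MFA freshness windows are assumptions for the demo.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set

CORP_NET = ip_network("10.0.0.0/8")   # assumed "inside the perimeter" range

# Multiple data sources feeding the policy (assertion 5): an entitlement
# store, a resource classification and a per-sensitivity MFA freshness limit.
ENTITLEMENTS: Dict[str, Set[str]] = {"alice": {"payroll", "wiki"}, "bob": {"wiki"}}
RESOURCE_SENSITIVITY: Dict[str, str] = {"payroll": "high", "wiki": "low"}
MFA_MAX_AGE_S: Dict[str, int] = {"low": 8 * 3600, "high": 600}


@dataclass(frozen=True)
class Request:
    user: str
    source_ip: str
    mfa_age_s: int            # seconds since MFA completed; -1 means never
    device_attested: bool     # managed device passed its posture/attestation check
    resource: str


@dataclass(frozen=True)
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


def decide(req: Request) -> Decision:
    reasons: List[str] = []
    # Assertions 1-3: the network is hostile and location is never sufficient.
    # Locality is logged for context but grants nothing.
    inside = ip_address(req.source_ip) in CORP_NET
    reasons.append(f"source {'internal' if inside else 'external'} (context only)")
    # Assertion 4: user, device and flow are all authenticated and authorized.
    if req.mfa_age_s < 0:
        reasons.append("deny: user has not completed MFA")
        return Decision(False, reasons)
    if not req.device_attested:
        reasons.append("deny: device posture not attested")
        return Decision(False, reasons)
    if req.resource not in ENTITLEMENTS.get(req.user, set()):
        reasons.append(f"deny: {req.user} is not entitled to {req.resource}")
        return Decision(False, reasons)
    # Assertion 5: policy is computed from several sources; sensitive data
    # demands a fresh MFA (step-up) the deeper the access goes.
    sensitivity = RESOURCE_SENSITIVITY.get(req.resource, "high")  # unknown: treat as high
    if req.mfa_age_s > MFA_MAX_AGE_S[sensitivity]:
        reasons.append(f"deny: re-authenticate, MFA is {req.mfa_age_s}s old but "
                       f"{sensitivity} data allows {MFA_MAX_AGE_S[sensitivity]}s")
        return Decision(False, reasons)
    reasons.append(f"allow: {req.user} -> {req.resource}")
    return Decision(True, reasons)


if __name__ == "__main__":
    # Constructed requests: being "inside" helps nobody; a fully verified
    # request from outside succeeds; stale MFA fails step-up for payroll.
    samples = [
        Request("alice", "10.1.2.3", -1, True, "wiki"),
        Request("alice", "203.0.113.9", 120, True, "payroll"),
        Request("alice", "10.1.2.3", 3600, True, "payroll"),
        Request("bob", "10.1.2.3", 60, True, "payroll"),
        Request("bob", "10.1.2.3", 60, False, "wiki"),
    ]
    for s in samples:
        d = decide(s)
        print("ALLOW" if d.allow else "DENY ", "|", "; ".join(d.reasons))
```

Note that the one request that succeeds comes from outside the corporate range, while every request from inside it is denied for a reason unrelated to location. This is the practical meaning of assertion 3, and the deny reasons are exactly the events a STIG-hardened audit baseline should be capturing.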

How do organizations find the bandwidth to implement STIGs?

STIGs are a way of life in government agencies, as well as in many of the organizations that serve them. And because it’s a way of life, you must find a way to make it livable, from the impact it has on users to the challenge it presents to your cybersecurity team.

With over 10,000 system controls, unique policies for every solution and updates every 90 days, STIG compliance is becoming harder and harder to do by manual means alone.

With qualified professionals in extremely short supply, many organizations are looking toward automation.

SteelCloud's patented ConfigOS can reduce weeks or months of manual scanning and remediation work to about an hour, which is what has made it the DoD's primary cybersecurity automation solution.

With the help of proven automation solutions like ConfigOS, STIG (and CIS) compliance is within reach for even the smallest IT teams to achieve.

Where can I learn more about STIG compliance?

Dive deeper into STIGs! Download our free STIGs for Dummies eBook for a more technical and comprehensive look at DISA STIGs, what they are, and how to implement them, including more technical notes on the STIG compliance process.
