DISA STIGs: Who Needs Them & How to Enforce DISA STIG Compliance

DISA STIGs are an important compliance standard. There’s a security technical implementation guide (STIG) for almost every kind of technology in an IT environment, and each STIG can include hundreds of individual settings, configurations, and recommendations for ensuring compliance and security.

In this blog, we’ll share an overview of DISA STIGs with examples, why they matter for system security and your bottom line, and explain how automation and configuration management can be used to keep your technology compliant with DISA STIGs.

What are DISA STIGs?

DISA STIG stands for Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG). DISA STIGs are IT security configurations designed by DISA to protect systems and networks. Department of Defense entities and contractors are required to implement DISA STIGs and meet STIG compliance or risk losing their contracts.

You can think of DISA STIGs as best practices for cybersecurity in U.S. Department of Defense (DoD) systems. They’re a guideline for assessing and minimizing risk in systems, but contracts and service level agreements (SLAs) between DoD entities and contractors often specify STIGs that must be implemented. DISA STIGs are an element of DoD compliance and can be used to ensure cybersecurity configurations and practices aligned to DoD standards.

Many STIGs are specific to technology vendors, like separate operating system STIGs for Windows and Linux, for example. There are more than 490 STIGs to date, each targeting a specific technology or aspect of a system. Each STIG specifies a set of recommendations for securing the technology it covers, and each STIG could specify a few hundred controls needing implementation (read on for an example).

Can You Still Use DISA STIGs if You’re Not in the U.S.?

DISA STIGs can be used by any organization, even non-U.S. government entities and private organizations. DISA STIGs are publicly available and free to download, so any public or private business can use them as a baseline standard for securing their IT.  

CIS Benchmarks are also commonly used by international organizations to implement better cybersecurity practices.

What’s It Actually Like to Use a STIG?

STIGs are available free from the DoD Cyber Exchange website as downloadable .zip archives, usually containing .pdf instructions and .xml checklists. DISA STIGs are detailed guides for implementing recommended security measures — not plug-and-play solutions for compliance.

The typical process of using a STIG might look like this:

• Download a STIG from the DISA website as a .zip file.
• Unzip the archive to find STIG documents, which typically come in .pdf and .xml formats, along with other resources.
• Review STIG documents to understand the detailed instructions for configuring systems according to DISA standards.
• Import STIG checklists (if available) into your compliance scanning tools to automatically assess whether or not your systems are configured to comply with the STIG’s recommendations.
• Implement configurations to make affected systems comply with the recommendations found in the STIG.
• Monitor STIG compliance on a continuous basis to make sure any drift or unauthorized configurations are remediated quickly to stay compliant.

Top DISA STIGs to Know

The STIGs that apply to your systems will depend on what technologies your organization uses, including your specific resource types, hosting environments, and system components. While this is far from a comprehensive list, there are some STIG types that are relevant to any information technology in government:

1. Operating Systems (OS) STIGs: There are STIGs for various versions of Windows, including Windows 10 and Windows Server 2019, and Linux/Unix distributions like Red Hat, Ubuntu, and more. These touch on things like file permissions, services, package management, and security features at the OS level.
2. Database STIGs: DISA publishes STIGs outlining recommendations for configuring databases like Oracle, SQL Server, MySQL, and more. These STIGs govern things like authentication settings, permissions, and patching and upgrades.
3. Virtualization STIGs: These cover security recommendations for virtual machine (VM) environments like those created with VMware. Virtualization STIGs outline recommendations for hypervisor configurations, VM settings, and configuring VMs for deployment.
4. Cloud Infrastructure STIGs: There are STIGs covering AWS, Azure, and other cloud hosting platforms. These STIGs help organizations apply security policies to VMs, cloud storage, manage cloud resources, and monitor security and compliance in cloud computing.
5. Identity and Access Management (IAM) STIGs: These STIG recommendations cover authentication and access control mechanisms, including measures like role-based access control (RBAC), group policy management, and zero-trust security.

What is DISA STIG Compliance?

DISA STIG compliance is a measure of whether or not systems and software are configured to meet standards set by the Defense Information Security Agency (DISA). Failing to meet DISA STIG compliance can result in security vulnerabilities, loss of contracts, fines, and more.

Defense agencies are mandated by DODI 8500.1 to meet STIG specifications. Essentially, DODI 85001.01 provides a framework for what elements of a system need to be secured and why, and STIGs provide steps for actually securing them. DISA STIG compliance is often required as part of SLAs and contracts between government agencies and their contractors or vendors. Organizations working with certain government agencies must comply with relevant STIGs, and there are heavy fines for failing compliance audits.

Each STIG can contain hundreds of requirements and recommendations (called “findings” in official DISA STIG documentation). Each of those recommendations is assigned a category in terms of the severity of the risk presented by not adhering to it.

DISA STIG Categories + Recommendations

The three DISA STIG categories are:

• Category I indicates a high-severity vulnerability that will have a direct impact on confidentiality, availability, or integrity. Unaddressed Category I vulnerability findings will result in service denial, loss of access, or even loss of life.
• Category II indicates a vulnerability that can result in loss of confidentiality, availability, or integrity. These can have a negative impact on mission outcomes and result in injury and damage to systems and equipment.
• Category III indicates a vulnerability that can make it harder to protect against loss of confidentiality, availability, or integrity. These can affect data accuracy and prolong downtime if left unaddressed.

Go deeper on DISA STIG categories >>

DISA STIGs Example (CAT I, CAT II, CAT III)

As of this writing, the Windows 10 STIG from DISA contains 257 recommendations, including 26 Category I findings, 213 Category II findings, and 18 Category III findings. Here are examples of each from the Windows 10 STIG:

• V-220712 (Category I) states that “Only accounts responsible for the administration of a system must have Administrator rights on the system.”
  • Improperly configured admin access presents an obvious threat to system security, so it’s considered a high-severity vulnerability in this STIG.
• V-220705 (Category II) states that “The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.”
  • Whitelisting authorized software is a great way to decrease risk to systems, but failure to do so doesn’t always and immediately endanger system security, so this one is considered a medium-severity vulnerability in this STIG.
• V-220954 (Category III) states that “Toast notifications to the lock screen must be turned off.”
  • Pop-up notifications can potentially undermine information security by displaying sensitive information to unauthorized personnel, but they’re not guaranteed to — which is why this finding is considered low-severity in the Windows 10 STIG.

How to Automate DISA STIG Compliance

Combining infrastructure automation with configuration management can automate DISA STIG compliance. Configuration automation using policy as code (PaC) can keep IT configurations in a desired state that complies with relevant DISA STIGs.

Managing STIG compliance can be a behemoth task at scale. Multiply the number of STIGs by thousands of servers to be managed in any one agency and you will conclude that managing compliance can be a very daunting task. Manual implementation is tedious and very resource-consuming.

It’s also entirely possible to be in compliance today but not in compliance tomorrow, as system states are known to drift off course over time. For agency and program security teams, it often feels like a never-ending catchup to ensure all of the systems are in compliance. Automation is the clear path forward.

Ideally, automation platform continually monitors each system and enforces a compliance state as frequently as every 30 minutes. This alone can help massively reduce delays and workforce costs associated with compliance audits.

Tips for Choosing DISA STIG Compliance Automation Solutions

Do you think a compliance automation system might work for your agency? Here are a few questions you should ask when evaluating compliance automation platforms:

• Scalability: Can the platform handle thousands of systems without breaking a sweat or your budget? You want to make sure that scaling will be painless.
• Compliance reporting: Are there out-of-the-box reporting templates? You shouldn’t have to trade compliance headaches for reporting headaches.
• Monitoring frequency: How often can each system state be verified? Weekly? Daily?
• Ecosystem support: Does the platform integrate with most of the systems in your environment?
• Air-gapped operations: Can the system function in environments with no or limited network connectivity?

How Puppet Helps Meet + Maintain DISA STIG Compliance

DISA STIG Scanning, Assessment, Monitoring + Reporting

Writing infrastructure configurations as Puppet code makes it easy to assess servers and entire systems against the recommendations laid out in DISA STIGs. When you write Puppet manifests that comply with DISA STIGs, Puppet can assess configurations across your infrastructure for adherence and apply compliant configurations across all those system components. That includes server configurations, OS STIGs on Windows and Linux, application configurations, and more.

Puppet’s infrastructure as code (IaC) approach also creates an auditable paper trail tracking changes made to STIG configurations over time (as well as efforts to remediate configuration drift). This capability makes it drastically easier for organizations to assess and demonstrate compliance with DISA STIGs.

Although the Department of Defense’s Cloud Computing Security Requirements Guide (SRG) indicates that the CIS Benchmarks are an acceptable alternative to DISA STIGs, many organizations are still required to demonstrate compliance with STIGs specifically.

The Security Compliance Management Console in Puppet Enterprise features the built-in CIS-CAT® Pro Assessor from the Center for Internet Security (CIS), which also includes DISA STIG assessment for Puppet-managed infrastructure. With this assessment capability, Puppet Enterprise provides DevSecOps teams clear guidance on how DISA STIG controls map to each other and which controls are unique to STIGs. Here's an overview:

• The existing CIS level 1 and level 2 profiles have been mapped to the applicable STIG recommendations.
• A new level 3 profile contains the additional STIG requirements that aren’t covered by the level 1 and level 2 profiles.
• Scans against the level 3 profile automatically include all of the rules for level 1 and level 2.

Using the Security Compliance Management features included with Puppet Enterprise, users can select the profile to scan against, get a clear view of which systems passed or failed each control, and drill down for guidance on how to remediate failures.

Automatic DISA STIG Compliance Enforcement

Manually writing compliance policies as code takes time, and remediating noncompliant configurations can eat up valuable resources that could be better used preparing for the next vulnerability. Not to mention the fact that DISA STIGs are constantly being updated, making it nearly impossible to keep up with each new finding to stay compliant. That’s where Puppet Security Compliance Enforcement comes in.

Security Compliance Enforcement is a premium feature in Puppet Enterprise and Open Source Puppet that automates hardened security baselines to enforce both DISA STIGs and CIS Benchmarks. It automates the process of DISA STIG compliance by continually making sure your Puppet-managed infrastructure configurations comply with DISA STIG recommendations.

Security Compliance Enforcement leverages Puppet’s agent-based automation and policy PaC to continually assess compliance with DISA STIGs and remediate noncompliant configurations—even when networks are down. Here’s how it works:

• Security Compliance Enforcement contains pre-written blocks of Puppet code that enforce hardened security baselines on the primary Puppet server
• Puppet agents on each node check in every 30 minutes (by default) to make sure their own configurations are in compliance with the configurations on the primary Puppet server
• Nodes that have drifted out of compliance are flagged
• Puppet primary server automatically brings the noncompliant configurations back into alignment with the coded configurations
• New systems automatically inherit compliant configurations based on their system facts

Security Compliance Enforcement saves time on setting, enforcing, and reporting on DISA STIG compliance across OS environments and hybrid cloud deployments.

Not using Puppet Enterprise yet? Get started with your free trial to see exactly how Puppet can help you ensure compliance.