June 2, 2021

How to Ensure Compliance with DISA STIGs + Pass Your Next DISA STIG Audit


DISA STIGs are an important compliance standard. Get an overview of DISA STIGs (and other compliance standards), plus learn how to enforce them with Puppet.


What are DISA STIGs?

DISA STIG stands for Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG). DISA STIGs are the configuration security standards the Department of Defense uses to keep its IT systems hardened.

DISA STIGs specify a set of policies, security controls, and best practices for securing operating systems, applications, and more.

A single STIG can specify a few hundred controls that must be implemented. Configuration drift accumulates over time, so a system that passed yesterday can be out of DISA STIG compliance today.

Other common compliance standards for technology in government agencies include: 

  • The National Institute of Standards and Technology (NIST) SP 800-53.
  • The Cybersecurity Maturity Model Certification (CMMC).
  • Risk Management Framework (RMF).

What is DISA STIG Compliance?

DISA STIG compliance is a measure of whether systems and software are configured to meet the standards set by the Defense Information Systems Agency (DISA). Failing to meet DISA STIG compliance can result in large fines and heavy scrutiny.

Government agencies and defense contractors must comply with the STIGs relevant to their systems, and failing a compliance audit carries heavy penalties. Defense agencies are mandated by DoD Directive 8500.1 to meet STIG specifications.

There are more than 490 STIGs to date. Multiply the number of applicable STIGs by the thousands of servers managed in any one agency and it is clear that managing compliance by hand is a daunting task: manual implementation is tedious and very resource-consuming.

It’s also entirely possible to be in compliance today but not in compliance tomorrow, as system states are known to drift off course over time. For agency and program security teams, it often feels like a never-ending catchup to ensure all of the systems are in compliance. Automation is the clear path forward.


How to Automate DISA STIG Compliance

Infrastructure automation, when used for compliance, can automate and monitor system configurations to comply with DISA STIGs, NIST 800-53, CMMC, and RMF. There are many community-driven templates available for popular applications and systems.

While automation is extremely helpful in configuring systems to be compliant at deployment, system states will inevitably drift over time and fall out of compliance. There will also unavoidably be rule conflicts. So, you want to make sure that your compliance automation platform checks for drift and intelligently handles rule conflicts.

Ideally, the system can continually monitor each system and enforce a compliance state as frequently as every 30 minutes. This alone can help massively reduce workforce costs associated with compliance audits.

Tips for Choosing DISA STIG Compliance Automation Solutions

Do you think a compliance automation system might work for your agency? Here are a few questions you should ask when evaluating compliance automation platforms:

  • Scalability – Can the platform handle thousands of systems without breaking a sweat or your budget? You want to make sure that scaling will be painless.
  • Compliance reporting – are there out-of-the-box reporting templates? You shouldn’t have to trade compliance headaches for reporting headaches.
  • Monitoring frequency – How often can each system state be verified? Weekly? Daily? The best-in-class approach is every 30 minutes.
  • Ecosystem support – Does the platform integrate with most of the systems in your environment?
  • Air-gapped operations – Can the system function in environments with no or limited network connectivity?

Puppet Comply Support for DISA STIGs

Puppet Comply can assess servers and entire systems against DISA STIGs. This capability makes it drastically easier for organizations to assess and demonstrate compliance with DISA STIGs.


Although the Department of Defense’s Cloud Computing Security Requirements Guide indicates that the CIS Benchmarks™ are an acceptable alternative for STIGs, we know that many organizations are still required to demonstrate compliance with STIGs specifically.

Puppet Comply leverages CIS-CAT® Pro, the compliance assessment tool created by the Center for Internet Security® (CIS), to scan infrastructure against the CIS Benchmarks. Through its partnership with experts in the cybersecurity community, CIS has incorporated STIG assessment into CIS-CAT Pro.

Puppet Comply gives DevSecOps teams clear guidance on how CIS Benchmark controls map to DISA STIG controls and which controls are unique to the STIGs. Here's an overview:

  • The existing CIS level 1 and level 2 profiles have been mapped to the applicable STIG recommendations.
  • A new level 3 profile contains the additional STIG requirements that aren’t covered by the level 1 and level 2 profiles.
  • Scans against the level 3 profile automatically include all of the rules for level 1 and level 2.

Comply users can select the profile to scan against, get a clear view of which systems passed or failed each control, and drill down for guidance on how to remediate failures.

Puppet Compliance Enforcement Modules for Automatic DISA STIG Compliance Enforcement

Puppet Compliance Enforcement Modules (CEM) are plug-and-play policy as code modules for Puppet Enterprise that enforce configurations that comply with DISA STIGs and CIS Benchmarks. They automate the process of DISA STIG compliance by automatically setting and continually enforcing compliant configurations across your systems.

CEM leverages Puppet's automation and configuration management capabilities to continually assess compliance with DISA STIGs and remediate noncompliant configurations, keeping your systems current as the STIGs change. As part of the Puppet compliance automation solution, CEM is a turnkey method for ensuring DISA STIG compliance across complex hybrid infrastructure.



How to Use Puppet for DISA STIG Compliance

Define Once, Apply Everywhere

With Puppet Enterprise for compliance automation, you can define security and compliance policies as code and automatically apply the appropriate settings to node groups dynamically and reach hundreds or thousands of nodes at once.

Puppet lets you assign enforcement policies so that new systems automatically inherit compliant configurations based on their system facts.

Model-Driven Automation

After you define your baseline compliant state as code, every Puppet Enterprise agent checks its node against that baseline on each run, which happens every 30 minutes by default.

If a system drifts from its compliant state, it automatically makes corrective changes. The system allows you to mitigate the risk of non-compliance between scans by enabling IT ops teams to immediately validate that remediations were successful.
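The two sections above describe defining policy as code, classifying nodes by their facts, and letting the agent correct drift on every run. The following manifest is an added example written for this page; it is not code from the original post or from Puppet's Compliance Enforcement Modules. It assumes the puppetlabs-stdlib module is installed (for the `file_line` resource) and a RedHat-family host; the class name `profile::stig_baseline` and the `$enforce_ssh` parameter are hypothetical. The two settings it enforces, `/etc/shadow` readable by no one and root SSH login disabled, are typical of what the Linux STIGs require, with the weak setting noted beside each corrected one.

```puppet
# Added example, not from the original post or from Puppet's CEM modules.
# Assumes puppetlabs-stdlib (file_line) and a RedHat-family node.
# Class name and parameter are hypothetical.
class profile::stig_baseline (
  Boolean $enforce_ssh = true,
) {
  # Facts drive what gets enforced, so the same class is safe to assign
  # broadly: non-RedHat nodes simply get nothing from this block.
  if $facts['os']['family'] == 'RedHat' {

    # Weak state this replaces: /etc/shadow mode 0644 (world-readable hashes).
    # Puppet models the end state; if someone later runs `chmod 644 /etc/shadow`,
    # the next agent run restores 0000 and reports a corrective change.
    file { '/etc/shadow':
      ensure => file,
      owner  => 'root',
      group  => 'root',
      mode   => '0000',
    }

    if $enforce_ssh {
      # Weak setting this replaces: "PermitRootLogin yes" (or the commented default).
      # The match regex also catches a commented-out line so the value is
      # rewritten in place rather than appended as a duplicate directive.
      file_line { 'sshd PermitRootLogin':
        path   => '/etc/ssh/sshd_config',
        line   => 'PermitRootLogin no',
        match  => '^#?PermitRootLogin\s',
        notify => Service['sshd'],
      }

      service { 'sshd':
        ensure => running,
        enable => true,
      }
    }
  }
}

# site.pp: classify by facts rather than by hostname, so a node built
# tomorrow inherits the baseline on its first agent run.
node default {
  if $facts['os']['family'] == 'RedHat' {
    include profile::stig_baseline
  }
}
```

Running `puppet agent -t --noop` on a node reports the changes the agent would make without applying them, which is a quick way to see drift before enforcement; a plain `puppet agent -t` applies them, and the corrective changes appear in the run report. Rule conflicts of the kind mentioned earlier show up here too: if two classes declare the same `file_line` title or the same `file` path with different values, the catalog compile fails on the duplicate declaration rather than silently applying one of them.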

Continuous Compliance

Continuous compliance can be at odds with continuous delivery for some systems, ensuring compliance at the expense of speed and agility. Organizations with ambitious digital transformation initiatives can’t afford to make that tradeoff.

Puppet Enterprise makes compliance scalable and predictable by enforcing policy as code as part of DevSecOps workflows. Plus, Puppet Comply can be employed to enable continuous compliance across hybrid infrastructure by scanning for adherence to security requirements, ensuring secure system configuration.

View Compliance Status Holistically

With scanning and reporting designed for IT operations, Puppet Enterprise allows teams to assess infrastructure-wide compliance and quickly identify machines that don’t meet benchmark requirements. Puppet policy assessment technology is certified by the Center for Internet Security (CIS) to ensure CIS Benchmarks are met without taking extra steps.

Bridge Skill and Resource Gaps

You can remediate compliance failures and build a framework for ongoing compliance with content created by a Puppet expert and tailored to your environment. Or you can create cross-platform content yourself: Puppet's approachable, declarative language is straightforward for non-experts to pick up.

Reduce the Burden of Audit Preparation

Puppet Enterprise allows you to reduce workforce costs associated with compliance and generate automatic reports to stay ahead of audit preparation.

With the right platform and a full suite of content implementation services, agencies can meet all compliance requirements while reducing costs and avoiding hefty fines.

You can automate government security and compliance with Puppet. One federal agency in the energy sector leveraged Puppet automation to meet strict IT security standards, taking their Linux servers from 30 percent to 98 percent STIG compliance.

This significant improvement saves them a lot of money on fines paid for non-compliance while gaining complete visibility over their infrastructure. Puppet ensures servers are configured correctly to meet the requirements — and helps them stay that way.


This blog was originally published in two parts on March 10, 2021 and June 2, 2021. It has since been consolidated and updated for relevance.
