DISA STIGs are an important compliance standard. Get an overview of DISA STIGs (and other compliance standards), plus learn how to enforce them with Puppet.
DISA STIG stands for Defense Information Security Agency (DISA) Security Technical Implementation Guide (STIG). DISA STIGs are security standards that help the Department of Defense keep its IT systems safe.
DISA STIGs specify a set of policies, security controls, and best practices for securing operating systems, applications, and more.
Each STIG can specify a few hundred controls that need to be implemented. Compliance drift can easily occur over time, leaving systems out of DISA STIG compliance.
Other common compliance standards for technology in government agencies include:
DISA STIG compliance is a measure of whether or not systems and software are configured to meet standards set by the Defense Information Security Agency (DISA). Failing to meet DISA STIG compliance can result in large fines and heavy scrutiny.
Government agencies and defense contractors must comply with relevant STIGs, and there are heavy fines for failing compliance audits. Defense agencies are mandated by DODD 8500.1 to meet STIG specifications.
There are more than 490 STIGs to date. Multiply the number of STIGs by the thousands of servers managed in any one agency and it becomes clear that managing compliance is a daunting task. Manual implementation is tedious and very resource-intensive.
It is also entirely possible to be in compliance today but out of compliance tomorrow, because system states drift over time. For agency and program security teams, it often feels like a never-ending game of catch-up to keep all systems in compliance. Automation is the clear path forward.
Infrastructure automation, when used for compliance, can automate and monitor system configurations to comply with DISA STIGs, NIST 800-53, CMMC, and RMF. There are many community-driven templates available for popular applications and systems.
While automation is extremely helpful in configuring systems to be compliant at deployment, system states will inevitably drift over time and fall out of compliance. There will also unavoidably be rule conflicts. So, you want to make sure that your compliance automation platform checks for drift and intelligently handles rule conflicts.
Ideally, the platform continually monitors each system and enforces the compliant state as frequently as every 30 minutes. This alone can massively reduce the workforce costs associated with compliance audits.
Do you think a compliance automation system might work for your agency? Here are a few questions you should ask when evaluating compliance automation platforms:
Puppet Comply can assess servers and entire systems against DISA STIGs. This capability makes it drastically easier for organizations to assess and demonstrate compliance with DISA STIGs.
To explore further, learn how automation helps you harden your systems and achieve compliance with a free white paper.
Although the Department of Defense’s Cloud Computing Security Requirements Guide indicates that the CIS Benchmarks™ are an acceptable alternative for STIGs, we know that many organizations are still required to demonstrate compliance with STIGs specifically.
Puppet Comply leverages CIS-CAT® Pro, the compliance assessment tool created by the Center for Internet Security® (CIS), to scan infrastructure against the CIS Benchmarks. Through their partnership with experts in the cybersecurity community, CIS has incorporated STIG assessment into CIS-CAT Pro.
Puppet Comply provides DevSecOps teams clear guidance on how DISA STIG controls map to CIS Benchmark controls and which controls are unique to STIGs. Here's an overview:
Comply users can select the profile to scan against, get a clear view of which systems passed or failed each control, and drill down for guidance on how to remediate failures.
Puppet Compliance Enforcement Modules (CEM) are plug-and-play policy as code modules for Puppet Enterprise that enforce configurations that comply with DISA STIGs and CIS Benchmarks. They automate the process of DISA STIG compliance by automatically setting and continually enforcing compliant configurations across your systems.
CEM leverage Puppet's automation and configuration management capabilities to continually assess compliance with DISA STIGs and remediate noncompliant configurations, keeping your systems up to date with DISA STIGs as they change. As part of the Puppet compliance automation solution, CEM are a turnkey method for ensuring DISA STIG compliance across complex hybrid infrastructure.
Head here for a full list of supported OSes and more details on Puppet Compliance Enforcement Modules >>
With Puppet Enterprise for compliance automation, you can define security and compliance policies as code and automatically apply the appropriate settings to node groups dynamically and reach hundreds or thousands of nodes at once.
Puppet lets you assign enforcement policies so that new systems automatically inherit compliant configurations based on their system facts.
After you define your baseline compliant state configurations, Puppet Enterprise checks your infrastructure against them every 30 minutes.
If a system drifts from its compliant state, Puppet automatically makes corrective changes. This mitigates the risk of non-compliance between scans and lets IT ops teams immediately validate that remediations were successful.
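The enforcement loop described above, as an added illustrative example and not the code of Puppet's own Compliance Enforcement Modules: a small policy-as-code class that selects nodes by their `os.family` fact, enforces two hardening settings of the kind found in OS STIG baselines, and can be switched to assess-only mode through Puppet's `noop` metaparameter. It assumes the `augeas` resource type shipped with puppet-agent is available; the rule IDs in the comments are placeholders, not real STIG identifiers.

```puppet
# Added example (not Puppet's CEM code). Rule IDs below are placeholders.
class stig_baseline (
  # 'noop' reports drift in the run report without correcting it;
  # 'enforce' corrects it on every agent run (every 30 minutes by default).
  Enum['enforce', 'noop'] $mode = 'enforce',
) {
  $assess_only = ($mode == 'noop')

  # Classification by system facts: these settings apply to RedHat-family
  # nodes only, so a new node inherits them as soon as it reports its facts.
  if $facts['os']['family'] == 'RedHat' {

    # [STIG-ID-PLACEHOLDER-1] sshd must not allow direct root login.
    # augeas edits the single directive in place, so a manual change to
    # PermitRootLogin is reverted on the next run.
    augeas { 'sshd-permit-root-login':
      context => '/files/etc/ssh/sshd_config',
      changes => ['set PermitRootLogin no'],
      noop    => $assess_only,
      notify  => Service['sshd'],
    }

    service { 'sshd':
      ensure => running,
      enable => true,
      noop   => $assess_only,
    }

    # [STIG-ID-PLACEHOLDER-2] the audit daemon must be installed, enabled
    # at boot, and running; a stopped auditd is restarted on the next run.
    package { 'audit':
      ensure => installed,
      noop   => $assess_only,
    }

    service { 'auditd':
      ensure  => running,
      enable  => true,
      noop    => $assess_only,
      require => Package['audit'],
    }
  }
}
```

Assigning `stig_baseline` to a node group gives every matching node the same baseline; in `noop` mode each run's report lists the changes that would have been made, which is the drift signal an auditor wants to see before enforcement is turned on.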
Continuous compliance can be at odds with continuous delivery for some systems, ensuring compliance at the expense of speed and agility. Organizations with ambitious digital transformation initiatives can’t afford to make that tradeoff.
Puppet Enterprise makes compliance scalable and predictable by enforcing policy as code as part of DevSecOps workflows. Plus, Puppet Comply can be employed to enable continuous compliance across hybrid infrastructure by scanning for adherence to security requirements, ensuring secure system configuration.
With scanning and reporting designed for IT operations, Puppet Enterprise allows teams to assess infrastructure-wide compliance and quickly identify machines that don’t meet benchmark requirements. Puppet policy assessment technology is certified by the Center for Internet Security (CIS) to ensure CIS Benchmarks are met without taking extra steps.
You can remediate compliance failures and build a framework for ongoing compliance with content created by a Puppet expert and tailored to your environment. Or you can create cross-platform content yourself, since Puppet's approachable and straightforward language is accessible even to non-experts.
Puppet Enterprise allows you to reduce workforce costs associated with compliance and generate automatic reports to stay ahead of audit preparation.
With the right platform and a full suite of content implementation services, agencies can meet all compliance requirements while reducing costs and avoiding hefty fines.
You can automate government security and compliance with Puppet. One federal agency in the energy sector leveraged Puppet automation to meet strict IT security standards, taking their Linux servers from 30 percent to 98 percent STIG compliance.
This significant improvement saves them a lot of money on fines paid for non-compliance while gaining complete visibility over their infrastructure. Puppet ensures servers are configured correctly to meet the requirements — and helps them stay that way.
This blog was originally published in two parts on March 10, 2021 and June 2, 2021. It has since been consolidated and updated for relevance.