News & Events

Understanding DISA STIG Compliance Requirements

SWI FED DISA Compliance

Information security is one of the most important tasks a federal IT pro undertakes.

It’s also one of the most complex—particularly as it relates to compliance requirements.

While the National Institute for Standards and Technology (NIST) provides reference guidance across the federal government, and the Federal Information Security Management Act (FISMA) provides guidance for civilian agencies, Department of Defense (DoD) systems have yet another layer of requirements promulgated by the Defense Information Systems Agency (DISA).

Federal IT security pros within the DoD must comply with the technical testing and hardening frameworks known by the acronym STIG, or Security Technical Implementation Guide. According to DISA, STIGs “are the configuration standards for DOD [information assurance, or IA] and IA-enabled devices/systems…The STIGs contain technical guidance to ‘lock down’ information systems/software that might otherwise be vulnerable to a malicious computer attack.”

To date, DoD has released 461 STIGs, and continues to release more on a semi-regular basis.

While meeting so many requirements may seem daunting, DISA provides both requirements and tools for validating and implementing the security requirements. There are several common testing tools that implement STIGs. Some, like Assured Compliance Assessment Solution (ACAS), were developed by industry specifically for DISA. Others, like the Security Content Automation Protocol (SCAP) Compliance Checker (SCC) were developed by the U.S. Navy for use by Defense agencies. Some tools have even been developed to encompass a particular category of system components, such as network components, or a particular functional process, such as log aggregation and analysis.

Testing Tools

While the DoD has made managing risk easier by providing hardened baselines for operating systems, system components, and network devices through STIGs, additional compliance requirements will require further effort.

That said, the additional effort is highly manageable, especially with automation.

SolarWinds® Network Configuration Manager (NCM) is designed specifically to automate
the task of managing network configuration and compliance. NCM can help federal IT pros deploy standardized configurations, detect out-of-process changes, audit configurations, and correct compliance violations. NCM can integrate with the National Vulnerability Database to help more easily identify and eliminate known vulnerabilities.

NCM is also built to:

  • Inventory network device configurations, assess configurations for compliance, and automate change and configuration management
  • Implement configuration of security controls and help assure effectiveness
  • Produce FISMA and DISA STIGs reports from configuration templates
  • Produce audit documentation and reports

Federal IT pros can get more information on NCM here.

SolarWinds Server Configuration Manager (SCM)

In modern IT environments, making configuration changes is easy, but tracking them and their impact is hard. Even with the best change control processes, it’s often impossible to control all the configuration changes happening to your infrastructure. And when configurations start to drift, the problems start—outages, slowdowns, security breaches, and compliance violations. SolarWinds Server Configuration Monitor is designed to quickly reveal when server, application, or database configurations change, who’s changing them, what changed, and show performance impact—helping you have the necessary visibility to troubleshoot faster, improve security, and demonstrate compliance. Monitoring your server configurations against compliance policies can be cumbersome. With adding a policy engine, out-of-the box policies for DISA STIG, new alerts, and reports for compliance policies, SCM is helping operationalize compliance monitoring. SCM is also built to:

  • Detect, alert, and report on changes with hardware inventory, registry entries, binary and text files,
    software inventory, IIS configuration files, and script outputs
  • Capture and track who made configuration changes
  • Compare current configurations against a baseline or between any two points in time
  • Correlate configuration changes with network and application performance
  • Automatically detect infrastructure eligible for monitoring
  • View and report on hardware and software inventories

Federal IT pros can get more information on SCM here.

Most system components covered by a STIG can generate logs. System logs, event logs, error logs, messages, and the like can quickly grow to tremendous size and, taken together, can present an equally tremendous effort to review the logs for anomalous behavior that may indicate compromise of the system’s confidentiality, integrity, and availability. Many federal IT teams address this challenge by implementing a Security Information and Event Management (SIEM) solution.

An SIEM tool may be configured to consume logs across the environment, analyze the logs, and identify potential vulnerabilities or anomalous behavior. An SIEM tool can triage these findings in a prioritized manner for action by the federal IT security team. A properly configured and tuned SIEM tool can automate the entire process, helping ease the load of an already heavily tasked federal security team.

SolarWinds SIEM tool Security Event Manager (SEM) can simplify STIG requirements by automating compliance and—just as important—reporting on that compliance.

Federal IT pros can get more information on SEM here.

Conclusion

For DoD federal IT pros, STIG compliance is a requirement. There are hundreds of possible STIGs, each of which can contain dozens to hundreds of technical controls that must be tested for compliance. Most federal IT teams already have a full plate. This is where tools like NCM and SEM shine, helping the entire federal IT team achieve compliance and compliance reporting with the support of automated tools that can lighten the whole team’s load.

STIGs apply to DoD agencies. However, FISMA compliance and the NIST Risk Management Framework (RMF) guide all agencies.

For more information on the NIST Risk Management Framework, a range of additional federal security compliance information, and leveraging configuration management, download the Daily Federal Compliance and Continuous Cybersecurity Monitoring whitepaper.