The Defense Information Systems Agency's (DISA) STIG Viewer is a free tool for reading STIGs and for creating and managing STIG checklists that track open findings on a system. Its Preferences menu lets you adjust the interface (font size, visual theme) to suit the way you work.
Understanding XCCDF-formatted STIGs is not always straightforward, but it is doable. Here are a few points to get you started:
Security Technical Implementation Guides (STIGs)
DISA publishes Security Technical Implementation Guides (STIGs): configuration standards that organizations use to harden their IT systems and protect DoD networks and systems from attack. STIGs contain configuration settings for applications, servers, network devices, workstations and printers, and they must be implemented correctly to protect sensitive data. They are required for systems that connect to the DoD Information Network (DoDIN), including contractor-operated systems, but any organization can download and apply them.
STIGs are published in several formats. The XCCDF (Extensible Configuration Checklist Description Format) XML is the human-reviewable benchmark, and many STIGs also ship as SCAP content with OVAL definitions for automated scanning. Both are distributed through the DoD Cyber Exchange, which also provides the STIG Viewer, a graphical tool that renders the XCCDF XML in a readable form so you can browse rules without reading raw XML.
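Knowing what is inside the XCCDF file makes the viewer's fields (Vuln ID, Rule ID, STIG ID, severity, discussion, check and fix text) easier to relate to the XML. The script below is an added example, not code from DISA or the STIG Viewer: it flattens an XCCDF 1.1 benchmark into one record per Rule, unwraps the escaped VulnDiscussion pseudo-tag DISA places inside the description, and maps the severity attribute to CAT I/II/III. The benchmark it parses is a constructed sample laid out the way DISA content is; the V-/SV-/EX- identifiers and rule text are placeholders.

```python
import xml.etree.ElementTree as ET

# DISA STIGs are published as XCCDF 1.1 benchmarks in this namespace.
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
NS = {"x": XCCDF_NS}

# The severity attribute on <Rule> maps to DISA's three categories.
SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

# Constructed sample benchmark (not a real STIG): three Groups, each holding one
# Rule, in the shape DISA uses. All identifiers and text are placeholders.
SAMPLE_XCCDF = """<?xml version="1.0" encoding="utf-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="Example_OS_STIG">
  <title>Example Operating System STIG (constructed sample)</title>
  <version>1</version>
  <Group id="V-000001">
    <title>SRG-OS-000001</title>
    <Rule id="SV-000001r1_rule" severity="high" weight="10.0">
      <version>EX-OS-000001</version>
      <title>The SSH daemon must not permit empty passwords.</title>
      <description>&lt;VulnDiscussion&gt;Empty passwords allow trivial logons.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;</description>
      <fixtext>Set "PermitEmptyPasswords no" in /etc/ssh/sshd_config and restart sshd.</fixtext>
      <check system="C-000001"><check-content>grep -i PermitEmptyPasswords /etc/ssh/sshd_config</check-content></check>
    </Rule>
  </Group>
  <Group id="V-000002">
    <title>SRG-OS-000002</title>
    <Rule id="SV-000002r1_rule" severity="medium" weight="10.0">
      <version>EX-OS-000002</version>
      <title>Audit logging must be enabled.</title>
      <description>&lt;VulnDiscussion&gt;Without audit records, events cannot be reconstructed.&lt;/VulnDiscussion&gt;</description>
      <fixtext>Enable and start the auditd service.</fixtext>
      <check system="C-000002"><check-content>systemctl is-active auditd</check-content></check>
    </Rule>
  </Group>
  <Group id="V-000003">
    <title>SRG-OS-000003</title>
    <Rule id="SV-000003r1_rule" severity="low" weight="10.0">
      <version>EX-OS-000003</version>
      <title>A logon banner must be displayed.</title>
      <description>&lt;VulnDiscussion&gt;Banners give notice of monitoring.&lt;/VulnDiscussion&gt;</description>
      <fixtext>Configure /etc/issue with the approved banner text.</fixtext>
      <check system="C-000003"><check-content>cat /etc/issue</check-content></check>
    </Rule>
  </Group>
</Benchmark>
"""


def _text(elem, path):
    """Stripped text of the first child matching path, or '' if it is absent."""
    node = elem.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def vuln_discussion(description):
    """DISA stores the discussion as escaped pseudo-tags inside <description>.
    After the outer XML parse they are plain text again, so wrap and parse once more."""
    try:
        inner = ET.fromstring("<d>" + description + "</d>")
    except ET.ParseError:
        return description
    node = inner.find("VulnDiscussion")
    return (node.text or "").strip() if node is not None else description


def parse_xccdf(xml_text):
    """Flatten an XCCDF benchmark into one dict per Rule, keyed the way the viewer labels them."""
    root = ET.fromstring(xml_text)
    rules = []
    for group in root.findall("x:Group", NS):
        for rule in group.findall("x:Rule", NS):
            severity = rule.get("severity", "").lower()
            rules.append({
                "vuln_id": group.get("id"),                 # V-number (Group id)
                "rule_id": rule.get("id"),                  # SV-number (Rule id)
                "stig_id": _text(rule, "x:version"),        # STIG ID lives in Rule/version
                "severity": severity,
                "cat": SEVERITY_TO_CAT.get(severity, "UNKNOWN"),
                "title": _text(rule, "x:title"),
                "discussion": vuln_discussion(_text(rule, "x:description")),
                "check": _text(rule, "x:check/x:check-content"),
                "fix": _text(rule, "x:fixtext"),
            })
    return rules


def count_by_cat(rules):
    """Number of rules per category, the breakdown the viewer shows for a STIG."""
    counts = {"CAT I": 0, "CAT II": 0, "CAT III": 0, "UNKNOWN": 0}
    for r in rules:
        counts[r["cat"]] += 1
    return counts


if __name__ == "__main__":
    parsed = parse_xccdf(SAMPLE_XCCDF)
    for r in parsed:
        print(f'{r["vuln_id"]:<10} {r["cat"]:<7} {r["stig_id"]:<14} {r["title"]}')
    print(count_by_cat(parsed))
```

To run it against a real STIG, unzip the download from the DoD Cyber Exchange and pass the contents of the `*-xccdf.xml` file to `parse_xccdf`. Rules whose severity attribute is missing or unexpected are reported as UNKNOWN rather than silently dropped, so a malformed benchmark is visible in the counts.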
When you open a STIG, the viewer displays the following:
The STIG's name, version and release, a short description, and for each rule its Vulnerability ID (V-number), Rule ID, STIG ID, severity (CAT I, II or III), title, discussion, check text and fix text. When the STIG is opened as a checklist, each rule also carries a status (Not Reviewed, Open, Not a Finding or Not Applicable), finding details and comments, and the checklist records when it was last saved.
Many STIGs are also published as Security Content Automation Protocol (SCAP) benchmarks, which let a scanner check a system's settings automatically. The STIG Viewer does not scan systems itself. Instead, a SCAP scanner such as DISA's SCAP Compliance Checker (SCC) is run against the local or remote system, and its XCCDF results file is imported into the viewer's checklist; this fills in the status of every automatable rule and leaves the manual checks for the reviewer.
Related automation exists as well. PowerSTIG is an open-source Microsoft project on GitHub (not a DISA product) that turns STIG XCCDF content into PowerShell Desired State Configuration MOFs, so Windows settings can be enforced and reported on rather than reviewed by hand. DISA also publishes starter Group Policy Objects for domain-joined Windows systems, and the Cyber Exchange hosts automation content (Ansible and Chef) for some non-Windows operating systems, containers and network devices, which helps those who cannot or would rather not run a SCAP scanner.
Downloading STIGs
DISA maintains the STIGs as the baseline that systems must meet before they are deployed on DoD networks. They protect those networks by prescribing system configuration and related security controls.
Download the XCCDF-formatted STIGs (packaged as ZIP archives) from the DoD Cyber Exchange and open them in the STIG Viewer, which is designed to read them and works with every published DISA STIG. Use it to understand and review a STIG before applying it to a system; downloaded STIGs can be imported directly into the viewer.
In the desktop STIG Viewer, importing XCCDF-formatted STIGs from a local folder adds them to the Local Data Cache, so they are reloaded automatically each time the viewer opens.
Collections, Review Workspaces and pinned Revisions belong to DISA's companion web application, STIG Manager, rather than to the desktop STIG Viewer. If you have access to a Collection, its Review Workspace lets you view and modify the Reviews and Statuses recorded for a STIG across every asset in that Collection, which makes assessing compliance straightforward. Collection Owners and Managers can "pin" a specific Revision of a STIG so that future Review Workspaces for the Collection open with it (see the STIG Manager User Guide section on pinning Revisions).
Once a Revision is pinned, new Review Workspaces for that Collection display and calculate Metrics against it. This is particularly useful during an RMF assessment, when all reviews and statuses must be generated against one specific revision of a STIG.
Checklists are saved as .ckl XML files, which can be reopened in the STIG Viewer or ingested by external reporting tools (Splunk apps that consume .ckl files are one example), giving you an audit trail of STIG compliance over time. Within the viewer, several checklists can be open at once, so comments, finding details and statuses can be edited across them from one interface.
Importing STIGs
DISA's STIGs give organizations configuration guidance that mitigates vulnerabilities across applications, network devices, workstations and servers. They resemble CIS Benchmarks but are developed specifically for DoD networks, where they are mandatory. The STIG Viewer is a free download for reading the XCCDF XML guides published on the DoD Cyber Exchange.
Learning the XML format pays off if you want the most from the tool, but the interface keeps everyday use straightforward. On launch, the viewer presents two panels: a navigation tree on the left, listing the STIG library and your checklists, and a content panel on the right. Selecting a STIG or checklist in the tree opens it in the content panel.
The content panel lists the rules and, for the selected rule, shows its discussion, check text and fix text. In a checklist each rule can be marked Open, Not a Finding or Not Applicable, or left as Not Reviewed, and the checklist summary shows how many rules have been reviewed, how many remain open, and the breakdown by severity.
As you browse STIGs, you can create a checklist for each one to track progress, note deadlines for compliance reporting, or simply record the current state of an asset. Each checklist is its own .ckl file that can be exported and kept for future reference.
Creating a checklist is as simple as selecting the STIG or STIGs you want, choosing "Create Checklist", and filling in the asset details in the form that appears. The new checklist then appears under the Checklists tab for easy future reference.
Reviewing STIGs
IT teams are accustomed to compliance regimes such as NIST guidance, FISMA, SOX, HIPAA and PCI DSS; DISA's STIGs add another set of requirements, distinctive for their detailed security configuration recommendations for hardware, software and network devices. Security practitioners use STIGs to keep their organization's hardware and software hardened, up to date, and compliant with DISA requirements.
The STIG Viewer lets you import published STIGs or open existing checklists. Once a STIG is imported, its rules are displayed, and because the viewer tracks the STIG version, a checklist can be updated when a new release of its STIG is published. Preferences such as font size and visual theme can be changed from the Preferences menu.
Once created, checklists can be saved and reopened at any time, so engineers can document the status of an asset over time. Open checklists appear as tabs in the content panel.
Each checklist lists the rules (findings) for the component being hardened, often well over a hundred for a large STIG, each with a Vulnerability ID, severity, title, discussion, check text and fix text. Severity maps to three categories: CAT I (high), for findings that can lead directly to loss of confidentiality, availability or integrity; CAT II (medium); and CAT III (low). There is no CAT 4. Organizational policy typically requires CAT I and CAT II findings to be resolved or formally accepted before a system is authorized, while CAT III findings can be scheduled at the discretion of the engineer responsible for the device.
STIGs are valuable for closing open vulnerabilities and tracking security reviews of technology assets, but applying and reviewing them by hand can be cumbersome. Tools such as the DISA STIG Viewer make the process more manageable: its interface turns the XML into a readable checklist and makes reviewing findings far less tedious.
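The triage rule above (CAT I and CAT II first, CAT III at the engineer's discretion) is easy to apply mechanically to a saved checklist. The script below is an added example, not code from DISA or the STIG Viewer: it reads the .ckl layout the viewer writes (CHECKLIST/STIGS/iSTIG/VULN, with each attribute stored as a VULN_ATTRIBUTE/ATTRIBUTE_DATA pair), honours a SEVERITY_OVERRIDE when the reviewer has set one, and produces the per-status and per-category counts plus a fix-now list. The checklist it parses is a constructed sample; the hostname, V-numbers and rule text are placeholders, and treating an unreviewed CAT I rule as "fix now" is a policy choice made here, not something the viewer enforces.

```python
import xml.etree.ElementTree as ET
from collections import Counter

SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

# Status values the STIG Viewer writes into a .ckl <STATUS> element.
STATUSES = ("Not_Reviewed", "Open", "NotAFinding", "Not_Applicable")

# Constructed sample checklist (not a real export): one asset, one STIG, four
# VULN records. Hostname, identifiers and text are placeholders.
SAMPLE_CKL = """<?xml version="1.0" encoding="UTF-8"?>
<CHECKLIST>
  <ASSET><ASSET_TYPE>Computing</ASSET_TYPE><HOST_NAME>web01</HOST_NAME><HOST_IP>10.0.0.5</HOST_IP></ASSET>
  <STIGS><iSTIG>
    <STIG_INFO><SI_DATA><SID_NAME>title</SID_NAME><SID_DATA>Example OS STIG</SID_DATA></SI_DATA></STIG_INFO>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-000001</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>high</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE><ATTRIBUTE_DATA>SSH must not permit empty passwords.</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Open</STATUS><FINDING_DETAILS>PermitEmptyPasswords yes</FINDING_DETAILS><COMMENTS></COMMENTS>
      <SEVERITY_OVERRIDE></SEVERITY_OVERRIDE><SEVERITY_JUSTIFICATION></SEVERITY_JUSTIFICATION>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-000002</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE><ATTRIBUTE_DATA>Audit logging must be enabled.</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>NotAFinding</STATUS><FINDING_DETAILS>auditd active</FINDING_DETAILS><COMMENTS></COMMENTS>
      <SEVERITY_OVERRIDE></SEVERITY_OVERRIDE><SEVERITY_JUSTIFICATION></SEVERITY_JUSTIFICATION>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-000003</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>low</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE><ATTRIBUTE_DATA>A logon banner must be displayed.</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Open</STATUS><FINDING_DETAILS>/etc/issue empty</FINDING_DETAILS><COMMENTS></COMMENTS>
      <SEVERITY_OVERRIDE>medium</SEVERITY_OVERRIDE><SEVERITY_JUSTIFICATION>Internet-facing host</SEVERITY_JUSTIFICATION>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-000004</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Rule_Title</VULN_ATTRIBUTE><ATTRIBUTE_DATA>Unused packages must be removed.</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Not_Reviewed</STATUS><FINDING_DETAILS></FINDING_DETAILS><COMMENTS></COMMENTS>
      <SEVERITY_OVERRIDE></SEVERITY_OVERRIDE><SEVERITY_JUSTIFICATION></SEVERITY_JUSTIFICATION>
    </VULN>
  </iSTIG></STIGS>
</CHECKLIST>
"""


def parse_ckl(xml_text):
    """One dict per VULN record; effective_cat reflects a reviewer's SEVERITY_OVERRIDE if set."""
    root = ET.fromstring(xml_text)
    host = root.findtext("ASSET/HOST_NAME", default="")
    findings = []
    for vuln in root.iter("VULN"):
        attrs = {}
        for sd in vuln.findall("STIG_DATA"):              # attribute name/value pairs
            key = (sd.findtext("VULN_ATTRIBUTE") or "").strip()
            attrs[key] = (sd.findtext("ATTRIBUTE_DATA") or "").strip()
        severity = attrs.get("Severity", "").lower()
        override = (vuln.findtext("SEVERITY_OVERRIDE") or "").strip().lower()
        findings.append({
            "host": host,
            "vuln_id": attrs.get("Vuln_Num", ""),
            "title": attrs.get("Rule_Title", ""),
            "cat": SEVERITY_TO_CAT.get(severity, "UNKNOWN"),
            "effective_cat": SEVERITY_TO_CAT.get(override or severity, "UNKNOWN"),
            "status": (vuln.findtext("STATUS") or "Not_Reviewed").strip(),
            "details": (vuln.findtext("FINDING_DETAILS") or "").strip(),
            "justification": (vuln.findtext("SEVERITY_JUSTIFICATION") or "").strip(),
        })
    return findings


def status_counts(findings):
    """Rules per status, zero-filled so every status appears in the report."""
    counts = Counter({s: 0 for s in STATUSES})
    counts.update(f["status"] for f in findings)
    return dict(counts)


def open_by_cat(findings):
    """Open findings per effective category."""
    counts = Counter({"CAT I": 0, "CAT II": 0, "CAT III": 0})
    counts.update(f["effective_cat"] for f in findings if f["status"] == "Open")
    return dict(counts)


def must_fix_now(findings):
    """Open CAT I/II findings, plus unreviewed CAT I rules (policy choice: an unreviewed
    CAT I cannot be assumed closed)."""
    return [f["vuln_id"] for f in findings
            if (f["status"] == "Open" and f["effective_cat"] in ("CAT I", "CAT II"))
            or (f["status"] == "Not_Reviewed" and f["effective_cat"] == "CAT I")]


def reviewed_fraction(findings):
    """Share of rules with any status other than Not_Reviewed."""
    return 0.0 if not findings else sum(f["status"] != "Not_Reviewed" for f in findings) / len(findings)


if __name__ == "__main__":
    fs = parse_ckl(SAMPLE_CKL)
    print(status_counts(fs), open_by_cat(fs), must_fix_now(fs), reviewed_fraction(fs))
```

Point `parse_ckl` at the text of a checklist saved by the viewer to get the same numbers for a real asset; because the parser walks every `VULN` element under the root, a checklist that bundles several STIGs for one asset is handled in one pass. V-000003 in the sample shows why the override matters: the STIG rates it CAT III, but the reviewer raised it to CAT II, so it lands on the fix-now list.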