STIGs (System Technical Implementation Guides) are a library of documents that outline how to secure computers, software programs and other IT equipment. Each STIG details how an organization should configure hardware or software in order to minimize risk and protect against cyber criminals gaining unauthorized access. While STIGs were originally created by the Department of Defense (DoD), other government agencies and private IT companies that work with sensitive data may benefit from these guidelines as well.

All organizations connecting to DoD networks must comply with DISA guidelines, failing which they could lose access and Authorization to Operate (ATO).

These guidelines, known as DISA STIGS, offer detailed technical guidance to secure systems and software potentially susceptible to security vulnerabilities. They are published semi-regularly by Defense Information Systems Agency (DISA).

What is a STIG?

Security Technical Implementation Guidelines, or STIGs, are configuration standards set by the Department of Defense (DoD). Designed by DISA, these STIGs aim to protect DoD information and systems against cybersecurity threats while simultaneously ensuring all hardware, software and network systems are correctly configured.

Compliance with STIGs isn’t optional if your organization works with DoD, but getting compliant doesn’t have to take weeks of tedious manual work – Runecast offers an efficient STIG compliance checker which quickly evaluates your current state and shows what needs to be done to reach compliance within minutes.

Runecast uses automated scans and best-practice checks to help identify compliance gaps with DISA STIGs or other configuration standards, quickly creating an easily filterable report for comparison against historical configuration data. Runecast makes identifying and solving security breaches or compliance violations much faster so as to minimize costs quickly.

Compliance with STIGs is of critical importance whether in the public or private sector, and compliance is an easy and efficient way to protect IT infrastructure against unauthorized access from cyber criminals. For IT vendors selling products and services to DoD networks or sensitive information without adhering to DISA security standards is both mandatory and vital for their brand reputation.

What is a STIG Checklist?

Many IT teams are familiar with government compliance standards like NIST reference guides, FISMA, SOX and PCI; however, the Department of Defense also has its own set of requirements known as STIGs which empower IT teams to secure hardware, software and network systems by following stringent configuration standards known as hardening. Hardening prevents malicious actors from infiltrating government networks by forcing them into more restrictive configurations.

STIGs aim to strengthen commercially available software, servers and devices available off-the-shelf by placing restrictions on how they should be configured. They are developed either internally at DISA or more often directly by product vendors themselves and designed to reduce attack vulnerability on devices or applications, while at the same time remain flexible enough to adapt as security threats change and vulnerabilities emerge.

A STIG is composed of several sections, one for each component being reviewed, with fields to record reviewer findings pertaining to that component and its vulnerabilities. Furthermore, STIGs include an identifying field that can help users pinpoint specific types of vulnerability – these vulnerabilities are categorized as Category I, II or III depending on their potential impact.

Category I vulnerabilities pose the highest risks, posing serious threats to confidentiality, availability or integrity – they may allow unauthorizaiton to classified information or facilities or even lead to loss of life. Although Category II vulnerabilities have similar repercussions as Category 1 vulnerabilities, their impact may not be immediate and may take more time before their effects manifest themselves fully. Finally, Category III vulnerabilities compromise measures designed to safeguard against loss of confidentiality availability or integrity.

At the completion of a STIG review, a system administrator should import XCCDF or OVAL files generated by their SCAP scanner into the STIG Viewer to create a checklist file used to track and report on findings. This checklist file will contain various columns containing information related to each vulnerability in question such as its identification number, description, checking content status and discussion thread.

What is a STIG Policy?

A STIG policy describes how hardware, software or network systems should be configured in order to reduce vulnerability and avoid attacks. A typical STIG would provide requirements for configuring desktop computers or enterprise servers such as how many ports should remain open on the internet and locking down applications; more advanced STIGs might include instructions for designing corporate networks with routers, databases, firewalls and domain name servers as necessary.

STIGs can be created internally by DISA or collaboratively with federal agencies and departments or externally by vendor-based teams of security experts; regardless of its source, however, STIGs serve to define security requirements to meet government cybersecurity standards.

STIGs exist to strengthen federal systems’ security and defend against attacks. Because government IT handles sensitive information, breaches could have grave repercussions for national security. By standardizing how hardware, software, and networks are configured in federal IT environments, STIGs make federal IT less vulnerable to attackers.

Implementing a STIG can be challenging. There may be hundreds of controls that must be put in place, creating additional work for federal IT professionals. Any change can alter the security profile of a system; thus it is crucial that a SIEM tool track compliance and report violations.

Puppet Comply integrates with CIS-CAT Pro, the compliance assessment tool from the Center for Internet Security (CIS), to conduct scans against a set of profiles provided by CIS and detect violations automatically triaged for action by federal IT teams.

As a result, federal IT teams that previously relied on manually triaging all findings from vulnerability scanners can speed up this process significantly and free up time for other tasks, like monitoring and responding to threat activity or performing comprehensive testing/penetrating analysis of their environments that would otherwise be impossible using manual methods alone.

What is a STIG Update?

Defense Information Systems Agency (DISA) offers IT support to individuals and organizations working for the Department of Defense. One service provided by DISA is Security Technical Implementation Guides (STIGs). STIGs serve as configuration standards that help lower risks associated with cybersecurity threats and breaches by ensuring hardware, software, databases, operating systems are secured properly – therefore staying current with new versions is vital in avoiding breaches that expose sensitive or confidential data.

STIG updates are revised versions of an existing STIG that add or alter configuration requirements. They typically are released quarterly and may be based on new vulnerabilities, threat modeling data or other factors; changes can include adding or eliminating checks that were found not as effective in their original form; they also take into account vendor version changes which can alter configuration requirements.

In order to reduce the risk of breaches that could compromise national security, it’s essential that DoD networks use STIG requirements when deploying new hardware, software and network systems. These standards make commercially available servers, devices and off-the-shelf software as secure as possible by setting minimum requirements for setting them up; additionally they offer guidance for implementing protocols and reducing physical design flaws that might compromise overall security.

DISA releases updates to existing STIGs as well as brand new versions. A DISA update to an existing STIG could involve any number of modifications, from modifications to the rules or group and rule IDs affecting compliance checks to changes to definitions of terms or acronyms used throughout it. New updates could also add information that was recently added or expanded upon in existing guidance documents.

RedSeal can automatically validate compliance with DISA STIGs and SRGs by matching RuleIDs from new RuleIDs with existing automatic compliance checks in our product, giving you a comprehensive view of your DISA compliance status. To learn more, download our datasheet entitled Automatically Validate DISA STIGs & SRG Compliance.


DISA stands for Defense Information Systems Agency and is an organization that creates configuration documents for US Department of Defense. DISA creates standards known as STIGs that help safeguard government from cyber security attacks and threats, and many businesses utilize STIG checklists from DISA to ensure their IT systems meet DISA’s requirements – thus permitting them to work with US federal agencies without incurring penalties or fines due to noncompliance.

Security Technical Implementation Guidelines, or STIG, checklists are designed to assist IT professionals in hardening their system configuration against potential security breaches and hacks which could compromise sensitive data leading to identity theft or other serious consequences. These requirements were established by Defense Information Systems Agency; all those working with them must abide by these requirements.

STIGs standardize devices, software and databases to reduce cyber threats, breaches and attacks. Their purpose is to safeguard the Department of Defense Information Network (DoDIN), ensure privacy for its users (US military personnel included) as well as maintain its integrity and protect its security. Private IT products or services which do not comply with STIGs could lose their license to operate within the US; their customers could become vulnerable to attacks from malicious actors.

An STIG checklist typically enumerates hundreds of compliance-related requirements that need to be met for an IT system to become compliant, from operating systems and software versions used on devices to physical security measures like firewalls and routers. Unfortunately, such requirements can be tediously long.

Assessing STIG compliance without the help of tools can be time-consuming and complex. But there are tools that offer automated and rapid analysis of computer security posture and vulnerabilities – helping businesses quickly evaluate their level of DISA compliance as well as take steps to remedy any areas needing improvement.

Automated tools like Invicti can make the task of attaining DISA compliance much simpler. The tool provides an overview of your IT security, including its compliance level with DISA and CIS Benchmarks, while results of scans will then be displayed on a central dashboard, making it easy to track progress as adjustments are made.

Maintaining compliance with DISA or CIS benchmarks may seem impossible, but automating the assessment and repair of STIG and CIS vulnerabilities can make the entire process much more manageable for your team. Invicti can scan your IT environment to locate vulnerabilities requiring fixes before providing an easy-to-read report that allows your team to focus on other important tasks without neglecting compliance issues. That is why having an automated tool such as Invicti as part of their security strategy is so critical.

Sam is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.