What is STIG Compliance?
STIG stands for Security Technical Implementation Guide. These guides are published by the Defense Information Systems Agency (DISA) for Department of Defense (DoD) systems.
DISA defines STIGs as “the configuration standards for DOD information assurance (IA) and IA-enabled devices/systems…The STIGs contain technical guidance to ‘lock down’ information systems/software that might otherwise be vulnerable to a malicious computer attack.”
DISA assigns each STIG finding one of three severity categories. Going from least to most severe, they are:
- Category III: any vulnerability whose existence degrades measures that protect against the loss of confidentiality, availability, or integrity. A Category III finding can lead to a Category II vulnerability, delay recovery from an outage, and/or affect the accuracy of data and information.
- Category II: any vulnerability whose exploitation can result in loss of confidentiality, availability, or integrity. A Category II finding can lead to a Category I vulnerability, result in personal injury and/or damage to equipment or facilities, and/or degrade mission capability.
- Category I: any vulnerability whose exploitation will directly and immediately lead to the loss of confidentiality, availability, or integrity. Such a vulnerability could give unauthorized access to classified data or facilities and can lead to a denial of service or access. These findings are the most severe because they may result in loss of life, damage to facilities, or mission failure.
Why Use STIG Compliance?
If you maintain, manage, operate, or connect to a DoD information system, STIG compliance is a requirement. Outside the DoD, the STIGs serve as a vetted hardening baseline for securing your network, systems, applications, cloud services and data.
Applying the STIG requirements can seem daunting, but DISA maintains and periodically updates the STIGs and provides tools for validating and implementing them, so checks can be repeated against each new release rather than written from scratch.