The Defense Information Systems Agency (DISA) migrated its Security Requirements Guides (SRGs) and Security Technology Implementation Guides (STIGs) to a new home, https://cyber.mil/, earlier this month.
DISA previously hosted these security configuration standards for Department of Defense (DoD) systems and software on the Information Assurance Support Environment (IASE) portal, https://iase.disa.mil, which the agency is no longer updating.
Sue Kreigline, chief of DISA’s cyber standards branch, said the new DoD Cyber Exchange portal at cyber.mil, which is restricted to use by individuals with a DoD-issued Common Access Card (CAC), hosts:
- More than 350 security guides.
- Security content automation protocols.
- A STIG viewer capability, which enables offline data entry and provides the ability to view one or more STIGs in a human-readable format.
- A STIG applicability tool, which assists in determining what SRGs and STIGs apply to specific situations.
- A Windows 10 Secure Host Baseline download.
The cyber standards chief announced the change at AFCEA’s TechNet Cyber 2019 symposium in Baltimore May 16, where she and other DISA Cyber Standards Branch representatives discussed SRGs and STIGs.
New resource enables peers to collaborate on STIGs
The Cyber Standards Branch also announced a new STIG collaboration portal, which enables technology discussions among subject matter experts.
The collaboration portal is also restricted to CAC-holders and can be accessed via https://software.forge.mil/sf/go/proj2530?uri=/sf/go/proj2530.
According to Jason Mackanick, a DISA information technology (IT) specialist, the collaboration portal allows users to get answers to questions from their peers instead of working through the help desk.
Mackanick said the collaboration portal grew partly from the questions his team received from mission partners inquiring about which STIGs applied to them.
“We have content and tools that we’d like to get out to the community in an earlier fashion to get feedback before we go into the production side,” Mackanick said.
STIGs and SRGs: Safeguarding DoD information systems since 1998
SRGs and STIGs play a vital role in helping government and commercial organizations safeguard their information systems, and DISA has played a role in developing them since 1998.
“DoD Directive 8500.01E gives DISA the authority to establish a cybersecurity program to protect and defend the department’s information technology,” Kreigline said. “It gives the agency the authority to develop Control Correlation Identifiers (CCI), SRGs, and STIGs.”
Kreigline explained that SRGs are a collection of requirements applicable to a given technology family, product category, or organization in general. They are non-product-specific requirements used to mitigate common security vulnerabilities encountered across information technology systems and applications.
STIGs, she continued, are an operationally implementable compendium of DoD Information Assurance (IA) controls, security regulations, and best practices for securing IA or IA-enabled device operating systems, networks, applications, and software.
Kreigline said STIGs provide security guidance for actions such as mitigating insider threats, containing applications, preventing lateral movements, and securing information system credentials.
SRGs and STIGs are developed from CCIs, which allow security requirements expressed in high-level policy frameworks to be decomposed and explicitly associated with the low-level security settings.
The ability to trace a security requirement from its origin to its low-level implementation enables organizations to demonstrate compliance with multiple IA frameworks. CCIs also provide the means to objectively combine and compare related compliance assessment results across disparate technologies.
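As an added illustration of the traceability described above (example code, not DISA's own tooling): a small Python rollup that combines STIG checklist results from two technologies by the CCI each rule cites, then by the policy control the CCI decomposes. The CCI-to-control mapping and the rule identifiers are constructed sample data, and the statuses use the STIG Viewer checklist vocabulary.

```python
from collections import defaultdict

# Constructed sample mapping (illustrative, not the authoritative CCI list):
# each CCI decomposes one high-level NIST SP 800-53 control into a checkable statement.
CCI_TO_CONTROL = {
    "CCI-000366": "CM-6",  # configure the system per approved configuration settings
    "CCI-000213": "AC-3",  # enforce approved authorizations for logical access
}

# Constructed checklist results from two different technologies. Each low-level
# rule cites the CCI(s) it implements; statuses use STIG Viewer's checklist
# vocabulary: Open, NotAFinding, Not_Applicable, Not_Reviewed.
FINDINGS = [
    {"tech": "Windows 10", "rule": "WIN10-EXAMPLE-01", "ccis": ["CCI-000366"], "status": "NotAFinding"},
    {"tech": "Windows 10", "rule": "WIN10-EXAMPLE-02", "ccis": ["CCI-000213"], "status": "Open"},
    {"tech": "RHEL 7",     "rule": "RHEL7-EXAMPLE-01", "ccis": ["CCI-000366"], "status": "NotAFinding"},
    {"tech": "RHEL 7",     "rule": "RHEL7-EXAMPLE-02", "ccis": ["CCI-000213"], "status": "Not_Applicable"},
]

# Worst-status-wins ordering: a single Open check fails the whole CCI, and an
# unreviewed check keeps the CCI from being reported as compliant.
SEVERITY = ["Open", "Not_Reviewed", "NotAFinding", "Not_Applicable"]

def worst(statuses):
    """Collapse a set of checklist statuses into the one that governs the rollup."""
    for s in SEVERITY:
        if s in statuses:
            return s
    return "Not_Applicable"  # nothing mapped, or only Not_Applicable results

def rollup_by_cci(findings):
    """Combine results across technologies: CCI -> (status, {tech: [(rule, status)]})."""
    by_cci = defaultdict(lambda: {"statuses": set(), "evidence": defaultdict(list)})
    for f in findings:
        for cci in f["ccis"]:
            by_cci[cci]["statuses"].add(f["status"])
            by_cci[cci]["evidence"][f["tech"]].append((f["rule"], f["status"]))
    return {cci: (worst(v["statuses"]), dict(v["evidence"])) for cci, v in by_cci.items()}

def rollup_by_control(findings, cci_map=CCI_TO_CONTROL):
    """Trace each low-level result back to its policy control and score the control."""
    per_control = defaultdict(set)
    for cci, (status, _) in rollup_by_cci(findings).items():
        per_control[cci_map.get(cci, "UNMAPPED")].add(status)
    return {ctl: worst(st) for ctl, st in per_control.items()}

if __name__ == "__main__":
    for cci, (status, evidence) in rollup_by_cci(FINDINGS).items():
        print(cci, status, evidence)
    print(rollup_by_control(FINDINGS))
```

The per-CCI evidence keeps the originating technology and rule, so a reviewer can see why AC-3 is reported Open even though the RHEL 7 check for the same CCI was Not_Applicable.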
The agency employs three different methods to write STIGs: in-house, where DISA subject matter experts write the STIG; a consensus effort, during which DISA develops the STIG in partnership with other government organizations – including the National Security Agency and Office of the DoD Chief Information Officer; and through a vendor effort.
“If a vendor is interested in developing a STIG, [DISA guides them] to develop the STIG using the agency’s format,” said Kreigline. “[However], not every vendor gets a STIG. We have to apply some limiting factors to what gets a STIG. The biggest factor for determining whether a STIG gets written is the [volume of the product’s usage] within DoD. It’s not the only factor, but it’s the biggest factor,” she said.
The agency releases STIGs on a quarterly basis, in addition to issuing ad-hoc releases for items requiring immediate fixes.
STIG documents the agency no longer maintains are moved to a “sunset” list.
The agency places products on the sunset list for various reasons: the vendor no longer supports the product, the agency has released a newer version of the STIG, or the document is no longer viable.
“Even if a document is on the sunset list, and you’re still using the product, you should continue using that document,” Kreigline said. “Just because it’s on the list, if you’re still running the product, you can still use that document.”
For more information about SRGs and STIGs, visit https://cyber.mil/. For more information about STIG collaboration, visit https://project.forge.mil/sf/sfmain/do/home.
A copy of Kreigline’s presentation is located on DISA.mil.