By Kathryn Daily, CISSP, RDRP
NIST 800-53, and specifically Security Control CM-6, requires an organization to
a. Establish and document configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
b. Implement the configuration settings;
c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and
d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.
Note that DoD has mandated the use of “DoD security configuration or implementation guidance, e.g., Security Technical Implementation Guides (STIGs)” as the “organization-defined security configuration checklists” cited in paragraph a, above. STIGs are published by the Defense Information Systems Agency (DISA) and cover a wide variety of information technology products and processes. Unfortunately, simply having the STIGs does not ensure compliance. There are numerous challenges, such as:
- Limited resources to assess compliance with numerous requirements
- Understanding which documents apply (STIGs, Checklists, Benchmarks, etc.)
- Identifying a process by which to implement STIG guidance
STIG 101 meets the challenges above and more in a one-day STIG overview course. Topics such as STIG content, STIG development, STIG tools, and best practices are discussed. Demonstrations of STIG Viewer, SCAP Compliance Checker (SCC), and STIG implementation will be conducted to give students a real-world understanding of the STIG process. The development process will also be covered to give students an idea of where STIGs come from, who creates them, and how they get published.
This one-day course is suitable for anyone wishing to gain insight into STIG content and process. It is ideally suited to those with limited exposure to STIGs … or even none at all! The course will be taught via Online Personal Classroom™. This is a fully interactive, instructor-led experience. There will be an initial informational section that introduces the concepts and best practices; then we will move to the screen-sharing capability to demo the various tools that are available. We’ll demo SCC, STIG Viewer, and other tools while giving an overall approach to best practices. Specific pain points for students will be addressed, provided that it’s feasible and within the scope of the course.
The biggest benefit from the class will be getting a process down to manage the often-cumbersome task of ‘STIGing’ your machines from the initial configuration through the quarterly STIG update process.