By Kathryn M. Farrish, CISSP at BAI Inc.
One of the primary goals of the RMF life cycle is for a system to achieve and maintain compliance with a baseline of Security Controls in accordance with NIST SP 800-53 and CNSSI 1253. Security controls provide specific safeguards in numerous subject areas (aka. “families”), including access control, audit and accountability, identification and authentication, contingency planning, incident response, configuration and change management, physical and environmental security, etc.
Systems are also required to maintain compliance with applicable Security Technical Implementation Guides (STIGs). STIGs, published by DISA, provide configuration specifications for operating systems, database management systems, web servers, network devices, etc.
When confronted with these two major components of the RMF process, system owners may wonder if the Security Controls and STIGs are completely independent entities, or if there is some sort of relationship between them. As you might expect, Security Controls and STIGs are closely related.
To better understand the relationship, let’s take a look at one of the configuration settings in the Windows STIG.
Vulnerability ID: V-63461
Rule Title: The system must be configured to generate error reports
Vulnerability Discussion: Enabling Windows Error Reporting generates information useful to system administrators and forensics analysts for diagnosing system problems and investigating intrusions. If Windows Error Reporting is turned off, valuable system diagnostic and vulnerability information may be lost.
This STIG setting requires the Windows Error Reporting feature to be enabled, and provides a specific procedure to check the status of this feature in the system services. If the specified service is not present or not running, this is a finding. The STIG then provides the following reference for this finding:
That is precisely the tie-in between STIGs and Security Controls that we’re looking for! What it tells us, in essence, is that if this STIG item is incorrectly set, CCI-001312 (part of Security Control SI-11) should be considered non-compliant.
This tie-in is not a new concept. For several years, each STIG item contained a reference to the corresponding DIACAP IA Control from DoDI 8500.2.
To say the least, it is challenging to find Security Controls or CCIs that precisely “map” to many of the STIG specifications. In such cases, the “catch-all” is to map these STIG specifications to CCI-000366, which is part of Security Control CM-6. CM-6 as a whole is concerned with the use of security configuration checklists. CCI-000366 specifically states:
The organization implements the security configuration settings.
Other CCIs within CM-6 specify the DISA STIGs and SRGs as the preferred source documents for security configuration specifications.
Historically, the “catch-all” for DIACAP control references was ECSC-1.
For some time now, DISA has been revising each of the STIGs to include CCI references; however, there still may be some legacy STIGs that do not include CCI references.
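The chain described above (STIG item → CCI → Security Control, with CCI-000366 / CM-6 as the catch-all for items that carry no CCI reference) can be expressed as a small roll-up routine. The following is an added example, not code from the article, DISA or NIST; the only identifiers taken from the page are V-63461, CCI-001312 (SI-11) and CCI-000366 (CM-6). Every other vulnerability ID, the remaining entries of the CCI-to-control table, and the check results themselves are constructed for illustration, and the pass/open/not-applicable status values are an assumed representation of checklist output.

```python
"""Roll up STIG check results into CCI and Security Control compliance.

Added example: the mapping and the sample results are constructed; only
V-63461, CCI-001312/SI-11 and CCI-000366/CM-6 come from the article.
"""
from collections import defaultdict

# Assumed CCI -> NIST SP 800-53 control table. In practice this comes from
# the DISA CCI list; only the two entries named in the article are real here.
CCI_TO_CONTROL = {
    "CCI-001312": "SI-11",
    "CCI-000366": "CM-6",
}

# Catch-all used when a (legacy) STIG item does not reference a CCI.
CATCH_ALL_CCI = "CCI-000366"


def cci_for_item(item):
    """Return the CCI a STIG item maps to.

    Items without a CCI reference fall back to CCI-000366 (CM-6), mirroring
    the catch-all practice the article describes for legacy STIGs.
    """
    return item.get("cci") or CATCH_ALL_CCI


def roll_up(results):
    """Aggregate check results into per-CCI and per-control compliance.

    results: list of dicts with keys vuln_id, status ('pass', 'open' or
    'not_applicable') and an optional cci. A single open finding against a
    CCI makes that CCI, and therefore its parent control, non-compliant.
    Returns (cci_status, control_status).
    """
    items_by_cci = defaultdict(list)
    for r in results:
        if r["status"] == "not_applicable":
            continue  # N/A items do not count for or against a CCI
        items_by_cci[cci_for_item(r)].append(r)

    cci_status = {}
    for cci, items in items_by_cci.items():
        open_ids = [i["vuln_id"] for i in items if i["status"] == "open"]
        cci_status[cci] = {"compliant": not open_ids, "open_findings": open_ids}

    control_status = {}
    for cci, st in cci_status.items():
        # A CCI missing from the table is flagged rather than silently dropped.
        control = CCI_TO_CONTROL.get(cci, "UNMAPPED")
        entry = control_status.setdefault(
            control, {"compliant": True, "open_findings": []})
        if not st["compliant"]:
            entry["compliant"] = False
            entry["open_findings"].extend(st["open_findings"])
    return cci_status, control_status


# Constructed sample checklist output. V-63461 is the article's example
# (error reporting service not running => open); the other IDs are placeholders.
SAMPLE_RESULTS = [
    {"vuln_id": "V-63461", "status": "open", "cci": "CCI-001312"},
    {"vuln_id": "V-EXAMPLE-1", "status": "pass", "cci": "CCI-001312"},
    {"vuln_id": "V-LEGACY-1", "status": "open"},  # legacy item, no CCI reference
    {"vuln_id": "V-EXAMPLE-2", "status": "not_applicable", "cci": "CCI-000366"},
    {"vuln_id": "V-EXAMPLE-3", "status": "pass", "cci": "CCI-PLACEHOLDER"},
]


if __name__ == "__main__":
    ccis, controls = roll_up(SAMPLE_RESULTS)
    for control, st in sorted(controls.items()):
        state = "compliant" if st["compliant"] else "NON-COMPLIANT"
        print(f"{control}: {state} {st['open_findings']}")
```

The design choice worth noting is that a single open STIG item is enough to mark the CCI (and its control) non-compliant, which is exactly the logic the article draws from the V-63461 reference: a failed check is not just a configuration finding but evidence against SI-11. Treating an unknown CCI as "UNMAPPED" rather than ignoring it keeps legacy or mis-referenced items visible to the assessor.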
IT Dojo offers a comprehensive course on the transition from DIACAP to RMF. Please take a look at our RMF training courses here.
A ton of other information can be found on the NIST web site.