The Top Ten STIGs

  1. Top 10 STIGs

Article by Annette Leonard

The Defense Information Systems Agency (DISA) is responsible for developing security guidance for configuring DoD information systems. An extensive collection of Security Technical Implementation Guides (STIGs) is published at https:// STIGs contain detailed configuration guidance (settings) for commonly-used software products and other system components. Most of these documents are updated on a regular basis.

CCI-000363 (part of security control CM- 6) states “The organization defines security configuration checklists to be used to establish and document configuration settings for the information system technology products employed.” The assessment procedure for this CCI goes on to state “DoD has defined the security configuration checklists as DoD security configuration or implementation guidance, e.g., STIGs, SRGs…”

Our “Top Ten” list in this issue highlights the STIGs (or families of STIGs) that DoD information system owners are most likely to encounter.

10. Application Security and Development STIG.

This STIG is a little different than most because it concerns the software development process rather than configuration of a particular system component. Any system where there is software development activity going on will need to comply.

9. Remote Desktop STIGs.

This family of STIGs covers remote desktop technologies such as Citrix, which will be applicable to any system utilizing such technologies.

8. Network STIGs.

This is an extensive family of STIGs that cover everything from specific network devices, such as routers and firewalls, to network design features such as infrastructure and DMZ. Systems encompassing networks, such as data centers, will need to pay attention to STIGs in this family.

7. Office Automation STIGs.

Many systems (not just workstations) include office automation products such as Microsoft Office (Word, Excel, etc.). There are available STIGs for numerous versions of these products.

6. Host Based Security System (HBSS) STIGs.

DoD policy requires HBSS on all information systems. These STIGs provide configuration specifications for numerous HBSS modules.

5. Antivirus STIGs.

All systems are required to incorporate antivirus technologies and there are STIGs available to cover the most popular commercial products, such as Symantec and McAfee.

4. Web Browser STIGs.

Systems that include web browsers will need to pay attention to this family of STIGs that covers products such as Internet Explorer, Mozilla Firefox and Netscape.

3. Web Server and Application Server STIGs.

Modern information systems rely on at least some web technology. This family includes STIGs for popular web servers such as Apache and Microsoft Internet Information Server (IIS), as well as application servers such as Tomcat and JBoss.

2. Database STIGs.

Most systems rely on database technology. The STIGs in this family cover the most popular commercial database management systems (DBMS), including Oracle and Microsoft SQL Server. A more general Database Security Requirements Guide (SRG) is available to cover other DBMS.

1. Operating System STIGs.

Nearly every system owner will need to be concerned about the STIGs that pertain to the specific operating systems in use within the system boundary. STIGs in this family include Windows (numerous versions for both servers and workstations), UNIX/LINUX (numerous versions), Mainframe, Mac, and Virtualization (VMware).


IT Dojo offers a comprehensive course on the transition from DIACAP to RMF.  Please take a look at our RMF training courses here.

Here is a link to a great book on RMF that we highly recommend.

A ton of other information can be found on the NIST web site.