By Kathryn M. Farrish, CISSP
Security Technical Implementation Guides (STIGs) are published, and periodically updated, by the Defense Information Systems Agency (DISA). Each STIG is a detailed list of required security configuration settings for a commonly used IT system component, such as an operating system, database management system, web server or network device.
Compliance with applicable STIGs is one of the key requirements of the RMF Assessment and Authorization (A&A) process. Applying and reviewing multiple STIGs across numerous information system components can present a daunting administrative challenge. A number of tools have been developed to assist system owners and their support staff.
DISA itself publishes a free tool called the STIG Viewer, an application that runs on a Windows workstation. STIGs, which DISA publishes in XCCDF XML format, are imported into the tool and used to create checklists (saved as .ckl files) into which the assessment result for each rule can be entered and managed. Every rule carries a severity category (CAT I, II or III), which is what drives the prioritization of findings. Additional features allow searching of an individual STIG, or several at once, for particular subject areas or keywords.
Completely separate, but similarly named, is www.stigviewer.com, a web-based service provided by a company called Unified Compliance. It provides access to unclassified STIG content, along with various search and reporting functions, and is regularly updated as DISA releases new STIG content.
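The searching that both tools above offer comes down to parsing the XCCDF XML that DISA publishes. As an added example (not code from the original page, from DISA or from either STIG Viewer product), the script below flattens a benchmark's Benchmark > Group > Rule layout into records and then searches them by keyword and minimum severity. The embedded benchmark is a constructed, minimal XCCDF 1.1 fragment: the V-/SV- identifiers, STIG IDs, CCI numbers and rule text are all made up for illustration.

```python
# Added example: parse an XCCDF STIG benchmark and search it by keyword and severity.
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}  # namespace DISA STIGs use
SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

# Constructed sample in DISA's Benchmark > Group > Rule layout; IDs, CCIs and text are made up.
SAMPLE_STIG = """<Benchmark id="Example_OS_STIG" xmlns="http://checklists.nist.gov/xccdf/1.1">
  <title>Example Operating System STIG (constructed sample)</title>
  <Group id="V-000001"><title>SRG-OS-000001</title>
    <Rule id="SV-000001r1_rule" severity="high">
      <version>EX-OS-000001</version>
      <title>The system must not allow root login over SSH.</title>
      <description>&lt;VulnDiscussion&gt;Remote root login bypasses accountability.&lt;/VulnDiscussion&gt;</description>
      <ident system="http://iase.disa.mil/cci">CCI-000001</ident>
      <fixtext>Set PermitRootLogin no in /etc/ssh/sshd_config and restart sshd.</fixtext>
      <check system="C-000001r1_chk"><check-content>Run: grep -i PermitRootLogin /etc/ssh/sshd_config. If the value is not "no", this is a finding.</check-content></check>
    </Rule></Group>
  <Group id="V-000002"><title>SRG-OS-000002</title>
    <Rule id="SV-000002r1_rule" severity="medium">
      <version>EX-OS-000002</version>
      <title>The audit daemon must be enabled.</title>
      <description>&lt;VulnDiscussion&gt;Without auditing, events cannot be reconstructed.&lt;/VulnDiscussion&gt;</description>
      <ident system="http://iase.disa.mil/cci">CCI-000002</ident>
      <fixtext>Run: systemctl enable --now auditd.</fixtext>
      <check system="C-000002r1_chk"><check-content>Run: systemctl is-active auditd. If it is not "active", this is a finding.</check-content></check>
    </Rule></Group>
  <Group id="V-000003"><title>SRG-OS-000003</title>
    <Rule id="SV-000003r1_rule" severity="low">
      <version>EX-OS-000003</version>
      <title>The SSH daemon must display a logon banner.</title>
      <description>&lt;VulnDiscussion&gt;Banners give legal notice to users.&lt;/VulnDiscussion&gt;</description>
      <ident system="http://iase.disa.mil/cci">CCI-000003</ident>
      <fixtext>Set Banner /etc/issue in /etc/ssh/sshd_config.</fixtext>
      <check system="C-000003r1_chk"><check-content>Run: grep -i Banner /etc/ssh/sshd_config. If no banner is configured, this is a finding.</check-content></check>
    </Rule></Group>
</Benchmark>"""

@dataclass
class StigRule:
    vuln_id: str    # Group id (V-number), the key assessors track findings by
    rule_id: str    # Rule id (SV-number)
    stig_id: str    # Rule/version, shown as "STIG ID" in STIG Viewer
    severity: str   # high/medium/low, i.e. CAT I/II/III
    title: str
    discussion: str
    check: str
    fix: str
    ccis: tuple     # CCI identifiers, which map rules to NIST SP 800-53 controls

def _text(elem, path):
    node = elem.find(path, XCCDF_NS)
    return (node.text or "").strip() if node is not None else ""

def _vuln_discussion(description):
    """DISA escapes pseudo-XML inside <description>; pull out the VulnDiscussion body."""
    m = re.search(r"<VulnDiscussion>(.*?)</VulnDiscussion>", description, re.S)
    return m.group(1).strip() if m else description

def parse_stig(xml_text):
    """Flatten Benchmark > Group > Rule into StigRule records."""
    rules = []
    for group in ET.fromstring(xml_text).findall("x:Group", XCCDF_NS):
        for rule in group.findall("x:Rule", XCCDF_NS):
            rules.append(StigRule(
                vuln_id=group.get("id", ""), rule_id=rule.get("id", ""),
                stig_id=_text(rule, "x:version"), severity=rule.get("severity", "unknown"),
                title=_text(rule, "x:title"),
                discussion=_vuln_discussion(_text(rule, "x:description")),
                check=_text(rule, "x:check/x:check-content"), fix=_text(rule, "x:fixtext"),
                ccis=tuple(i.text.strip() for i in rule.findall("x:ident", XCCDF_NS) if i.text)))
    return rules

def search(rules, keyword=None, min_severity=None):
    """Case-insensitive keyword match over title, discussion, check and fix text,
    optionally limited to rules at or above min_severity (low < medium < high)."""
    rank = {"low": 0, "medium": 1, "high": 2}
    hits = []
    for r in rules:
        if min_severity and rank.get(r.severity, -1) < rank[min_severity]:
            continue
        if keyword and keyword.lower() not in " ".join((r.title, r.discussion, r.check, r.fix)).lower():
            continue
        hits.append(r)
    return hits

def summarize(rules):
    """Rule count per CAT level, the first figure an assessor reports."""
    counts = {}
    for r in rules:
        cat = SEVERITY_TO_CAT.get(r.severity, "unknown")
        counts[cat] = counts.get(cat, 0) + 1
    return counts

if __name__ == "__main__":
    rules = parse_stig(SAMPLE_STIG)
    print(summarize(rules))
    for r in search(rules, keyword="ssh", min_severity="medium"):
        print(f"{r.vuln_id} {SEVERITY_TO_CAT[r.severity]} {r.stig_id}: {r.title}")
```

To run this against a real STIG, unzip the DISA download and pass the contents of the `*-xccdf.xml` file inside it to `parse_stig`. The `XCCDF_NS` constant assumes the XCCDF 1.1 namespace that DISA benchmarks declare; if a benchmark declares a different XCCDF version in its `xmlns`, adjust that one constant and the lookups still work.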
IT Dojo offers a comprehensive course on the transition from DIACAP to RMF. Please take a look at our RMF training courses here.
Here is a link to a great book on RMF that we highly recommend.
Much more information can be found on the NIST web site.