The Defense Information Systems Agency (DISA) has migrated its Security Requirements Guides (SRGs) and Security Technical Implementation Guides (STIGs) to a new home.
DISA previously hosted these security configuration standards for Department of Defense (DoD) systems and software on the Information Assurance Support Environment (IASE) portal, https://iase.disa.mil, which the agency is no longer updating.
Sue Kreigline, Chief of DISA's Cyber Standards Branch, said the new DoD Cyber Exchange portal at cyber.mil, which is restricted to individuals with a DoD-issued Common Access Card (CAC), hosts:
- More than 350 security guides.
- Security Content Automation Protocol (SCAP) content.
- A STIG viewer capability, which enables offline data entry and provides the ability to view one or more STIGs in a human-readable format.
- A STIG applicability tool, which assists in determining what SRGs and STIGs apply to specific situations.
- A Windows 10 Secure Host Baseline download.
The cyber standards chief announced the change at AFCEA's TechNet Cyber 2019 symposium in Baltimore, Maryland, on May 16, where she and other DISA Cyber Standards Branch representatives discussed SRGs and STIGs.
The Cyber Standards Branch also announced a new STIG collaboration portal, which enables technology discussions among subject matter experts. The collaboration portal is likewise restricted to CAC holders and can be accessed via software.forge.mil/sf/go/proj2530?uri=/sf/go/proj2530.
According to Jason Mackanick, a DISA information technology (IT) specialist, the collaboration portal allows users to get answers to questions from their peers instead of working through the help desk. He said the collaboration portal grew partly from the questions his team received from mission partners asking which STIGs applied to them, and that the agency has content and tools that need to get out to the community earlier, so that feedback can be obtained before the production side is activated.
SRGs and STIGs play a vital role in helping government and commercial organizations safeguard their information systems, and DISA has played a role in developing them since 1998.
Kreigline added that DoD Directive 8500.01E gives DISA the authority to establish a cybersecurity program to protect and defend the department's information technology. The directive gives the agency the authority to develop Control Correlation Identifiers (CCIs), SRGs, and STIGs.
Kreigline explained that SRGs are a collection of requirements applicable to a given technology family, product category, or organization in general. They are non-product-specific requirements used to mitigate common security vulnerabilities encountered across information technology systems and applications.
STIGs, she continued, are an operationally implementable compendium of DoD Information Assurance (IA) controls, security regulations, and best practices for securing the operating systems, networks, applications, and software of IA or IA-enabled devices. Kreigline said STIGs provide security guidance for actions such as mitigating insider threats, containing applications, preventing lateral movement, and securing information system credentials.
SRGs and STIGs are developed from CCIs, which allow security requirements expressed in high-level policy frameworks to be decomposed and explicitly associated with low-level security settings. The ability to trace a security requirement from its origin to its low-level implementation enables organizations to demonstrate compliance with multiple IA frameworks at once. Because each STIG rule carries the CCI it implements, CCIs also provide the means to objectively combine and compare related compliance assessment results across disparate technologies.
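As an added illustration of the CCI traceability described above (this is example code written for this page, not DISA's own tooling), the script below parses two STIG benchmarks laid out in the XCCDF form DISA publishes, indexes each rule by the CCIs it carries, and rolls assessment results from two different technologies up by CCI. Both benchmarks, their rule and group identifiers, and the assessment results are constructed samples; the XCCDF 1.1 namespace and the CCI `ident` system URI are assumptions about the published XML and may need adjusting for a given STIG release.

```python
"""Parse XCCDF-style STIG benchmarks, index rules by CCI, and roll assessment
results up by CCI across technologies. All sample data here is constructed."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Assumptions about DISA's XML: XCCDF 1.1 namespace and the CCI ident system URI.
XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}
CCI_SYSTEM = "http://cyber.mil/cci"

# Constructed sample benchmark for an operating system (not a real STIG).
OS_BENCHMARK = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="Sample_OS_STIG">
  <Group id="V-100001">
    <Rule id="SV-100001r1_rule" severity="medium">
      <title>Accounts must lock after three unsuccessful logon attempts.</title>
      <ident system="http://cyber.mil/cci">CCI-000044</ident>
    </Rule>
  </Group>
  <Group id="V-100002">
    <Rule id="SV-100002r1_rule" severity="high">
      <title>Remote sessions must use approved encryption.</title>
      <ident system="http://cyber.mil/cci">CCI-000068</ident>
      <ident system="http://cyber.mil/cci">CCI-000366</ident>
    </Rule>
  </Group>
</Benchmark>"""

# Constructed sample benchmark for a web server (not a real STIG).
WEB_BENCHMARK = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="Sample_Web_STIG">
  <Group id="V-200001">
    <Rule id="SV-200001r1_rule" severity="high">
      <title>The web server must use TLS for all remote sessions.</title>
      <ident system="http://cyber.mil/cci">CCI-000068</ident>
    </Rule>
  </Group>
  <Group id="V-200002">
    <Rule id="SV-200002r1_rule" severity="low">
      <title>The web server must be configured per the organizational baseline.</title>
      <ident system="http://cyber.mil/cci">CCI-000366</ident>
    </Rule>
  </Group>
</Benchmark>"""

# Constructed assessment results keyed by rule id; SV-200002r1_rule is deliberately
# left unassessed to show how an unreviewed rule surfaces in the CCI rollup.
SAMPLE_RESULTS = {
    "SV-100001r1_rule": "pass",
    "SV-100002r1_rule": "fail",
    "SV-200001r1_rule": "pass",
}


def parse_benchmark(xml_text):
    """Return {rule_id: {"group", "severity", "title", "ccis"}} for one benchmark."""
    root = ET.fromstring(xml_text)
    rules = {}
    for group in root.findall("x:Group", XCCDF_NS):
        for rule in group.findall("x:Rule", XCCDF_NS):
            # Only idents in the CCI system are traceability links; ignore others.
            ccis = [i.text.strip() for i in rule.findall("x:ident", XCCDF_NS)
                    if i.get("system") == CCI_SYSTEM and i.text]
            rules[rule.get("id")] = {
                "group": group.get("id"),
                "severity": rule.get("severity", "unknown"),
                "title": rule.findtext("x:title", default="", namespaces=XCCDF_NS),
                "ccis": ccis,
            }
    return rules


def rollup_by_cci(benchmarks, results):
    """benchmarks: {technology: rules from parse_benchmark}; results: {rule_id: "pass"|"fail"}.
    Returns {cci: {technology: status}}, where a CCI is "fail" for a technology if any rule
    mapped to it failed, "not_reviewed" if any mapped rule has no result, else "pass"."""
    rollup = defaultdict(dict)
    for tech, rules in benchmarks.items():
        per_cci = defaultdict(list)
        for rule_id, meta in rules.items():
            for cci in meta["ccis"]:
                per_cci[cci].append(results.get(rule_id, "not_reviewed"))
        for cci, statuses in per_cci.items():
            if "fail" in statuses:
                rollup[cci][tech] = "fail"
            elif "not_reviewed" in statuses:
                rollup[cci][tech] = "not_reviewed"
            else:
                rollup[cci][tech] = "pass"
    return dict(rollup)


def open_findings(rules, results, min_severity="medium"):
    """Failed rule ids at or above min_severity (STIG CAT I = high, CAT II = medium, CAT III = low)."""
    rank = {"low": 1, "medium": 2, "high": 3}
    return sorted(rule_id for rule_id, meta in rules.items()
                  if results.get(rule_id) == "fail"
                  and rank.get(meta["severity"], 0) >= rank[min_severity])


if __name__ == "__main__":
    benchmarks = {"os": parse_benchmark(OS_BENCHMARK), "web": parse_benchmark(WEB_BENCHMARK)}
    for cci, by_tech in sorted(rollup_by_cci(benchmarks, SAMPLE_RESULTS).items()):
        print(cci, by_tech)
    print("open CAT I/II findings (os):", open_findings(benchmarks["os"], SAMPLE_RESULTS))
```

With the constructed data, CCI-000068 reads as failed on the operating system but passed on the web server, and CCI-000366 shows the web server rule as not reviewed; that is the cross-technology comparison the CCI layer makes possible, since the two rule sets share no rule identifiers at all.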
The agency employs three different methods to write STIGs: in-house, where DISA subject matter experts write the STIG; a consensus effort, during which DISA develops the STIG in partnership with other government organizations, including the National Security Agency (NSA) and the Office of the DoD Chief Information Officer; and a vendor effort.
Kreigline noted that if a vendor is interested in developing a STIG, DISA guides the vendor to develop it using the agency's format, but not every vendor gets a STIG. DISA must apply some limiting factors as to what receives a STIG. The biggest factor for determining whether a STIG is written is the volume of the product's usage within DoD. It is not the only factor, but it is the biggest one.
The agency releases STIGs on a quarterly basis, in addition to issuing ad hoc releases for items requiring immediate fixes.
A copy of Kreigline’s presentation is located on DISA.mil.