Security Technical Implementation Guides (STIGs)
Important Links
What is a STIG?
As part of the nation's effort to improve the security of information technology used by both public and private entities, the Department of Defense (DoD), through the Defense Information Systems Agency (DISA), produces a set of tools and reference material that define and promote a uniform set of security standards for a wide variety of hardware and software products from many vendors. These standards are referred to as Security Technical Implementation Guides (STIGs).
Each STIG contains a list of recommended controls for a specific product or technology. For Microsoft products, there are STIGs for Windows Server, Windows 10, Group Policy Objects and Active Directory, among others. There are also STIGs for Android and Apple devices, Google products and Red Hat Enterprise Linux, as well as for network functions and hardware, including BIND, Cisco IOS, Palo Alto Networks firewalls, and more. For a complete list of currently available STIGs, visit the DISA Document Library linked above.
Why Use a STIG?
The list of controls within each STIG is very comprehensive, and it is not meant to be implemented in its entirety. Adopting a STIG as a security standard does not require implementing every control; it requires that you have evaluated every listed control and considered its suitability for your organization. Some controls will not be applicable in certain environments, and the decision to skip or tailor one should be recorded along with its justification. Even so, using a STIG to identify industry- and government-recommended controls that protect the confidentiality, integrity and availability of your information technology is one of the more comprehensive and uniform ways of establishing a security baseline.
STIGs are closely aligned with, and consistently reference, NIST SP 800-53, the catalog of security and privacy controls organized into control families. Each STIG check is mapped to the NIST SP 800-53 control family it supports. Those same controls are referenced by other NIST documents, including NIST SP 800-171, which defines how to protect Controlled Unclassified Information (CUI) in nonfederal systems and is specifically referenced by the IS-3 UC Electronic Information Security Policy.
Accessing a STIG
STIG files are published in XCCDF, an XML format defined under the Federal government's SCAP standards, and as a result they are not convenient to read with ordinary document tools. To review the contents of a STIG, download the STIG Viewer provided by DISA. The current version of the tool is on the Tools and Viewing Guidance page, along with detailed instructions for using the viewer. Download the standalone viewer built for your operating system; the alternative .JAR version requires a licensed Java 8 SE installation.
You will also need to download one or more STIG files that will be imported into the STIG viewer. These files can be found in the Document Library linked above.
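Because a STIG is an XCCDF XML document inside the downloaded zip, its rules can also be read without STIG Viewer, which is useful when you want to track which controls you have evaluated, accepted or marked not applicable. The following is an added example, not DISA's code or a tool the page describes. It assumes the usual packaging (a zip containing a member whose name ends in `xccdf.xml`, using the XCCDF 1.1 namespace) and embeds a constructed sample benchmark whose V-numbers, rule IDs, CCIs and text are placeholders shaped like real entries. It flattens each Group/Rule pair into the fields STIG Viewer displays, unescapes the pseudo-XML that DISA stores inside `<description>`, and maps XCCDF severity onto the CAT I/II/III categories the viewer shows.

```python
"""Added example (not DISA's code): read a STIG's XCCDF XML directly.
Assumes the usual packaging, a zip with a member ending in "xccdf.xml"
(or a bare .xml) using the XCCDF 1.1 namespace DISA publishes."""
import zipfile
from collections import Counter
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}
CCI_SYSTEM = "http://cyber.mil/cci"
# STIG Viewer presents XCCDF severity as a Category (CAT I/II/III).
SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

# Constructed sample benchmark: IDs, CCIs and text are placeholders shaped
# like real entries, not real STIG content.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="Example_STIG">
  <title>Example Product STIG</title>
  <Group id="V-000001"><title>SRG-OS-000000-GPOS-00000</title>
    <Rule id="SV-000001r1_rule" severity="high" weight="10.0">
      <version>EX-00-000001</version><title>The service must not permit anonymous access.</title>
      <description>&lt;VulnDiscussion&gt;Anonymous access defeats accountability.&lt;/VulnDiscussion&gt;</description>
      <ident system="http://cyber.mil/cci">CCI-000000</ident>
      <fixtext fixref="F-000001">Set anonymous_access to false and restart the service.</fixtext>
      <check system="C-000001"><check-content>If anonymous_access is true, this is a finding.</check-content></check>
    </Rule></Group>
  <Group id="V-000002"><title>SRG-OS-000000-GPOS-00000</title>
    <Rule id="SV-000002r1_rule" severity="medium" weight="10.0">
      <version>EX-00-000002</version><title>The service must log failed logons.</title>
      <description>&lt;VulnDiscussion&gt;Failed logons indicate attack attempts.&lt;/VulnDiscussion&gt;</description>
      <ident system="http://cyber.mil/cci">CCI-000000</ident><ident system="http://cyber.mil/cci">CCI-000001</ident>
      <fixtext fixref="F-000002">Enable failed-logon auditing.</fixtext>
      <check system="C-000002"><check-content>If failed logons are not audited, this is a finding.</check-content></check>
    </Rule></Group>
  <Group id="V-000003"><title>SRG-OS-000000-GPOS-00000</title>
    <Rule id="SV-000003r1_rule" severity="low" weight="10.0">
      <version>EX-00-000003</version><title>The logon banner must be displayed.</title>
      <description>&lt;VulnDiscussion&gt;Banners give legal notice.&lt;/VulnDiscussion&gt;</description>
      <ident system="http://cyber.mil/cci">CCI-000002</ident>
      <fixtext fixref="F-000003">Configure the banner text.</fixtext>
      <check system="C-000003"><check-content>If no banner is shown, this is a finding.</check-content></check>
    </Rule></Group>
</Benchmark>
"""


def load_xccdf(path):
    """Return XCCDF text from a STIG zip download or a plain .xml file."""
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as z:
            members = [n for n in z.namelist() if n.lower().endswith("xccdf.xml")]
            if not members:
                raise ValueError("archive contains no *xccdf.xml member")
            return z.read(members[0]).decode("utf-8")
    with open(path, encoding="utf-8") as f:
        return f.read()


def vuln_discussion(description):
    """DISA escapes pseudo-XML (<VulnDiscussion> etc.) inside <description>;
    after ElementTree unescapes it, parse it again under a dummy root."""
    try:
        found = ET.fromstring("<d>" + description + "</d>").findtext("VulnDiscussion")
    except ET.ParseError:
        found = None
    return (found if found is not None else description).strip()


def parse_xccdf(xml_text):
    """Flatten each Group/Rule pair into the fields STIG Viewer displays."""
    root = ET.fromstring(xml_text)
    rules = []
    for group in root.iter("{%s}Group" % NS["x"]):
        rule = group.find("x:Rule", NS)
        if rule is None:
            continue
        sev = rule.get("severity", "")
        rules.append({
            "vuln_id": group.get("id"),                       # V-number
            "rule_id": rule.get("id"),                        # SV-...r<n>_rule
            "stig_id": rule.findtext("x:version", "", NS),    # product-specific ID
            "severity": sev,
            "cat": SEVERITY_TO_CAT.get(sev, "unknown"),
            "title": rule.findtext("x:title", "", NS).strip(),
            "discussion": vuln_discussion(rule.findtext("x:description", "", NS)),
            "ccis": [i.text for i in rule.findall("x:ident", NS) if i.get("system") == CCI_SYSTEM],
            "check": rule.findtext("x:check/x:check-content", "", NS).strip(),
            "fix": rule.findtext("x:fixtext", "", NS).strip(),
        })
    return rules


def count_by_cat(rules):
    """Totals per category, as a checklist summary would show them."""
    return dict(Counter(r["cat"] for r in rules))


if __name__ == "__main__":
    import sys
    parsed = parse_xccdf(load_xccdf(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_XCCDF)
    for r in sorted(parsed, key=lambda r: r["cat"]):
        print(f'{r["vuln_id"]} {r["cat"]:7} {r["stig_id"]} {",".join(r["ccis"])} {r["title"]}')
    print(count_by_cat(parsed))
```

Run it with the path to a downloaded STIG zip to list every rule with its category, STIG ID and CCI references; with no argument it runs against the embedded sample. The CCI identifiers are the hook for the NIST SP 800-53 mapping mentioned above, so the same flattened records can be joined against your own control inventory when documenting which STIG controls were adopted, tailored or marked not applicable.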