Understanding DISA STIG Compliance Requirements

Information security is one of the most important tasks a federal IT pro undertakes.

It’s also one of the most complex—particularly as it relates to compliance requirements.

While the National Institute for Standards and Technology (NIST) provides reference guidance across the federal government, and the Federal Information Security Management Act (FISMA) provides guidance for civilian agencies, Department of Defense (DoD) systems have yet another layer of requirements promulgated by the Defense Information Systems Agency (DISA).

Federal IT security pros within the DoD must comply with the technical testing and hardening frameworks known by the acronym STIG, or Security Technical Implementation Guide. According to DISA, STIGs “are the configuration standards for DOD [information assurance, or IA] and IA-enabled devices/systems…The STIGs contain technical guidance to ‘lock down’ information systems/software that might otherwise be vulnerable to a malicious computer attack.”

To date, DoD has released 461 STIGs, and continues to release more on a semi-regular basis.

While meeting so many requirements may seem daunting, DISA provides both requirements and tools for validating and implementing the security requirements. There are several common testing tools that implement STIGs. Some, like Assured Compliance Assessment Solution (ACAS), were developed by industry specifically for DISA. Others, like the Security Content Automation Protocol (SCAP) Compliance Checker (SCC) were developed by the U.S. Navy for use by Defense agencies. There are even tools that have been developed to encompass a particular category of system components, such as network components, or a particular functional process, such as log aggregation and analysis.

Testing Tools

While the DoD has made managing risk easier by providing an enormous variety of hardened baselines for operating systems, system components, and network devices through STIGs, there are still additional compliance requirements that will require further effort.

That said, the additional effort is highly manageable, especially with automation.

SolarWinds® Network Configuration Manager (NCM) is designed specifically to automate the task of managing network configuration and compliance. NCM can help federal IT pros deploy standardized configurations, detect out-of-process changes, audit configurations, and even correct compliance violations. NCM can even integrate with the National Vulnerability Database to help more easily identify and eliminate known vulnerabilities. NCM is also built to:

  • Inventory network device configurations, assess configurations for compliance, and automate change and configuration management
  • Implement configuration of security controls and help assure effectiveness
  • Produce FISMA and DISA STIGs reports from configuration templates
  • Produce audit documentation and reports

Federal IT pros can get more information on NCM here.

Most system components covered by a STIG can generate logs. System logs, event logs, error logs, messages, and the like can quickly grow to tremendous size and, taken together, can present an equally tremendous effort to review the logs for anomalous behavior that may indicate compromise of the system’s confidentiality, integrity, and availability. Many federal IT teams address this challenge by implementing a Security Information and Event Management (SIEM) solution.

An SIEM tool may be configured to consume logs across the environment, analyze the logs, and identify potential vulnerabilities or anomalous behavior. An SIEM tool can even triage these findings in a prioritized manner for action by the federal IT security team. Taking that one step further, a properly configured and tuned SIEM tool can automate that entire process, helping ease the load of an already heavily-tasked federal security team.

SolarWinds SIEM tool, Security Event Manager (LEM), is the perfect example. SEM can simplify STIG requirements by automating compliance and—just as important—reporting on that compliance.

Federal IT pros can get more information on SEM here.


For DoD Federal IT pros, STIG compliance is a requirement. And, there are hundreds of possible STIGs, each of which can contain dozens to hundreds of technical controls that must be tested for compliance. Most Federal IT teams already have a full plate. This is where tools like NCM and SEM shine, helping the entire Federal IT team achieve compliance and compliance reporting with the support of automated tools that can lighten the whole team’s load.

Last but not least, let’s remember that STIGs apply to DoD agencies. However, FISMA compliance and the NIST Risk Management Framework (RMF) guide all agencies.

For more information on the NIST Risk Management Framework, a range of additional federal security compliance information, and leveraging configuration management, download the Daily Federal Compliance and Continuous Cybersecurity Monitoring white paper.

SolarWinds Government Customers