Showing results for 
Search instead for 
Did you mean: 
Create Post

Details on DISA’s Infrastructure “Hardening” Rules

Level 13

Omar Rafik, SolarWinds Senior Manager, Federal Sales Engineering

Here’s an interesting article by Brandon Shopp about DoD’s not-so-secret weapon against cyberthreats. DISA has created technical guidelines that evolve to help keep ahead of threats, and this blog helps demystify DISA STIGs.

The Defense Information Systems Agency (DISA) has a set of security regulations to provide a baseline standard for Department of Defense (DoD) networks, systems, and applications. DISA enforces hundreds of pages of detailed rules IT pros must follow to properly secure or “harden” the government computer infrastructure and systems.

If you’re responsible for a DoD network, these STIGs (Security Technical Implementation Guides) help guide your network management, configuration, and monitoring strategies across access control, operating systems, applications, network devices, and even physical security. DISA releases new STIGs at least once every quarter. This aggressive release schedule is designed to catch as many recently patched vulnerabilities as possible and ensure a secure baseline for the component in operation.

How can a federal IT pro get compliant when so many requirements must be met on a regular basis? The answer is automation.

First, let’s revisit STIG basics. The DoD developed STIGs, or hardening guidelines, for the most common components comprising agency systems. As of this writing, there are nearly 600 STIGs, each of which may comprise hundreds of security checks specific to the component being hardened.

A second challenge, in addition to the cost of meeting STIG requirements, is the number of requirements needing to be met. Agency systems may be made up of many components, each requiring STIG compliance. Remember, there are nearly 600 different versions of STIGs, some unique to a component, some targeting specific release versions of the component.

Wouldn’t it be great if automation could step in and solve the cost challenge while saving time by building repeatable processes? That’s precisely what automation does.

  • Automated tools for Windows servers let you test STIG compliance on a single instance, test all changes until approved, then push out those changes to other Windows servers via Group Policy Object (GPO) automation. Automated tools for Linux permit a similar outcome: test all changes due to STIG compliance and then push all approved changes as a tested, secure baseline out to other servers
  • Automated network monitoring tools digest system logs in real time, create alerts based on predefined rules, and help meet STIG requirements for Continuous Monitoring (CM) security controls while providing the defense team with actionable response guidance
  • Automated device configuration tools can continuously monitor device configurations for setting changes across geographically dispersed networks, enforcing compliance with security policies, and making configuration backups useful in system restoration efforts after an outage
  • Automation also addresses readability. STIGs are released in XML format—not the most human-readable form for delivering data. Some newer automated STIG compliance tools generate easy-to-read compliance reports useful for both security management and technical support teams

If you’re a federal IT pro within a DoD agency, you have an increasing number of requirements to satisfy. Let automation take some of the heavy lifting when it comes to compliance, so you and your team can focus on more pressing tasks.

Find the full article on Government Technology Insider.

The SolarWinds trademarks, service marks, and logos are the exclusive property of SolarWinds Worldwide, LLC or its affiliates. All other trademarks are the property of their respective owners.

Level 12

Thanks, this is good info even for non-DOD shops.

Level 14

Thanks for the article!

Level 12

This is useful for all of us, not just DoD workers.


Thanks for the article.

Level 16

Thanks for the write up

Level 13

thanks for the article

Level 13

if only we could create an automated user that doesn't click malicious links...

Level 15

Interesting article.  I like the concept of automation and repeatable deployment methods.  

Level 11

there were a few terms that I needed to look up but thanks for the peek.  

Level 20

I use the tools every day... Orion, SEM, Syslog Server all to help with maintaining our security stance and being ready to pass DCMA audits.  As you know most recently trying to get so I can use SEM on smaller Information Systems to help satisfy that one ultimate goal of RMF - Continuous Monitoring!  SEM keeps getting better and better now that flash is getting more and more distant in the rear view mirror!


Level 14
I agree that automation is the key to running a lot of STIGs quickly and efficiently. Our team has created a powershell script that covers most Windows flavored STIGS. Radix is a tool available to Gov/Mil CAC holders as well. Radix is a Unix\Linux tool that makes short work of those STIGs. It won't address every Vkey, but it will cover about 80%. I use it for RedHat regularly. Be sure to use the latest version, which will align with the latest STIG drop.
Level 20

I'll have to look up that radix @network_defender .  We use Security Center aka ACAS for scanning these days.  We tried using a product for windows/linux call SteelCloud with some success to remediate automatically but it's not cheap.  Every quarter it's new STIG's and new changes on way or another.

I found a publicly reachable site too: