Security Technical Implementation Guides (STIGs) – DoD Cyber Exchange

For anyone interested in compliance and hardening, here's some links to the DOD/US GOV standards for information systems. This information is available to the public.

Security Technical Implementation Guides (STIGs)

This is a document that has recommended settings, methods, etc to make a product the most secure it can reasonably be. STIGs break things or turn off features people might be accustomed to. You have to do testing and figure out how to either make something work with STIG settings applied, or do exceptions. These are similar to Internet Security (CIS) Benchmarks.

STIG Viewer

The STIG viewer is a Java app that basically makes the list into a checklist where you can track applying settings.

SCAP

Going farther with automation, Security Content Automation Protocol (SCAP) can be used to conduct automated checked against systems to determine compliance with a setting. Install the SCAP tool, load the automated checks into it, and then take the results from SCAP tool and import them into the STIG viewer. It will knock out anything that could be checked automatically. The remaining checks would be things that are manually checked.

Compare

Here's a good article that compares STIGs and CIS benchmarks: https://nira.com/stig-vs-cis/#:~:text=The Center for Internet Security offers a tool similar to,robust than the STIG tool.

Download STIGs for products: https://public.cyber.mil/stigs/downloads/

STIG Viewer: https://public.cyber.mil/stigs/srg-stig-tools/

Security Content Automation Protocol (SCAP) content: https://public.cyber.mil/stigs/scap/

https://public.cyber.mil/stigs/supplemental-automation-content/