DISA STIG Compliance

You are here:

Home
Solutions
DISA STIG Compliance

Overview

Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIG) provide configurable operational security guidance for products being used by the DoD. STIGs, along with vendor documentation, provide a basis for assessing compliance with Cybersecurity controls/control enhancements which supports system Assessment and Authorization (A&A) under the DoD Risk Management Framework (RMF).

Since 2005, I-Assure has played a critical role enhancing the security posture of DoD’s security systems by applying over 4.5 million STIG requirements to DoD systems. We have developed automated tools and scripts to support STIG remediation, however our primary tool is our People. There is no “magic button” to press to achieve STIG compliance. Our DISA STIG Compliance service includes the following:

Compliance without negatively impacting functionality
Enterprise approach that leverages existing technologies
Personnel matrix that provides an expert for each technology
Quick, reliable turnaround

Process

Our DISA STIG Compliance services are process driven and have been executed successfully for multiple DoD Agencies.

Discover

We review hardware and software lists, diagrams and perform interviews to determine the baseline STIGs applicable to the environment.

Assess

We use DISA-provided automated tools, i.e. ACAS and SCAP, locally developed tools and manual reviews to determine and document the current compliance state.

Analyze

We perform a gap analysis with our customer to identify quick fixes, potential problems and provide a go-forward strategy for achieving compliance.

Remediate

We utilize the strategy defined in the Analyze Phase to execute fixes. Regression and functional testing will occur to ensure that security changes do not negatively impact operations. All results will be documented.

Mitigate

For items that could not be remediated due to operational constraints, a Plan of Actions and Milestones (POA&M) is created to identify the vulnerability and the mitigations associated with lowering the raw risk.

Automation is the key to standardized execution in a cost and schedule confined project. We do not take days or weeks to get you compliant – we can do it in minutes or hours. Couple our automated tools with our fully qualified engineers and you will have a successful engagement.