PURPOSE
Identify Security Technical Implementation Guide (STIG) requirements that do not have associated Common Control Identifiers (CCIs) or associated Risk Management Framework (RMF) Security Controls in the System Impact Level Baseline.
Correlate STIG CCIs to RMF Security Controls.
TERMS
- STIG – Security Technical Implementation Guide. Interchangeable with DISA STIG, DISA Checklist
- CCI – Common Control Identifier. Unique identifier associated with an individual STIG requirement or RMF AP. The CCI provides traceability from the STIG requirement to the AP.
- AP – Assessment Procedure. Unique requirement associated with a Security Control.
- Security Control – RMF requirement that provides high-level guidance. APs fall under a Security Control to provide distinct requirements.
HOW IT WORKS
The tool parses the STIG/SCAP content to find the associated CCI, matches the CCI to the Security Control, determines if the Security Control is found within the System Impact Level Baseline, identifies unmapped CCIs and Security Controls, and provides a report of non-matches.
- Parse STIG/SCAP content and find the associated CCI. If the STIG requirement contains an associated CCI, continue with the AP lookup below. If no CCI is found then processing of that requirement is complete, as no further matches can be made. NOTE: Not all STIG requirements have an associated CCI.
- Perform lookup of the STIG CCI in the AP.XLSX file (STIG-CCI-ControlMapper\References). NOTE: This file is an export of all APs from the RMF Knowledge Service Security Control Browser.
- Determine if a CCI match is found. If Yes, correlate the Security Control associated with the CCI in the APS.XLSX file and continue with the Security Control lookup below. If no CCI match is found, populate the Requirements grid with a status of “Unmapped CCI”. NOTE: There are STIG CCIs that do not associate to any RMF Security Control.
- Perform lookup of the matched CCI > Control from the APS.XLSX file to the CONTROLS.XLSX file (STIG-CCI-ControlMapper\References). NOTE: This file is an export of all Security Controls from the RMF Knowledge Service Security Control Browser. This step is required because the APS.XLSX file does not contain Impact Level mapping to Security Control.
- Determine if a Security Control match is found. If Yes, determine if the Security Control is present in the System Impact Level Baseline. If Yes, the match is complete and the Requirements grid is populated with the CCI to Security Control match. If No, the tool determines whether the Security Control exists within the full Security Control Baseline (so the mismatch is due to the selected System Impact Level) or whether the Security Control has not been allocated to any Impact Level. Possible results are:
  - Yes. The Security Control associated with the STIG CCI is found in the selected System Impact Levels.
  - No. The Security Control associated with the STIG CCI is NOT found in the selected System Impact Levels. NOTE: Usually because the Security Control is allocated only to an Impact Level higher than the selected System Impact Level.
  - Unmapped CCI. The STIG CCI does not have a correlating RMF Assessment Procedure, therefore it does not have an associated RMF Security Control.
  - Unmapped Control. The STIG CCI does have a correlating RMF Assessment Procedure, however the Assessment Procedure does not have a correlating RMF Security Control.
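The following is an added example (not the tool's own code) that walks the whole procedure above end to end: it pulls CCIs out of XCCDF rules, performs the CCI > AP > Control lookups, checks the control against the selected impact levels, and emits the four statuses plus a "No CCI" row for rules that carry no CCI at all. The benchmark XML and the two lookup dictionaries are constructed stand-ins for a real STIG and for the APS.XLSX / CONTROLS.XLSX exports; the `ident` system URIs are the ones DISA STIG benchmarks use for CCIs. The decision to report a control that is listed in the AP export but absent from the control export as "Unmapped Control" is this example's own choice.

```python
"""Map STIG rule CCIs to RMF controls and check them against an impact-level baseline."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
# ident/@system values used by DISA STIG benchmarks for CCI references
CCI_SYSTEMS = {"http://cyber.mil/cci", "http://iase.disa.mil/cci"}

# Constructed sample benchmark (not a real STIG). SV-3 deliberately has no CCI.
SAMPLE_XCCDF = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_sample_benchmark">
  <Group id="V-1"><Rule id="SV-1r1_rule"><title>CCI maps to a control in the baseline</title>
    <ident system="http://cyber.mil/cci">CCI-000001</ident></Rule></Group>
  <Group id="V-2"><Rule id="SV-2r1_rule"><title>Control allocated only above the baseline</title>
    <ident system="http://cyber.mil/cci">CCI-000002</ident></Rule></Group>
  <Group id="V-3"><Rule id="SV-3r1_rule"><title>Rule with no CCI</title></Rule></Group>
  <Group id="V-4"><Rule id="SV-4r1_rule"><title>CCI with no Assessment Procedure</title>
    <ident system="http://cyber.mil/cci">CCI-000004</ident></Rule></Group>
  <Group id="V-5"><Rule id="SV-5r1_rule"><title>AP with no Security Control</title>
    <ident system="http://cyber.mil/cci">CCI-000005</ident></Rule></Group>
</Benchmark>"""

# Constructed stand-in for APS.XLSX: CCI -> (AP id, control id or None).
APS = {
    "CCI-000001": ("AC-2.1", "AC-2"),
    "CCI-000002": ("AC-2(1).1", "AC-2(1)"),
    "CCI-000005": ("XX-1.1", None),      # AP exists but carries no control
}
# Constructed stand-in for CONTROLS.XLSX: control -> impact levels it is allocated to.
CONTROLS = {
    "AC-2": {"LOW", "MODERATE", "HIGH"},
    "AC-2(1)": {"MODERATE", "HIGH"},
}


def parse_rule_ccis(xccdf_text):
    """Return [(rule_id, [cci, ...])] for every Rule in the benchmark."""
    root = ET.fromstring(xccdf_text)
    rules = []
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        ccis = [i.text.strip() for i in rule.findall(f"{{{XCCDF_NS}}}ident")
                if i.get("system") in CCI_SYSTEMS and i.text]
        rules.append((rule.get("id"), ccis))
    return rules


def map_cci(cci, impact_levels, aps=APS, controls=CONTROLS):
    """Classify one CCI as Yes / No / Unmapped CCI / Unmapped Control."""
    if cci not in aps:                      # no AP at all -> no control reachable
        return {"cci": cci, "ap": None, "control": None, "status": "Unmapped CCI"}
    ap, control = aps[cci]
    if control is None or control not in controls:
        # AP exists but no control (or the control has no entry in the control export)
        return {"cci": cci, "ap": ap, "control": control, "status": "Unmapped Control"}
    allocated = controls[control]           # empty set = not allocated to any level
    status = "Yes" if allocated & set(impact_levels) else "No"
    return {"cci": cci, "ap": ap, "control": control, "status": status}


def build_report(xccdf_text, impact_levels):
    """One Requirements-grid row per rule/CCI pair; rules without a CCI get 'No CCI'."""
    rows = []
    for rule_id, ccis in parse_rule_ccis(xccdf_text):
        if not ccis:
            rows.append({"rule": rule_id, "cci": None, "ap": None,
                         "control": None, "status": "No CCI"})
            continue
        for cci in ccis:
            rows.append({"rule": rule_id, **map_cci(cci, impact_levels)})
    return rows


def non_matches(rows):
    """The report of non-matches: everything that did not resolve to 'Yes'."""
    return [r for r in rows if r["status"] != "Yes"]


if __name__ == "__main__":
    for row in non_matches(build_report(SAMPLE_XCCDF, ["LOW"])):
        print(f"{row['rule']:<14} {row['cci'] or '-':<11} {row['control'] or '-':<8} {row['status']}")
```

Selecting `["LOW"]` reports SV-2 as "No" because AC-2(1) is allocated to MODERATE and HIGH only; selecting `["MODERATE"]` turns that row into a match, which is exactly the "higher Impact Level" case the NOTE above describes.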