DISA Risk Management Executive (RME) developed a process whereby original product developers/vendors can write Security Technical Implementation Guides (STIGs) for their products. Vendor STIGs must be written against a published DoD Security Requirements Guide (SRG).

To initiate the process, a product vendor must fill out the Vendor STIG Intent Form available under Guidance Documents. The completed form is submitted to disa.stig_spt@mail.mil.

A representative from the Risk Management Executive STIG team will follow up with the vendor to initiate the process.

Technology-specific SRGs reflect what a technology family SHOULD be capable of in order to be secured. The STIG author (vendor) assesses each SRG control against the product, with one of four possible outcomes:

Not Applicable – the feature does not exist in the product, and therefore cannot be exploited.

Applicable – configurable – may or may not meet the requirement, depending on settings.

Applicable – inherently meets – not configurable, but meets the requirement by default.

Applicable – does not meet – not configurable, and does not meet the requirement.

Upon completion of the SRG spreadsheet, the data is transformed into a STIG. The STIG, once written, reflects what a specific product CAN do at a specific release and, possibly, patch level. Published STIGs contain only requirements that fall into the “applicable – configurable” category.

Vendor Process Downloads