DISA Announces Changes to STIG Vulnerability Identifiers

In order to provide increased flexibility for the future, DISA is updating the systems that produce Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs). The initial modification changes the Group and Rule IDs (Vul and Subvul IDs). The previous Group and Rule IDs will be retained through the update as “legacy” IDs, presented as XCCDF ident elements. See the example below:

<Group id="V-204392">
   <title>SRG-OS-000257-GPOS-00098</title>
   <description>…</description>
   <Rule id="SV-204392r85825_rule" weight="10.0" severity="high">
      <version>RHEL-07-010010</version>
      <title>The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values.</title>
      <description>…</description>
      <reference>…</reference>
      <ident system="http://cyber.mil/legacy">SV-86473</ident>
      <ident system="http://cyber.mil/legacy">V-71849</ident>
      <ident system="http://cyber.mil/cci">CCI-001494</ident>
      <ident system="http://cyber.mil/cci">CCI-001496</ident>
      <ident system="http://cyber.mil/cci">CCI-002165</ident>
      <ident system="http://cyber.mil/cci">CCI-002235</ident>
   </Rule>
</Group>
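For teams that track findings by the old Vul/Subvul IDs, the practical task is to read the new XCCDF, pick up the legacy ident elements, and build a lookup from each legacy ID to the new Group/Rule ID. The following is an added example (not DISA's code or part of the announcement) that does this with Python's standard library; the sample XML is a constructed fragment modelled on the excerpt above, and the namespace-stripping helper is an assumption so the same code works whether or not the file carries the XCCDF namespace.

```python
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the announcement's example (closing tags
# added, descriptions dropped); it is not DISA's published STIG file.
SAMPLE_XCCDF = """<Group id="V-204392">
  <title>SRG-OS-000257-GPOS-00098</title>
  <Rule id="SV-204392r85825_rule" weight="10.0" severity="high">
    <version>RHEL-07-010010</version>
    <title>System file permissions must match the vendor values.</title>
    <ident system="http://cyber.mil/legacy">SV-86473</ident>
    <ident system="http://cyber.mil/legacy">V-71849</ident>
    <ident system="http://cyber.mil/cci">CCI-001494</ident>
    <ident system="http://cyber.mil/cci">CCI-001496</ident>
  </Rule>
</Group>"""
LEGACY, CCI = "http://cyber.mil/legacy", "http://cyber.mil/cci"

def _local(tag):  # strip any namespace so this works with or without the XCCDF namespace
    return tag.rsplit("}", 1)[-1]

def extract_rules(xccdf_text):
    """One record per Rule: new Group/Rule IDs, STIG ID, severity, legacy IDs and CCIs."""
    root = ET.fromstring(xccdf_text)
    records = []
    for group in root.iter():  # iter() includes the root, so a Group root is found too
        if _local(group.tag) != "Group":
            continue
        for rule in group:
            if _local(rule.tag) != "Rule":
                continue
            rec = {"group_id": group.get("id"), "rule_id": rule.get("id"),
                   "severity": rule.get("severity"), "stig_id": None, "legacy_ids": [], "ccis": []}
            for child in rule:
                name, value = _local(child.tag), (child.text or "").strip()
                if name == "version":
                    rec["stig_id"] = value  # the STIG ID, e.g. RHEL-07-010010
                elif name == "ident" and child.get("system") == LEGACY:
                    rec["legacy_ids"].append(value)
                elif name == "ident" and child.get("system") == CCI:
                    rec["ccis"].append(value)
            records.append(rec)
    return records

def legacy_to_new(records):
    """Map each legacy Vul/Subvul ID to its new (Group, Rule) ID pair for migrating findings."""
    return {legacy: (r["group_id"], r["rule_id"])
            for r in records for legacy in r["legacy_ids"]}
```

Run `legacy_to_new(extract_rules(open(path).read()))` over a converted STIG to get the table needed to carry existing POA&M or scan results forward to the new IDs.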

These updates will necessitate a new version number for every STIG as it is converted to the new format. For example, if the old version/release of a STIG is V2R6, the updated version/release will be V3R1.

DISA will make two manual STIGs (Microsoft Windows Server 2019 and Red Hat Enterprise Linux 7) available in the new format, along with associated automated benchmarks. A new XSL stylesheet is included to handle the “legacy” identifiers. The next release of STIG Viewer will also be able to handle the “legacy” identifiers.