STIGs Frequently Asked Questions

• Microsoft SharePoint 2007 – No STIG was released for Microsoft SharePoint 2007.  The Microsoft SharePoint 2010 STIG should be used and can be found here: Link
• Oracle 12c Release 2 Database STIG – There are no current plans to develop a STIG. Please use Oracle 12c Database STIG which can be found here: Link
• Oracle 18c Release 3 Database STIG – There are no current plans to develop a STIG. Please use Oracle 12c Database STIG which can be found here: Link
• Tomcat AS 6.x STIG – There are no current plans to develop a STIG. Please use the Application Server SRG which can be found here: Link
• Tomcat AS 7.x STIG – There are no current plans to develop a STIG. Please use the Application Server SRG which can be found here: Link
• Tomcat AS 8.x STIG – There are no current plans to develop a STIG. Please use the Application Server SRG which can be found here: Link

Where are 8500.2 Checklists?

The source of IA control information should now be obtained from the DoD RMF/DIACAP Knowledge service at https://rmfks.osd.mil (NIPR ONLY).

Are all applications subject to the Application Security and Development STIG?

The most direct path to your answer appears in the DoD Directive 8500.1 as follows:

• The directive applies to all applications: Section 2 (Ability and Scope) Paragraph 2.1.2: All DoD-owned, or controlled information systems that receive, process, store, display, or transmit DoD information, regardless of mission assurance category, classification or sensitivity …
• The directive also states as policy: Section 4 (Policy) paragraph 4.1: IA requirements will be identified and included in the design, acquisition, installation, operation, upgrade, or replacement of all DOD information systems …

Section 4 (Policy) paragraph 4.13: All DoD information systems shall be certified and accredited in accordance with DoD instruction 5200.40 (reference (U)).

Section 4 (Policy) then goes on to address IA-enabled entities as a separate item.

Enclosure 2 (definitions) contains definitions for Application, DoD Information System, and other terms used in this document.

To summarize, DISA consensus has always been that the 8500.1 directive applies to all DoD compute assets, unless specifically exempted (such as weapons systems for war fighters).

The Application Security and Development STIG The second consideration is the Application Security and Development STIG itself. The Authority section does quote specifics surrounding AI-enabled applications, which are defined as having specific AI considerations and impacts. An argument could be made that the STIG text in the Authority section could be made more complete, with better alignment to the 8500.1 language. However, absence of text stating authority for other application developments should not be used to supersede or exempt any application development from being subject to the 8500.1 guidance. I have recommended this language update to the Authority paragraph for future releases of STIGs.

The Scope section of the Application Security and Development STIG does specifically go on to state that this guidance is a requirement for all DoD developed, architected, and administered applications and systems connected to DoD networks. Later in the same paragraph it does specifically call out custom developed systems. It is the Scope paragraph that makes the connection back to the 8500.1 language.

I hope this helps you in your justification and position that all DoD application are subject to AI guidance as they are developed or acquired.

Will DISA be releasing an SCAP benchmark for Debian?

Although the SCC tool does support Debian SCAP benchmarks DISA will not be releasing a benchmark for Debian.

Where are FTP and TELNET checks?

FTP and Telnet have been moved to the OS STIGs. If you are using FTP and Telnet on a UNIX/Linux Server, they are now covered under the UNIX STIG. If you are using FTP and Telnet on a Windows Operating System, they are now covered under the Windows STIGs. Also refer to the Enclave Security STIG section on “FTP and Telnet for detailed information on its use.

Microsoft has produced a security guide for Hyper-V, the links are provided below. However, due to funding constraints, this is listed on the unfunded STIG development list. When a STIG does not exist, organizations may use a vendor developed guide to use to configure their systems. Organizations using the Hyper-V software need to also review the appropriate Windows Server STIG when setting up their Hyper-V system.

For Server 2012: https://technet.microsoft.com/en-us/library/dn741280(v=ws.11).aspx

For server 2016: https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/plan/plan-hyper-v-security-in-windows-server​

Where is the iPad and iPhone STIG?

The current Apple iOS STIG can be found at Link.

Where can I get information concerning the Risk Management Framework?

For information concerning the Risk Management Framework, please see RMF Knowledge Service Web site at https://rmfks.osd.mil/rmf/Pages/default.aspx (NIPR Only)

Why are files missing from the benchmarks in the SCAP 1.2 format?

SCAP 1.2 benchmarks are published using the data stream XML format. The traditional XCCDF, OVAL, CPE-OVAL, and CPE-Dictionary components of a DISA Benchmark are bundled together as a single data stream file, which is then ZIPped for delivery. The data stream format adds the capability to sign SCAP content, which may be utilized in future releases of DISA Benchmarks.

May I deploy a product if no STIG exists?

Yes, based on mission need and with DAA approval.

What do I use if there is no STIG?

Determine if a STIG has been published for an earlier version of the same product. Many checks and fixes in earlier versions of STIGs can be applied to the new version of the product. If a STIG for an older version of the product is available, review the check and fix procedures to determine which of these work with the new product version. Where possible, use the checks and fixes that work directly with the new version. The remainder of checks and fixes that no longer work with the new product version will need to be evaluated and proper check and fix procedures will need to be determined for each requirement. New product features and configuration settings must also be accounted for based on the relevant SRG.

If there is no related STIG, the most relevant SRG can be used to determine compliance with DoD policies.

In fulfilling a requirement, be it from an SRG or an earlier version of a STIG, vendor documentation may be followed for configuration guidance.

Does DISA certify products for use in the DoD??

No. DISA certifies Information Systems for use in DISA. DISA not does certify products for DoD use. SRGs/STIGs are designed to assist in implementing the secure deployment of products.

Why are certain STIGs and SRGs designated “Sunset” and what does that mean to me?

Sunset products are older SRGs, STIGs, Checklists, or Tools (i.e., DISA Products) that MAY be relevant to the vendor products they address, but are no longer supported by DISA for various reasons. The most common reason for this lack of DISA support is that the vendor product is outdated, superseded by a newer vendor product, or may be vendor non-support.

The lack of DISA support means that there is no active maintenance of the DISA product, thus no updates of the product will be published. Lack of DISA maintenance means that any new vulnerability in the vendor’s product WILL NOT be captured for mitigation, thus the DISA product either is, or will quickly become, out of date. Since DISA is no longer maintaining a given product, a SME responsible for, and knowledgeable about, the product may not be available, thus customer support questions will most likely not be answerable.

A list of sunset STIGs can be found here: Link

Where can I find STIGs for tablets?

If the tablet is using Windows 7 or Windows 8, use the STIG for those operating systems. Windows STIGs can be found at Link. Windows RT devices are not authorized to connect to DoD networks or process DoD data. STIGs for iOS or Android tablets can be found at Link.

How do I get a product added to the UC APL?

The DSAWG provides the IA approval for a product to be added to the UC APL. JITC provides the interoperability approval for the product. Both approvals are needed for a product to be added to the UC APL.

The APL site is https://disa.mil/Network-Services/UCCO/ (NIPR ONLY)

The UCR is https://disa.mil/Network-Services/UCCO (NIPR ONLY)

Download the Vendor STIG Acronym List

How do I open XCCDF STIGs?

Save the STIG zip file package to your local PC drive and extract it to a folder. Extract the files from the zip package that ends with MANUAL_STIG into a new folder. Open the folder with the extracted files, locate and open the .xml file using a web browser. For requestors who want PDF interactive checkboxes, etc.

PDF formats have been an interim step for STIG publication, and are being phased out. There is currently no plan to develop updatable PDF formats for STIGs. The future format for STIG publication is XCCDF output. The conversion process has begun for XCCDF, to enable STIG consumption by tools where both compliance and configuration remediation can be automated with the addition of OVAL code. Several operating system STIGs appear on the DoD Cyber Exchange web site today in the XCCDF format.

The XCCDF format of STIG is made human readable by using a style sheet, which will be bundled with each STIG. It is not in our current plan to create interactive checkbox functionality for XCCDF format STIGs.

How to load .XCCDF file into Excel and store STIG in .xlsx spreadsheet format?

1. Invoke Microsoft Excel
2. Click “Disable Macros” if prompted
3. Within Excel menu bar select: File–>Open–>Name of XML XCCDF file you wish to load into Excel
4. Open .xml file (XCCDF file)
5. A set of radio buttons will appear.
6. a. Click the 2nd button (open the file with the following stylesheet applied). The name of the style sheet should appear.                                                                                                                                                        b. Then Click OK
7. Wait a few seconds for the transformation to be applied. You may get the following error message but you can ignore it by typing “yes”.                                                                                                                              “The file you are trying to open “name of file”, is in a different format than specified by the file extension. Verify that the file is not corrupted and is from a trusted source before opening the file. Do you want to open the file now? ”Click “YES”
8. To store the file as an Excel .xlsx document:                                                                                                  a) From the menu bar, click “File”, then “Save as”
9. At the bottom of the page, save file as type:                                                                                                   a) Excel Workbook
10. Transformation/STIG should now be stored as an .xlsx Word document.

How to load .xml XCCDF file into Microsoft Word and store as a .doc file?

1. Invoke Microsoft Word
2. Within Word menu bar select: File Open Provide name of the .XML file you wish to load into Word
3. Open .XML file (.XCCDF file)
4. A box comes up asking whether you want to install an XML expansion pack.
   a) Click the “NO” box
5. On the right side of the screen there is an XML data view box.
   a) Double click: STIG_unclass.xsl or STIG_fouo.xsl depending on which name comes up
   [in the case of Windows Office 2007 you may not need to double-click at all]
   Wait a few seconds for the XSL transformation to complete. The STIG/Checklist should appear on the screen similar to how it would appear in the Internet Explorer or Firefox browser.
6. To store the file as a Word document:
   a) From the menu bar, click File, then Save As
7. At the bottom of the page, save file as type:
   a) Word 2007 document
8. The stylized STIG should now be stored as a Word document (extension .doc).