DISA Risk Management Executive (RME) developed a process whereby original product developers and vendors can write Security Technical Implementation Guides (STIGs) for their own products. A vendor STIG must be written against a published DoD Security Requirements Guide (SRG).

To initiate the process, a product vendor must fill out the Vendor STIG Intent Form available under Guidance Documents. The completed form is submitted to disa.stig_spt@mail.mil.

A representative from the Risk Management Executive STIG team will follow-up with the vendor to initiate the process.

Technology-specific SRGs describe what a technology family SHOULD be capable of in order to be secured. The STIG author (the vendor) assesses each SRG requirement against the product, and each assessment has one of four possible outcomes:

Not Applicable – the feature does not exist in the product, so the requirement cannot apply and the feature cannot be exploited.

Applicable – configurable – the product may or may not meet the requirement, depending on how it is configured.

Applicable – inherently meets – the behaviour is not configurable, but the product meets the requirement by default.

Applicable – does not meet – the behaviour is not configurable, and the product does not meet the requirement.

Upon completion of the SRG spreadsheet, the data is transformed into a STIG. The resulting STIG reflects what a specific product CAN do, at a specific release and, where relevant, patch level. A published STIG contains only the requirements that fall into the "Applicable – configurable" category; requirements that are not applicable, inherently met, or not met are not carried into the STIG.
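The following is an added illustration of that triage step, not a DISA tool or part of the vendor process itself. It parses a constructed CSV export of a completed SRG spreadsheet (the SRG IDs, titles, outcomes, check and fix text are all hypothetical), validates that every row uses one of the four outcomes and that every configurable row carries the check and fix text a STIG requirement needs, keeps only the "Applicable - configurable" rows as STIG requirements, and lists the "does not meet" rows separately so they are not lost when they drop out of the STIG. The column names and the spelling of the outcome strings are assumptions of this example.

```python
import csv
import io
from collections import Counter

# The four assessment outcomes from the vendor STIG process, spelled as this example assumes.
NOT_APPLICABLE = "Not Applicable"
CONFIGURABLE = "Applicable - configurable"
INHERENTLY_MEETS = "Applicable - inherently meets"
DOES_NOT_MEET = "Applicable - does not meet"
OUTCOMES = {NOT_APPLICABLE, CONFIGURABLE, INHERENTLY_MEETS, DOES_NOT_MEET}

# Constructed sample of a completed SRG spreadsheet exported as CSV. The SRG IDs,
# titles, check text and fix text are hypothetical and do not come from any published SRG.
SAMPLE_SRG_CSV = """srg_id,title,outcome,check,fix
SRG-EX-000010,Enforce approved authorizations,Applicable - configurable,Run 'show acl' and confirm deny-by-default,Configure a deny-by-default ACL
SRG-EX-000020,Limit concurrent sessions,Applicable - does not meet,,
SRG-EX-000030,Audit session termination,Applicable - inherently meets,,
SRG-EX-000040,Protect wireless access,Not Applicable,,
SRG-EX-000050,Use FIPS-validated cryptography,Applicable - configurable,Check that the crypto policy is FIPS,Set the crypto policy to FIPS
"""


def parse_srg_csv(text):
    """Parse the exported spreadsheet into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def validate(rows):
    """Return a list of problems: unknown outcomes, or configurable rows missing check/fix text."""
    errors = []
    for r in rows:
        if r["outcome"] not in OUTCOMES:
            errors.append(f"{r['srg_id']}: unknown outcome {r['outcome']!r}")
        elif r["outcome"] == CONFIGURABLE and not (r["check"].strip() and r["fix"].strip()):
            errors.append(f"{r['srg_id']}: configurable requirement needs check and fix text")
    return errors


def build_stig(rows):
    """Keep only 'Applicable - configurable' rows as STIG requirements.

    Returns (stig_rows, tally) where tally counts every outcome in the input,
    so the author can see how much of the SRG the STIG actually covers.
    Raises ValueError if the spreadsheet fails validation.
    """
    errors = validate(rows)
    if errors:
        raise ValueError("; ".join(errors))
    stig = [r for r in rows if r["outcome"] == CONFIGURABLE]
    tally = Counter(r["outcome"] for r in rows)
    return stig, tally


def does_not_meet(rows):
    """SRG IDs the product cannot satisfy; they are excluded from the STIG, so track them separately."""
    return [r["srg_id"] for r in rows if r["outcome"] == DOES_NOT_MEET]


if __name__ == "__main__":
    rows = parse_srg_csv(SAMPLE_SRG_CSV)
    stig, tally = build_stig(rows)
    for r in stig:
        print(f"{r['srg_id']}: {r['title']}\n  Check: {r['check']}\n  Fix: {r['fix']}")
    print("Outcome tally:", dict(tally))
    print("Does not meet (not in STIG):", does_not_meet(rows))
```

Run as a script it prints the two STIG requirements with their check and fix text, a tally of all four outcomes, and the one requirement the product cannot meet. A spreadsheet with a misspelled outcome, or a configurable row with no check or fix text, is rejected before any STIG content is produced.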

Vendor Process Downloads

Title:   Vendor STIG Intent Form
Size:    88.47 KB
Updated: 2019-07-24