Understanding DISA and STIGs
The Defense Information Systems Agency (DISA) is responsible for providing all Information Technology (IT) and telecommunications to Warfighters, so those serving our country can stay connected to crucial systems at all times. Having rigorous security standards and guidelines is imperative to the safety of the Department of Defense (DoD) and the United States as a whole. This is why DoD agencies and contractors, like Trinity IT, apply the guidance documented in the Security Technical Implementation Guides (STIGs) when modernizing or developing new software systems.
What is a STIG?
According to DISA, a STIG is “a Compendium of DoD Policies, Security Regulations and Best Practices for Securing an Information Assurance (IA) or IA-enabled device (operating system, network, application software, etc.)”.
These guides are mandated by DoDD 8500.1 and DoDI 8500.2 as part of the DoD's information security policy. Applying a STIG is intended to prevent intrusions where possible, detect those that do occur, support the response to security incidents, and aid in the recovery of compromised information.
STIGs exist for a wide range of software, including widely deployed products such as Microsoft products, Mozilla Firefox and McAfee antivirus. As commercial software changes over the years, the STIGs are updated to keep pace with current versions. Keeping both the software and its STIG current minimizes the window in which known weaknesses can be exploited and keeps systems as secure as possible.
Breaking Down the STIG Development Cycle
Like software, STIGs are updated over time. The lifecycle for a version update of an existing STIG and for a brand-new STIG is the same, and it is extremely thorough.
The planning phase involves meetings to review and incorporate any new or updated DoD policy, collect vendor documentation, review trouble tickets and enhancement requests, and incorporate Joint Task Force - Global Network Operations (JTF-GNO) publications. From this, a foundational plan is drafted and sent for approval. If DISA Field Security Office (FSO) leadership approves the plan, the STIG development team moves on to the next phase.
Next, the draft STIG is developed and sent for approval. If leadership rejects the draft, the team adjusts and corrects it until it is approved and moves on to the next stage.
The draft is now the subject of a Technical Interchange Meeting (TIM). The TIM allows STIG users, vendors and program managers to make comments and suggestions.
Now it's time to revise the STIG to incorporate the stakeholders' input. This final draft is then sent to DISA FSO leadership for approval.
After the FSO approves the final draft, the review changes hands: the STIG is sent to the Defense Security/Cybersecurity Authorization Working Group (DSAWG) for review.
Next, the final draft must be approved by the DSAWG. If it is not approved, the cycle returns all the way to the final drafting stage and works back through the FSO and DSAWG approvals. Once the DSAWG approves the final draft, with comments and suggestions from DSAWG members, the STIG moves forward again.
The STIG development team revises the draft again, consolidating the DSAWG members' comments, before sending it for approval by the DISA Global Information Grid Operations (GIG-OPS) Director. Once approved, the final STIG is published. At the same time, the Virtual Machines (VMs) Requirements must be activated.
Clearly, the development of STIGs is incredibly thorough and includes stakeholders from multiple departments to ensure the best quality guide. This long process occurs with each version update of a STIG.
That’s not all.
STIGs are also subject to bi-monthly update release cycles. All of this goes to show that DISA leaves no stone unturned when it comes to safeguarding the DoD's information systems.
At Trinity IT, the software development contracts we support for the DoD require compliance with the DISA STIGs. Our team is experienced in applying STIG controls and understands the overall STIG process. Just like DISA, Trinity IT is devoted to keeping IT and telecommunications safe, secure and reliable for the US warfighter and their systems.
Elizabeth Casalnova,
(267) 396-7901
elizabeth.casalnova@trinityit.biz