SPOT: Security Technical Implementation Guides (STIGs): Why Are They Neglected by System Developers?
MORE THAN JUST NIST SECURITY CONTROLS
System hardening is the process of securing a computer system by reducing its attack surface and eliminating known weaknesses. A critical aspect of system hardening is using Security Technical Implementation Guides (STIGs), the configuration standards published by the Defense Information Systems Agency (DISA) for specific technologies and products: operating systems, databases, web servers, network devices and applications. Where a NIST SP 800-53 control states what must be achieved, a STIG states how a given product must be configured to achieve it, down to the individual setting, the procedure for checking it and the fix to apply. STIGs therefore provide a systematic and thorough approach to securing a system by identifying and addressing known vulnerabilities and configuration weaknesses.
System developers often neglect STIGs for several reasons. The first is that STIGs are time-consuming to implement. A single STIG can contain hundreds of individual requirements, each with its own check and fix procedure, and implementing one fully takes significant time and effort. This is especially challenging for small organizations with limited resources.
SOUND CONFIGURATIONS ARE NEEDED
Another reason STIGs are neglected is that they can be seen as overly restrictive. STIGs are designed to provide a high level of security that may not be necessary or practical in every situation. For example, a STIG may require a configuration or setting that an organization cannot adopt because of a business or operational constraint, such as an application that depends on a service the STIG requires to be disabled.
A third reason is that system developers may not fully understand them. STIGs are written in dense, assessor-oriented technical language that is difficult to interpret for anyone who does not work with them regularly. This leads to confusion and misunderstanding about what a requirement actually demands and how compliance with it is verified.
Despite these challenges, STIGs are an essential tool for securing computer systems. They provide a structured and comprehensive approach to addressing known vulnerabilities and configuration weaknesses, and by implementing them organizations can significantly reduce their attack surface and improve the overall security of their systems.
That said, STIGs are not a one-size-fits-all solution. Each organization's security needs are unique, and its specific requirements and constraints must be considered when implementing a STIG. A requirement that genuinely cannot be met should be tailored, not silently skipped: record the deviation, the justification and any compensating control so that an assessor can review the decision. It may also be necessary to supplement STIGs with additional security measures or controls to address needs the STIG does not cover.
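The two practical problems raised above, the sheer volume of requirements in a STIG and the need to tailor it with documented deviations rather than skip items, are easier to manage when the benchmark is treated as data. DISA distributes STIGs as XCCDF XML, and the following script, an added example that is not part of the original article or of any DISA tool, reads that format, groups rules by DISA severity category (high, medium and low map to CAT I, II and III) and applies a tailoring list in which every exemption must carry a written justification. The embedded benchmark is a constructed sample: its element layout follows a STIG export, but the V-numbers, STIG IDs and rule titles are invented for this example.

```python
"""Triage a STIG XCCDF benchmark before hardening: count rules by category
and apply a documented tailoring list. Added example, not DISA tooling."""
import xml.etree.ElementTree as ET
from collections import Counter

# DISA publishes STIG benchmarks as XCCDF 1.1 XML; this is that schema's namespace.
XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}

# DISA's mapping of XCCDF severity to STIG categories.
SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}
CAT_ORDER = {"CAT I": 0, "CAT II": 1, "CAT III": 2, "UNKNOWN": 3}

# Constructed sample: layout mirrors a STIG export, but every ID and title
# below is invented for this example and belongs to no real benchmark.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="Example_OS_STIG">
  <title>Example OS STIG (constructed sample)</title>
  <Group id="V-000001">
    <title>SRG-OS-000001</title>
    <Rule id="SV-000001r1_rule" severity="high">
      <version>EXOS-01-010010</version>
      <title>The operating system must be a vendor-supported release.</title>
    </Rule>
  </Group>
  <Group id="V-000002">
    <title>SRG-OS-000002</title>
    <Rule id="SV-000002r1_rule" severity="medium">
      <version>EXOS-01-020010</version>
      <title>The operating system must enforce a minimum password length.</title>
    </Rule>
  </Group>
  <Group id="V-000003">
    <title>SRG-OS-000003</title>
    <Rule id="SV-000003r1_rule" severity="medium">
      <version>EXOS-01-030010</version>
      <title>The FTP service must be disabled.</title>
    </Rule>
  </Group>
  <Group id="V-000004">
    <title>SRG-OS-000004</title>
    <Rule id="SV-000004r1_rule" severity="low">
      <version>EXOS-01-040010</version>
      <title>The login banner must display the approved notice.</title>
    </Rule>
  </Group>
</Benchmark>
"""


def load_rules(xml_text):
    """Flatten Group/Rule pairs into dicts keyed the way STIG viewers show them."""
    root = ET.fromstring(xml_text)
    rules = []
    for group in root.findall("x:Group", XCCDF_NS):
        for rule in group.findall("x:Rule", XCCDF_NS):
            severity = (rule.get("severity") or "").lower()
            rules.append({
                "vuln_id": group.get("id"),  # the V-number an assessor cites
                "rule_id": rule.get("id"),
                "stig_id": rule.findtext("x:version", default="", namespaces=XCCDF_NS),
                "title": rule.findtext("x:title", default="", namespaces=XCCDF_NS),
                "cat": SEVERITY_TO_CAT.get(severity, "UNKNOWN"),
            })
    return rules


def count_by_cat(rules):
    """Number of rules per category, the first thing to know when scoping the work."""
    return dict(Counter(r["cat"] for r in rules))


def tailor(rules, exceptions):
    """Split rules into an ordered work list and a list of documented deviations.

    exceptions maps vuln_id -> written justification. A blank justification is
    not a deviation, and an ID absent from the benchmark is an error, so a typo
    in the tailoring list can neither exempt nothing nor exempt the wrong rule.
    """
    known = {r["vuln_id"] for r in rules}
    unknown = set(exceptions) - known
    if unknown:
        raise ValueError(f"tailoring references unknown rules: {sorted(unknown)}")
    work, deviations = [], []
    for r in rules:
        reason = (exceptions.get(r["vuln_id"]) or "").strip()
        if reason:
            deviations.append({**r, "justification": reason})
        else:
            work.append(r)
    # CAT I first: those are the findings an assessor will not accept open.
    work.sort(key=lambda r: (CAT_ORDER[r["cat"]], r["stig_id"]))
    return work, deviations


if __name__ == "__main__":
    rules = load_rules(SAMPLE_XCCDF)
    print("rules by category:", count_by_cat(rules))
    # Constructed tailoring decision for the sample image.
    exceptions = {"V-000003": "FTP package is not in the image; N/A per build manifest"}
    work, deviations = tailor(rules, exceptions)
    for r in work:
        print(f"{r['cat']:<7} {r['vuln_id']} {r['stig_id']} {r['title']}")
    for d in deviations:
        print(f"DEVIATION {d['vuln_id']}: {d['justification']}")
```

Pointed at a real DISA benchmark file instead of the sample, load_rules needs no change, since the Group, Rule, version and title elements are what the STIG export already contains. The design choice worth copying is in tailor: an exemption is only accepted with a non-blank justification tied to a V-number that exists in the benchmark, which turns "we decided to skip this one" into the documented deviation an assessor can actually review.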
STIGs are a valuable tool for securing computer systems, but they are often neglected because they are time-consuming, perceived as restrictive, and poorly understood. Despite these challenges, the benefits of implementing STIGs far outweigh the costs, and organizations should make every effort to implement them fully, with any deviations documented, as part of their system-hardening efforts.
Dr. Russo is currently the Senior Data Scientist with Cybersenetinel AI in Washington, DC. He is a former Senior Information Security Engineer within the Department of Defense’s (DOD) F-35 Joint Strike Fighter program. He has an extensive background in cybersecurity and is an expert in the Risk Management Framework (RMF) and DOD Instruction 8510, which implement RMF throughout the DOD and the federal government. He holds a Certified Information Systems Security Professional (CISSP) certification and a CISSP in information security architecture (ISSAP). He has a 2017 Chief Information Security Officer (CISO) certification from the National Defense University, Washington, DC. Dr. Russo retired from the US Army Reserves in 2012 as a Senior Intelligence Officer.