How to be DISA STIG-compliant with Runecast Analyzer

What is DISA?

The Defense Information Systems Agency (DISA) is a combat support agency of the United States Department of Defense (DoD). Its mission is to provide information technology and communications support to defense and federal agencies, government and coalition partners.

Because different organizations configure their environments differently, those environments also differ in security posture. To achieve consistently secure configurations, DISA has created security standards that every IT asset must meet before it is allowed to connect to and operate on DoD networks. Failure to stay compliant with the standards issued by DISA can result in an organization being denied access to DoD networks.

The guidelines are used by many DoD entities, but they can also be applied to the critical infrastructure of organizations in other sectors.

What are STIGs?

The standards created by DISA are known as Security Technical Implementation Guides (STIGs). They are a set of rules, “created and maintained based on the cybersecurity methodology for standardizing security protocols within networks, servers, computers, and logical designs to enhance overall security. These guides, when implemented, enhance security for software, hardware, physical and logical architectures to further reduce vulnerabilities.” 

The number of STIGs is large, and they cover multiple layers: application, cloud, mobility, network, operating systems, and more.

The full list of STIGs is available on the Information Assurance Support Environment (IASE) website.

“DISA is supporting and sustaining Information Assurance Support Environment (IASE) which provides one-stop access to cybersecurity information, policy, guidance and training for cybersecurity professionals throughout the DoD.”

Who should use DISA STIGs?

All organizations that connect to DoD systems in any way must comply with DISA STIGs. They should follow the guidelines and update their configurations as soon as DISA introduces new rules or modifies existing ones. If compliance is not met or is compromised, organizations can lose access to, and authorization to operate inside, DoD networks.

Although DISA STIGs are aimed at well-defined DoD and government entities, institutions from other sectors may also follow these standards to improve their security level and standardize their environments.

How Runecast can help you stay compliant

The number of STIG policies is large and continues to grow. Each STIG contains thousands of checks. Their complexity and descriptions vary a lot, which makes compliance reporting a very difficult task.

Performing all the checks manually requires tremendous effort. STIG rules are added and updated periodically, and the infrastructure configuration keeps changing during normal operation. Being compliant at every moment in time is a hard goal to reach, especially if monitoring for violations and misconfigurations is not automated.

The desired solution uses automation tools for audits, which ensure point-in-time compliance and, ideally, maintain compliance continuously over time.

Runecast Analyzer is an automation tool that helps you stay compliant. It scans your specific configuration and provides a fit-gap analysis report based on the STIG security checks for VMware (including vSphere and NSX).

Runecast Analyzer is a lightweight virtual appliance deployed in VMware environments. It proactively compares the infrastructure against VMware Knowledge Base articles to prevent known issues. It also includes compliance reports for Best Practices and Security Profiles.

Once the DISA STIG 6 profile is enabled in the Security Compliance section of the Settings page, it becomes available for analysis and reporting.

The security policies displayed in the DISA STIG 6 section are taken from the official Information Assurance Support Environment (IASE) website. The profile is divided into three categories, containing all STIG policies for vSphere vCenter, ESXi and Virtual Machines respectively. The latest version of Runecast (v1.8) also includes the standards for NSX (NSX Manager, Distributed Logical Router, and Distributed Firewall).

The policy severity differs based on the type of security check:

  • Low Severity: Any vulnerability, the existence of which degrades measures to protect against loss of Confidentiality, Availability, or Integrity.
  • Medium Severity: Any vulnerability, the exploitation of which has a potential to result in loss of Confidentiality, Availability, or Integrity.
  • High Severity: Any vulnerability, the exploitation of which will directly and immediately result in loss of Confidentiality, Availability, or Integrity.

The policy complexity varies considerably, from checking infrastructure configuration settings to confirming manual user verifications (e.g. that verified ESXi installation media was used). For each type of policy, Runecast Analyzer displays a different state, depending on whether the check was fully automated (as with configuration checks, Example 1) or whether user intervention is required to confirm compliance (Example 2).

Example 1: screenshot of a fully automated configuration check.

Example 2: screenshot of a check that requires user confirmation.

Analysis results can be:

  • Fail: Displayed when even one object (host, vCenter, VM) in the infrastructure is not compliant with a specific security check. The list of non-compliant objects can be viewed in the details of affected objects. No manual check is involved.
  • Pass: Displayed when all objects are found compliant. No manual check is involved.
  • Manual: User intervention is required to ensure compliance.
  • Fail (M): Displayed when even one object in the infrastructure is not compliant with a specific security check. The list of non-compliant objects can be viewed in the details of affected objects. A manual check is also involved.
  • Pass (M): Displayed when no object is found non-compliant. A manual check is also involved.

If some of the rules are not part of your organization’s security policy, you can customize the displayed security checks by filtering out those that do not apply.
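The result states above follow a simple aggregation rule: a check fails as soon as one in-scope object fails it, passes when none does, and carries an "(M)" suffix when a human still has to confirm part of it. The following is an added example that illustrates that logic in Python; it is not Runecast code and does not describe how Runecast Analyzer is implemented. The inventory, rule identifiers (EX-…) and thresholds are constructed for the example; the ESXi advanced-setting names are real, but the values chosen for them here are illustrative, not the STIG's required values. It also shows the "filter out not-applicable rules" option from the paragraph above.

```python
"""Toy STIG-style compliance evaluator: an added example, not Runecast code."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample inventory: object name -> type plus the configuration
# values an automated check would read. All values are made up for the demo.
INVENTORY: Dict[str, dict] = {
    "esxi-01": {"type": "host", "config": {"Security.AccountLockFailures": 3,
                                           "UserVars.ESXiShellTimeOut": 600}},
    "esxi-02": {"type": "host", "config": {"Security.AccountLockFailures": 0,
                                           "UserVars.ESXiShellTimeOut": 600}},
    "vcsa-01": {"type": "vcenter", "config": {"ssoPasswordMinLength": 15}},
    "vm-web": {"type": "vm", "config": {"isolation.tools.copy.disable": "true"}},
    "vm-db": {"type": "vm", "config": {}},   # setting absent -> non-compliant
}

SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}   # ordering from the article


@dataclass
class Rule:
    rule_id: str          # placeholder id, not a real STIG vulnerability id
    severity: str         # "High" | "Medium" | "Low"
    object_type: str      # which inventory objects the rule applies to
    title: str
    check: Optional[Callable[[dict], bool]]   # None -> nothing can be automated
    manual: bool          # True -> a human must still confirm part of the rule


# Hypothetical rules; thresholds are illustrative, not the STIG's values.
RULES: List[Rule] = [
    Rule("EX-ESXI-LOCKOUT", "Medium", "host", "Lock accounts after few failed logins",
         lambda c: 1 <= c.get("Security.AccountLockFailures", 0) <= 3, manual=False),
    Rule("EX-ESXI-SHELL-TIMEOUT", "Low", "host", "ESXi Shell sessions time out",
         lambda c: 0 < c.get("UserVars.ESXiShellTimeOut", 0) <= 600, manual=False),
    Rule("EX-ESXI-MEDIA", "Medium", "host", "Verified installation media was used",
         None, manual=True),
    Rule("EX-VM-COPY", "Low", "vm", "Clipboard copy into the VM is disabled",
         lambda c: str(c.get("isolation.tools.copy.disable", "false")).lower() == "true",
         manual=True),
    Rule("EX-VC-PWLEN", "Medium", "vcenter", "SSO password minimum length enforced",
         lambda c: c.get("ssoPasswordMinLength", 0) >= 15, manual=True),
]


def evaluate(rule: Rule, inventory: Dict[str, dict]) -> Tuple[str, List[str]]:
    """Return (status, affected objects) using the Fail/Pass/Manual/(M) semantics."""
    if rule.check is None:
        return "Manual", []          # the scanner cannot decide this one at all
    in_scope = {n: o for n, o in inventory.items() if o["type"] == rule.object_type}
    failing = sorted(n for n, o in in_scope.items() if not rule.check(o["config"]))
    status = "Fail" if failing else "Pass"   # one failing object fails the rule
    return (status + " (M)" if rule.manual else status), failing


def report(rules: List[Rule], inventory: Dict[str, dict],
           excluded: frozenset = frozenset()) -> Dict[str, dict]:
    """Evaluate every rule not filtered out as inapplicable to the org's policy."""
    results: Dict[str, dict] = {}
    for rule in rules:
        if rule.rule_id in excluded:
            continue
        status, affected = evaluate(rule, inventory)
        results[rule.rule_id] = {"severity": rule.severity, "status": status,
                                 "affected": affected, "title": rule.title}
    return results


def open_findings(results: Dict[str, dict]) -> List[str]:
    """Rule ids with any Fail status, most severe first, for remediation order."""
    failed = [rid for rid, r in results.items() if r["status"].startswith("Fail")]
    return sorted(failed, key=lambda rid: (SEVERITY_RANK[results[rid]["severity"]], rid))


if __name__ == "__main__":
    res = report(RULES, INVENTORY)
    for rid, r in res.items():
        print(f"{rid:24} {r['severity']:7} {r['status']:9} {r['affected']}")
    print("remediate first:", open_findings(res))
```

Running the block prints one line per rule; with the constructed inventory, EX-ESXI-LOCKOUT fails on esxi-02, EX-VM-COPY reports Fail (M) on vm-db, EX-ESXI-MEDIA is Manual, and the remaining rules pass. Passing excluded={"EX-VM-COPY"} to report() drops that rule from the output, which is the filtering behaviour described in the paragraph above.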

DISA STIGs cover VMware vSphere and NSX, and Runecast Analyzer supports both to automate DISA STIG compliance checks.


Ionut Radu

Data Scientist Engineer