Runecast | DISA patch management & DoD STIG security

Table of Contents

• What is DISA?
• What are STIGs?
• Who should use DISA STIGs
• How Runecast can help you with DISA STIG compliance

​What is DISA?

The Defense Information Systems Agency (DISA) is a combat support agency of United States Department of Defense (DoD). Their scope is to provide information technology and communications support to defense and federal agencies, government and coalition partners. 

As different organizations can have varying configurations in their respective environments, these can also vary in terms of security posture. To achieve consistently secure configurations across these environments DISA has created security standards that must be met by all IT assets before they are allowed to connect and operate on DoD networks. Failure to stay compliant with standards issued by DISA can result in an organization being denied access to DoD networks.

The guidelines are used by many DoD entities, but they can also be implemented in the critical infrastructure of other security sectors or segments. Their purpose is to secure information systems and software that might be vulnerable to a malicious computer attack.

What are STIGs?

To simply define STIG, the standards created by DISA are known as Security Technical Implementation Guides (STIGs). They are a set of rules, “created and maintained based on the cybersecurity methodology for standardizing security protocols within networks, servers, computers, and logical designs to enhance overall security. These guides, when implemented, enhance security for software, hardware, physical and logical architectures to further reduce vulnerabilities.” 

The number of STIGs policies is high and covers multiple layers: application, cloud, mobility, network, operating systems... and the list continues.

The full list of STIGs is available on Information Assurance Support Environment (IASE) website.

“DISA is supporting and sustaining Information Assurance Support Environment (IASE) which provides one-stop access to cybersecurity information, policy, guidance and training for cybersecurity professionals throughout the DoD.”

Who should use DISA STIGs

All organizations that connect to DoD systems in any way must comply with DISA STIGs standards. They should follow the guidelines and update them as soon as DISA introduces new rules or modifies the existing ones. If compliance is not met or is compromised, organizations can lose access and authorization to operate inside DoD networks.

Although DISA STIGs is aimed at well-defined entities based on their specific organizational profile or government, a variety of institutions from other sectors may also follow these standards, improving their security level and standardizing their environments.

How Runecast can help you with DISA STIG compliance

The number of STIG policies is large and still continues to grow. Each STIG contains thousands of checks. Their complexity and description vary a lot, which makes compliance reporting a very difficult task.

Webinar: How to implement DISA STIG - a practical step-by-step walk-through guide

‍

‍

Manually performing all the checks requires a tremendous effort. STIG rules are added and updated periodically and the infrastructure configuration is changing through time in its dynamic operation. To be compliant at any moment in time is a hard goal to reach, especially if monitoring violations and misconfigurations are not automated.

Ideal STIG compliance tools use automation for audits, ensuring point-in-time compliance, to achieve compliance continuously over time against a DISA STIG compliance checklist.

Runecast Analyzer is a unique automation tool which helps your DISA STIG compliance. It scans your specific configuration and provides a fit-gap analysis report based on DoD STIG security checks for VMware (including vSphere and NSX).

Runecast Analyzer is a lightweight virtual appliance which is deployed on VMware environments. It proactively compares the infrastructure against VMware Knowledge Base articles, offering the prevention of known issues. It also includes compliance reports for Best Practices and Security Profiles.  

Once the DISA STIG 6 profile is enabled from the Security Compliance section under the Settings page, it will become available for DISA patch management analysis and reporting.

The security policies displayed in DISA STIG 6 section are taken from the official Information Assurance Support Environment (IASE) website. The profile is divided into three categories and each contains DoD STIG policies for vSphere vCenter, ESXi and Virtual Machine. Runecast also includes the standards for NSX (NSX Manager, Distributed Logical Router, and Distributed Firewall). 

The policy severity differs based on the type of DoD STIG security check:

• Low Severity: Any vulnerability, the existence of which degrades measures to protect against loss of Confidentiality, Availability, or Integrity.
• Medium Severity: Any vulnerability, the exploitation of which has a potential to result in loss of Confidentiality, Availability, or Integrity.
• High Severity: Any vulnerability, the exploitation of which will directly and immediately result in loss of Confidentiality, Availability, or Integrity.

The policy complexity varies considerably, from checking infrastructure configuration settings to confirming manual user verifications (e.g. that verified ESXi installation media was used). For each type of policy, Runecast Analyzer will display different states, depending on if the check was fully automated (in case of configuration checks Example 1) or if user intervention is required to confirm DISA STIG checklist compliance. (Example 2).

Example 1

Example 2

Analysis results can be:

• Fail: Will be displayed in case there is even one object (host, vCenter, VM) in an infrastructure that is not compliant with a specific security check. The list of non-compliant objects can be viewed in the details of affected objects. No Manual check is involved.
• Pass: Will be displayed when all objects are found compliant. No Manual check is involved.
• Manual: A user intervention is required to ensure compliance.
• Fail (M): Will be displayed in case there is even one object in an infrastructure that is not compliant with a specific security check. The list of non-compliant objects can be viewed in the details of affected objects. Manual check is involved.
• Pass (M): Will be displayed in case that no object is found as not compliant. Manual check is involved.

If some of the rules are not included in your organization’s security policy, there is an option to customize the displayed DISA STIG checklist by filtering out those that are not applicable to your organization’s security policy.

DISA STIGs cover VMware's vSphere and NSX. Runecast Analyzer fully supports both to automate DISA-STIG compliance checks.

Ionut Radu

Data Scientist Engineer


Test our DISA STIG compliance checks or contact us for a technical deep-dive.