January 30, 2020
The Defense Information Systems Agency (DISA) is a combat support agency of United States Department of Defense (DoD). Their scope is to provide information technology and communications support to defense and federal agencies, government and coalition partners.
As different organizations can have varying configurations in their respective environments, these can also vary in terms of security posture. To achieve consistently secure configurations across these environments DISA has created security standards that must be met by all IT assets before they are allowed to connect and operate on DoD networks. Failure to stay compliant with standards issued by DISA can result in an organization being denied access to DoD networks.
The guidelines are used by many DoD entities, but they can also be implemented in the critical infrastructure of other security sectors or segments. Their purpose is to secure information systems and software that might be vulnerable to a malicious computer attack.
To simply define STIG, the standards created by DISA are known as Security Technical Implementation Guides (STIGs). They are a set of rules, “created and maintained based on the cybersecurity methodology for standardizing security protocols within networks, servers, computers, and logical designs to enhance overall security. These guides, when implemented, enhance security for software, hardware, physical and logical architectures to further reduce vulnerabilities.”
The number of STIGs policies is high and covers multiple layers: application, cloud, mobility, network, operating systems... and the list continues.
The full list of STIGs is available on Information Assurance Support Environment (IASE) website.
“DISA is supporting and sustaining Information Assurance Support Environment (IASE) which provides one-stop access to cybersecurity information, policy, guidance and training for cybersecurity professionals throughout the DoD.”
All organizations that connect to DoD systems in any way must comply with DISA STIGs standards. They should follow the guidelines and update them as soon as DISA introduces new rules or modifies the existing ones. If compliance is not met or is compromised, organizations can lose access and authorization to operate inside DoD networks.
Although DISA STIGs is aimed at well-defined entities based on their specific organizational profile or government, a variety of institutions from other sectors may also follow these standards, improving their security level and standardizing their environments.
The number of STIG policies is large and still continues to grow. Each STIG contains thousands of checks. Their complexity and description vary a lot, which makes compliance reporting a very difficult task.
Manually performing all the checks requires a tremendous effort. STIG rules are added and updated periodically and the infrastructure configuration is changing through time in its dynamic operation. To be compliant at any moment in time is a hard goal to reach, especially if monitoring violations and misconfigurations are not automated.
Ideal STIG compliance tools use automation for audits, ensuring point-in-time compliance, to achieve compliance continuously over time against a DISA STIG compliance checklist.
Runecast Analyzer is a unique automation tool which helps your DISA STIG compliance. It scans your specific configuration and provides a fit-gap analysis report based on DoD STIG security checks for VMware (including vSphere and NSX).
Runecast Analyzer is a lightweight virtual appliance which is deployed on VMware environments. It proactively compares the infrastructure against VMware Knowledge Base articles, offering the prevention of known issues. It also includes compliance reports for Best Practices and Security Profiles.
Once the DISA STIG 6 profile is enabled from the Security Compliance section under the Settings page, it will become available for DISA patch management analysis and reporting.
The security policies displayed in DISA STIG 6 section are taken from the official Information Assurance Support Environment (IASE) website. The profile is divided into three categories and each contains DoD STIG policies for vSphere vCenter, ESXi and Virtual Machine. Runecast also includes the standards for NSX (NSX Manager, Distributed Logical Router, and Distributed Firewall).
The policy severity differs based on the type of DoD STIG security check:
The policy complexity varies considerably, from checking infrastructure configuration settings to confirming manual user verifications (e.g. that verified ESXi installation media was used). For each type of policy, Runecast Analyzer will display different states, depending on if the check was fully automated (in case of configuration checks Example 1) or if user intervention is required to confirm DISA STIG checklist compliance. (Example 2).
Analysis results can be:
If some of the rules are not included in your organization’s security policy, there is an option to customize the displayed DISA STIG checklist by filtering out those that are not applicable to your organization’s security policy.
DISA STIGs cover VMware's vSphere and NSX. Runecast Analyzer fully supports both to automate DISA-STIG compliance checks.
Ionut Radu is Co-Founder and primary Data Engineer at Runecast. Before Runecast, he spent more than eight years at IBM, with his last two as a VMware engineer, designing and implementing virtual infrastructures and disaster recovery solutions. Ionut has been recognized as a vExpert for the past several years, holding also several industry-level certifications, including VCAP-DCV. Beyond the office, he is a proud father of two boys and enjoys family time, reading, traveling, and playing tennis, football and basketball.