The Defense Information Systems Administration (DISA) is the agency that provides IT and communications support to both government and associated defense organizations. These include the President, Secretary of Defense, U.S. military services along with any person or organization associated with America’s defense initiatives. The DISA is a part of the Department of Defense (DoD).
The DISA has created and maintains a set of security guidelines for any computer systems or networks connected to the DoD. These guidelines are known as the Security Technical Implementation Guides (STIG) and are the primary security standards used by many DoD agencies. In addition to defining security guidelines, the STIG also stipulates how security training should proceed and when security checks should occur. Organizations must stay compliant with these guidelines or they risk having their access to the DoD terminated.
Understanding STIG Requirements
STIG guidelines are extensive, totaling approximately 400 documents. This information sets standards for configuring computers and software. It also dictates settings meant to secure data and prevent hackers from infiltrating operating systems, computers, networks and servers. There are also configurations for mobile devices and cloud computing systems. STIGs even define required processes for software development, testing and project management. Everything from password protection, file encryption methods, and rules for locking users out of accounts after failed login attempts are included. Complying with all these guidelines is an exhaustive process.
Compliance Levels Defined by the DISA
There are three categories of vulnerability detailed by the DISA. Each represents a certain level of risk associated with system or computer weakness. These are vulnerabilities that could result in the loss of confidentiality, availability or integrity. The levels include:
- Category I – These risks present the biggest threat. If an organization fails to address Category I risks, they will be denied permission to operate. The only exception is if failure to use a system could lead to a failed mission.
- Category II – These risks may be authorized if the weaknesses can be mitigated, which they usually can. However, Category II risks could lead to Category I vulnerability and possibly result in the compromising of sensitive data and materials.
- Category III – These risks won’t cause an organization to be denied access to operate, as they can be addressed and reversed. If ignored, these risks could damage the accuracy of information.
Any organization working with the DoD needs to understand these levels of compliance so they can ensure their systems are operating with the proper guidelines implemented.
Because STIGs are modified and added to an account for new technology, staying compliant can be difficult. Plus, any software updates or replacements could wipe out required settings. This is why organizations must take measures to monitor and adjust their systems when necessary. Furthermore, when a system takes on multiple roles, this means multiple STIGs must be adhered to. Once an organization determines which systems must follow compliance, STIG will need to be downloaded and configuration changes made. This can be an extremely time-consuming process. However, automated tools offer an alternative to staying compliant without the need for manual configuration.
To learn more about DISA and PhaseWare, head over to our DISA Compliance Page.