On May 31, 2023, FedRAMP released final baselines for the NIST SP 800-53r5 (Rev5) set of controls that are applicable to all Cloud Service Providers (CSP) that are already authorized or intending to be authorized by FedRAMP.
For the High, Moderate, and Low baselines, the requirement for CM-6 (Configuration Management) changed:
From: [Rev4] CM-6 (a) Requirement 1: “The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available.”
To: [Rev5 High/Mod] CM-6 (a) Requirement 1: “The service provider shall use the DoD STIGs to establish configuration settings; Center for Internet Security up to Level 2 (CIS Level 2) guidelines shall be used if STIGs are not available; Custom baselines shall be used if CIS is not available.”
[Rev5 Low] CM-6 (a) Requirement 1: “The service provider shall use the DoD STIGs or Center for Internet Security guidelines to establish configuration settings;”
Key Definitions
Security Requirements Guides (SRGs)
SRGs are collections of requirements applicable to a given technology family. There are four core SRGs:
- Application SRG
- Network SRG
- Operating System SRG
- Policy SRG
Each addresses the applicable action items (sometimes called “checks”) in the context of the technology family. Subordinate to the core SRGs, Technology SRGs are developed to address the technologies at a more granular level. Examples include:
- The Database SRG is based on the Application SRG
- The Router SRG is based on the Network SRG
- The General Purpose Operating System (GPOS) SRG is based on the Operating System SRG
Security Technical Implementation Guides (STIGs)
STIGs provide product-specific information for validating and attaining compliance with requirements defined in the SRG for that product’s technology area. Some examples:
- The Microsoft SQL Server 2016 STIG is based on the Database SRG
- The Juniper Router STIG is based on the Router SRG
- The Microsoft Windows 11 STIG is based on the GPOS SRG
STIGs are eventually sunset (retired) when DoD no longer uses a specific product, or the product is no longer supported by the vendor. These STIGs remain available on the Public DoD Cyber Exchange for a short period.
CIS Guidelines (Benchmarks)
Similar to STIGs and SRGs, CIS Benchmarks are best practices for the secure configuration of a target system. CIS benchmarks consist of three different levels of implementation:
- The Level 1 profile is considered a base recommendation that can be implemented fairly promptly and is designed to not have an extensive performance impact.
- The Level 2 profile provides “defense in depth” and is intended for environments where security is paramount.
- The STIG profile replaces the previous Level 3. The STIG profile provides all recommendations that are STIG specific.
Identifying Configuration Baseline(s)
Identifying the correct configuration baseline to apply to a product can be difficult, depending on what technology or vendor is in use for the product to be hardened. For products that are in use by DoD or those that are widely used, a simple search on the Public DoD Cyber Exchange or the CIS Benchmarks page can produce quick results for the correct set of configurations needed to be in compliance. For products that do not have an available STIG, options include searching for a sunset STIG, leveraging a CIS Benchmark, or leveraging the appropriate SRG.
STIG Selection
Searching the DoD Cyber Exchange STIG library can be conducted via a word search in the search bar or can be filtered by category. STIGs and SRGs are grouped into the following categories:
- Application Security
- Cloud Security
- DoD Cloud Computing Security (DCCS)
- Mobility
- Network/Perimeter/Wireless
- Operating Systems
- Sunset
- Other categories outside the scope of the post
When selecting a STIG, the included Overview pdf should be reviewed prior to implementation to ensure that the STIG is appropriate to the endpoint and that any associated STIGs are also selected. For example, the Network WLAN STIG zip file contains four sub-components: WLAN Access Point Enclave-NIPRNet, WLAN Access Point Internet Gateway, WLAN Bridge, and WLAN Controller. Each sub-component includes two STIGs: one based on the Network SRG and one based on NDM SRG. Both STIGs are needed for the full set of requirements for each component STIG.
Sunset STIG Selection
Sunset STIGs can be found in the Public DoD Cyber Exchange > Sunset Products or via UCF’s STIG Viewer. Implementers should search DoD’s Cyber Exchange first, before searching in STIG Viewer. Please note that the STIGs found in STIG Viewer are almost always out of date, and any accompanying information found in a DoD Cyber Exchange download, such as the Overview pdf, will not be included.
SRG Selection
SRGs can be found in the same location as STIGs and can be searched in the same manner. DISA currently has nineteen (19) active SRGs available for download. Similar to STIGs, the included Overview pdf should be reviewed, prior to implementation, to ensure that the SRG is appropriate to the product/technology. Implementers should be aware that some products/technologies may require multiple SRGs to be fully compliant. A good example of this would be network devices, as these devices generally operate on three planes: the Management Plane, the Control Plane, and the Data Plane.
- The Management Plane handles administration of the network device itself. This subject is addressed in the NDM SRG, and almost all network devices require this.
- The Control Plane handles the routing and signaling functions. This is the focus of the Router SRG.
- The Data Plane handles traffic inspection and flow functions. This is addressed in the Firewall SRG, ALG SRG, IDPS SRG, etc.
Selecting Additional STIGs/SRGs to Apply
It is important to note that some individual endpoints may require multiple STIGs to be applied in order to be considered fully compliant. As an example, a single IIS based web server could have the following applicable STIGs:
- MS Windows Server 2022 STIG – applicable for the base operating system.
- MS Defender Antivirus STIG – if in use.
- MS Windows Firewall STIG and Advanced Security STIG – if in use.
- Microsoft .NET Framework 4.0 STIG – if installed.
- Microsoft IIS 10.0 STIG – applicable for the web server software.
- Application Security and Development STIG – catch all STIG applicable for any other software being served.
In addition to specific endpoint STIGs, implementers may be required to apply further STIGs to the environment. These STIGs may include checks that are manual in nature, such as ensuring multiple domain controllers exist in a High or Moderate environment or verifying that certain policies/procedures exist (in addition to the normal “-1” requirements). Examples include Active Directory Forest STIG, Active Directory Domain STIG, and Traditional Security Checklist.
Viewing STIG/SRG Content
All STIGs and SRGs sourced directly from DoD’s Cyber Exchange will be in a zip file. Each zip file will include at minimum:
- Overview.pdf – This document contains background and other important information that could not be stored in the XCCDF document.
- Revision_History.pdf – The Revision History contains the history of the changes to the SRG or STIG package.
- *Manual_SRG or Manual_STIG folder – These folders contain manual SRG and STIG content. They may be opened with STIG Viewer or viewed in a web browser.
- Manual-xccdf.xml – This is an XCCDF XML document that contains the manual content of the SRG or STIG.
- STIG_unclass.xsl or STIG_cui.xsl – This is an XSLT stylesheet that is used for converting the XCCDF document into HTML for viewing in a web browser.
- DoD-DISA-logos-as-JPEG.jpg – This is a JPEG image that contains the DOD and DISA logos that are displayed at the top of the document when viewed as HTML.
Manual View
All STIGs with XML content can be viewed in MS Edge via the Internet Explorer mode.
- Extract the downloaded zip file.
- Open the Manual_SRG/STIG folder.
- Right-click the *.xml file and “Open with” MS Edge.
- Once loaded, open the menu and select “Reload in Internet Explorer mode”.
- If this option is not available, navigate to MS Edge Settings > Default browser > Allow sites to be reloaded in IE mode > select Allow.
This view includes the following sub-parts for each check:
- Group ID (Vulid): Unique identifier
- Group Title: Unique identifier
- Rule ID: Unique identifier
- Severity: CAT I (High), CAT II (Medium), CAT III (Low)
- Rule Version (STIG-ID): Unique identifier
- Rule Title: Human readable unique identifier
- Vulnerability Discussion: Describes the check.
- Check Content: Describes what to look for.
- Fix Text: Describes how to fix the check.
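The sub-parts listed above map directly onto elements of the Manual-xccdf.xml file described under “Viewing STIG/SRG Content”: Group ID is the Group element’s id, Group Title its title, Rule ID and Severity are attributes of the Rule element, Rule Version is the Rule’s version element, and the Vulnerability Discussion is stored XML-escaped inside the Rule’s description. The following parser is an added example written for this post, not DISA code or any STIG tool; it reads a constructed two-rule XCCDF sample in that layout (all IDs and text are placeholders, not real STIG identifiers), maps the severity attribute to CAT I/II/III as listed above, and emits the checks as CSV so they can be filtered in a spreadsheet the way the Vulnerator section describes.

```python
"""Extract the Manual View fields from a DISA-style manual STIG/SRG XCCDF file.

Added example, not DISA's or any STIG tool's code. Identifiers and text in the
sample below are constructed placeholders.
"""
import csv
import io
import xml.etree.ElementTree as ET
from dataclasses import dataclass, asdict

# Namespace used by DISA manual XCCDF documents
NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}

# Rule severity attribute -> category, as listed in the Manual View sub-parts
SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}


@dataclass
class StigCheck:
    group_id: str        # Group ID (Vulid)
    group_title: str     # Group Title
    rule_id: str         # Rule ID
    severity: str        # CAT I / CAT II / CAT III
    stig_id: str         # Rule Version (STIG-ID)
    rule_title: str      # Rule Title
    vuln_discussion: str  # Vulnerability Discussion
    check_content: str   # Check Content
    fix_text: str        # Fix Text


def _text(elem, path):
    """Return stripped text of the first child matching path, or ''."""
    found = elem.find(path, NS)
    return (found.text or "").strip() if found is not None else ""


def _vuln_discussion(description):
    """DISA escapes <VulnDiscussion>...</VulnDiscussion> (plus sibling tags) inside
    <description>; ElementTree has already unescaped it, so parse it a second time."""
    try:
        inner = ET.fromstring(f"<d>{description}</d>")
    except ET.ParseError:
        return description.strip()  # fall back to the raw text
    return (inner.findtext("VulnDiscussion") or "").strip()


def parse_xccdf(xml_text):
    """Return one StigCheck per Group/Rule pair in the benchmark."""
    root = ET.fromstring(xml_text)
    checks = []
    for group in root.findall("x:Group", NS):
        rule = group.find("x:Rule", NS)
        if rule is None:
            continue
        sev = rule.get("severity", "").lower()
        checks.append(StigCheck(
            group_id=group.get("id", ""),
            group_title=_text(group, "x:title"),
            rule_id=rule.get("id", ""),
            severity=SEVERITY_TO_CAT.get(sev, f"unknown ({sev})"),
            stig_id=_text(rule, "x:version"),
            rule_title=_text(rule, "x:title"),
            vuln_discussion=_vuln_discussion(_text(rule, "x:description")),
            check_content=_text(rule, "x:check/x:check-content"),
            fix_text=_text(rule, "x:fixtext"),
        ))
    return checks


def to_csv(checks):
    """Render the checks as CSV text (one header row, one row per check)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(StigCheck.__dataclass_fields__))
    writer.writeheader()
    for check in checks:
        writer.writerow(asdict(check))
    return buf.getvalue()


# Constructed sample in DISA's manual XCCDF layout; every ID is a placeholder.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="Example_STIG">
  <title>Example Product STIG (constructed sample)</title>
  <Group id="V-000001">
    <title>SRG-EX-000001-EXAMPLE-00001</title>
    <Rule id="SV-000001r1_rule" weight="10.0" severity="high">
      <version>EX-00-000001</version>
      <title>The product must disable the legacy protocol.</title>
      <description>&lt;VulnDiscussion&gt;The legacy protocol has no integrity protection.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;</description>
      <fixtext fixref="F-000001">Set legacy_protocol = off and restart the service.</fixtext>
      <check system="C-000001">
        <check-content>Run the status command and confirm legacy_protocol is off.</check-content>
      </check>
    </Rule>
  </Group>
  <Group id="V-000002">
    <title>SRG-EX-000002-EXAMPLE-00002</title>
    <Rule id="SV-000002r1_rule" weight="10.0" severity="medium">
      <version>EX-00-000002</version>
      <title>The product must log administrative actions.</title>
      <description>&lt;VulnDiscussion&gt;Without audit records, misuse cannot be reconstructed.&lt;/VulnDiscussion&gt;</description>
      <fixtext fixref="F-000002">Enable the audit log in the admin console.</fixtext>
      <check system="C-000002">
        <check-content>Verify audit logging is enabled.</check-content>
      </check>
    </Rule>
  </Group>
</Benchmark>
"""

if __name__ == "__main__":
    for c in parse_xccdf(SAMPLE_XCCDF):
        print(f"{c.group_id} {c.severity:7} {c.stig_id} {c.rule_title}")
```

To run it against a real download, replace SAMPLE_XCCDF with the contents of the *Manual-xccdf.xml file from the extracted zip; unknown severity values are reported rather than silently dropped so a malformed rule is visible in the output.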
STIG Viewer View
All STIGs with XML content can be viewed in DISA’s STIG Viewer, which is available from the SRG / STIG Tools page on the DoD Cyber Exchange. Please note that the steps listed below are for version 2.17. As of this writing, version 3.x is in beta and significantly changes the user interface.
- Download the appropriate version of the tool (OS based).
- Install or open the application.
- Import the downloaded zip file(s).
- Use the pane on the left to select the appropriate STIG (if more than one is loaded).
- Use the center pane to select a specific check.
- Use the right pane to view check content.
Vulnerator View
Vulnerator is a free tool sourced from GitHub that can be leveraged to view STIG content in a more consumable format, specifically in Excel. Use the following steps to view in Excel format:
- Download and install/open STIG Viewer from the Cyber Exchange.
- Import downloaded zip file(s).
- Using the left pane, check all STIGs to be used.
- Use the Checklist menu to create a checklist.
- Save the Checklist via the File menu.
- Download the latest Vulnerator package from the Releases page of the Vulnerator/Vulnerator repository on GitHub.
- Open the Vulnerator executable.
- Select:
  - System Package Type: RMF
  - NIST SP 800-53 Revision: Revision 5
  - Output Format:
    - Check STIG Details to view STIG content of imported *.ckl files.
    - Check POA&M/RAR to create an eMASS formatted POA&M and RAR based on imported *.ckl, *.csv, and/or *.nessus files.
    - Check ACAS Scan Output to view content of imported *.csv or *.nessus files.
  - See the Using the Software page of the Vulnerator wiki on GitHub for other options and output.
- Click the Import CKL button.
- Click the Execute button.
- Open the resulting xlsx file.
By default, the resulting xlsx file will have some formatting, including column heads in bold text and grey fill. Enable filters to better read the content.
- Utilize the STIG Name column to filter if multiple STIGs were converted.
- Utilize the STIG Title column to identify individual checks.
- Utilize the Description, Check Content, and Solution columns to implement or validate checks are applied.
Implementing STIG/SRG Requirements
Now that you have the necessary information to identify and select appropriate STIGs or SRGs, and tools to view their content, next steps are to apply all applicable checks to the system’s components. If you find yourself struggling with this, contact 38North and we can help.
Frequently Asked Questions for Identifying and Selecting STIGs for FedRAMP’s Rev 5 CM-6 Requirement:
Question 1: Are there updates expected for STIGs that align with new cybersecurity standards, such as Zero Trust, within the FedRAMP framework?
While specific updates to STIGs are periodically released by the Defense Information Systems Agency (DISA), there is a general trend toward incorporating modern cybersecurity frameworks like Zero Trust into compliance requirements. Organizations should anticipate:
- Evolving Standards: Regular updates to STIGs that reflect the latest security best practices and threat landscapes.
- Zero Trust Principles: Increased emphasis on identity verification, least privilege access, and continuous monitoring within STIG guidelines.
- Proactive Adaptation: It’s advisable for organizations to start integrating Zero Trust concepts to stay ahead of compliance changes.
- Continuous Monitoring: Enhanced requirements for real-time security assessments and responsiveness to threats.
Question 2: What specific challenges are associated with implementing STIGs for multi-cloud or hybrid environments within FedRAMP’s framework?
Implementing STIGs in multi-cloud or hybrid environments introduces complexities such as inconsistent security features across different platforms, varying levels of support for compliance standards, and difficulties in maintaining uniform security policies. Specific challenges include:
- Diverse Configurations: Different cloud providers have unique configurations that may not align seamlessly with STIG requirements.
- Integration Issues: Ensuring that security controls work cohesively across on-premises and multiple cloud platforms can be problematic.
- Visibility and Monitoring: Achieving comprehensive monitoring and logging across all environments to meet compliance can be difficult.
- Resource Management: Allocating sufficient resources and expertise to manage compliance in a complex environment is often challenging.
Question 3: Are there any tools or methodologies that can assist in automating STIG selection and compliance?
Yes, several tools and methodologies can aid in automating STIG selection and compliance:
- Automation Frameworks: Tools like Ansible, Puppet, and Chef can automate the deployment of configurations that comply with STIGs.
- Compliance Scanners: Software such as SCAP Compliance Checker or OpenSCAP can automatically scan systems to identify compliance status against STIGs.
- Security Information and Event Management (SIEM): SIEM solutions help in continuous monitoring and can alert on deviations from compliance standards.
- Cloud Provider Tools: Many cloud providers offer native tools and services that assist in meeting compliance requirements through automated checks and managed services.
Question 4: How should organizations prioritize the selection of STIGs when dealing with limited resources for compliance tasks?
When resources are constrained, organizations should prioritize STIGs based on:
- Risk Assessment: Identify checks that mitigate the highest risks to critical assets and data.
- Regulatory Requirements: Focus on checks that are mandatory for compliance with laws and regulations pertinent to your industry.
- Impact Analysis: Implement checks that offer the greatest security benefit relative to the effort required.
- Incremental Implementation: Plan a phased approach to address the most critical checks first, gradually expanding compliance over time.
Question 5: What role do third-party assessments play in validating that the correct STIGs have been implemented effectively for FedRAMP?
Third-party assessments are integral to the FedRAMP authorization process. Third-Party Assessment Organizations (3PAOs) conduct independent evaluations to verify that cloud service providers have effectively implemented the necessary STIGs. They:
- Validate Compliance: Ensure that the security controls meet FedRAMP requirements.
- Identify Gaps: Detect areas where controls are insufficient or improperly implemented.
- Provide Assurance: Offer an unbiased confirmation of security posture to stakeholders and regulators.
- Facilitate Authorization: Their assessments are essential for achieving and maintaining FedRAMP authorization.
Staying informed about updates from DISA and FedRAMP will help organizations remain compliant and secure in a rapidly changing cybersecurity environment.