Identifying and Selecting STIGs for FedRAMP’s Rev 5 CM-6 Requirement

On May 31, 2023, FedRAMP released final baselines for the NIST SP 800-53r5 (Rev5) set of controls that are applicable to all Cloud Service Providers (CSP) that are already authorized or intending to be authorized by FedRAMP.

For the High, Moderate, and Low baselines, the requirement for CM-6 (Configuration Management) changed:

From: [Rev4] CM-6 (a) Requirement 1: “The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establishes its own configuration settings if USGCB is not available.”

To: [Rev5 High/Mod] CM-6 (a) Requirement 1: “The service provider shall use the DoD STIGs to establish configuration settings; Center for Internet Security up to Level 2 (CIS Level 2) guidelines shall be used if STIGs are not available; Custom baselines shall be used if CIS is not available.”

[Rev5 Low] CM-6 (a) Requirement 1: “The service provider shall use the DoD STIGs or Center for Internet Security guidelines to establish configuration settings;”

Key Definitions

Security Requirements Guides (SRGs)

SRGs are collections of requirements applicable to a given technology family. There are four core SRGs:

  • Application SRG
  • Network SRG
  • Operating System SRG
  • Policy SRG

Each addresses the applicable action items (sometimes called “checks”) in the context of the technology family. Subordinate to the core SRGs, Technology SRGs are developed to address the technologies at a more granular level. Examples include:

  • The Database SRG is based on the Application SRG
  • The Router SRG is based on the Network SRG
  • The General Purpose Operating System (GPOS) SRG is based on the Operating System SRG

Security Technical Implementation Guides (STIGs)

STIGs provide product-specific information for validating and attaining compliance with requirements defined in the SRG for that product’s technology area. Some examples:

  • The Microsoft SQL Server 2016 STIG is based on the Database SRG
  • The Juniper Router STIG is based on the Router SRG
  • The Microsoft Windows 11 STIG is based on the GPOS SRG

STIGs are eventually sunset (retired) when DoD no longer uses a specific product, or the product is no longer supported by the vendor. These STIGs remain available on the Public DoD Cyber Exchange for a short period.

CIS Guidelines (Benchmarks)

Similar to STIGs and SRGs, CIS Benchmarks are best practices for the secure configuration of a target system. CIS benchmarks consist of three different levels of implementation:

  • The Level 1 profile is considered a base recommendation that can be implemented fairly promptly and is designed to not have an extensive performance impact.
  • The Level 2 profile provides “defense in depth” and is intended for environments where security is paramount.
  • The STIG profile replaces the previous Level 3. The STIG profile provides all recommendations that are STIG specific.

Identifying Configuration Baseline(s)

Identifying the correct configuration baseline to apply to a product can be difficult, depending on what technology or vendor is in use for the product to be hardened. For products that are in use by DoD or those that are widely used, a simple search on the Public DoD Cyber Exchange or the CIS Benchmarks page can produce quick results for the correct set of configurations needed to be in compliance. For products that do not have an available STIG, options include searching for a sunset STIG, leveraging a CIS Benchmark, or leveraging the appropriate SRG.

STIG Selection

Searching the DoD Cyber Exchange STIG library can be conducted via a word search in the search bar or can be filtered by category. STIGs and SRGs are grouped into the following categories:

  • Application Security
  • Cloud Security
  • DoD Cloud Computing Security (DCCS)
  • Mobility
  • Network/Perimeter/Wireless
  • Operating Systems
  • Sunset
  • Other categories outside the scope of the post

When selecting a STIG, the included Overview pdf should be reviewed prior to implementation to ensure that the STIG is appropriate to the endpoint and that any associated STIGs are also selected. For example, the Network WLAN STIG zip file contains four sub-components: WLAN Access Point Enclave-NIPRNet, WLAN Access Point Internet Gateway, WLAN Bridge, and WLAN Controller. Each sub-component includes two STIGs: one based on the Network SRG and one based on NDM SRG. Both STIGs are needed for the full set of requirements for each component STIG.

Sunset STIG Selection

Sunset STIGs can be found in the Public DoD Cyber Exchange > Sunset Products or via UCF’s STIG Viewer. Implementers should search DoD’s Cyber Exchange first before searching in STIG Viewer. Please note that the STIGs found in STIG Viewer are almost always out of date, and any accompanying information found in a DoD Cyber Exchange download, such as the Overview pdf, will not be included.

SRG Selection

SRGs can be found in the same location as STIGs and can be searched in the same manner. DISA currently has nineteen (19) active SRGs available for download. Similar to STIGs, the included Overview pdf should be reviewed to ensure, prior to implementation, that the SRG is appropriate to the product/technology. Implementers should be aware that some products/technologies may require multiple SRGs to be fully compliant. A good example of this would be network devices, as these devices generally operate on three planes: the Management Plane, the Control Plane, and the Data Plane.

  • The Management Plane handles administration of the network device itself. This subject is addressed in the NDM SRG, and almost all network devices require this.
  • The Control Plane handles the routing and signaling functions. This is the focus of the Router SRG.
  • The Data Plane handles traffic inspection and flow functions. This is addressed in the Firewall SRG, ALG SRG, IDPS SRG, etc.

Selecting Additional STIGs/SRGs to Apply

It is important to note that some individual endpoints may require multiple STIGs to be applied in order to be considered fully compliant. As an example, a single IIS based web server could have the following applicable STIGs:

  • MS Windows Server 2022 STIG – applicable for the base operating system.
  • MS Defender Antivirus STIG – if in use.
  • MS Windows Firewall STIG and Advanced Security STIG – if in use.
  • Microsoft .Net Framework 4.0 STIG – if installed.
  • Microsoft IIS 10.0 STIG – applicable for the web server software.
  • Application Security and Development STIG – catch all STIG applicable for any other software being served.

In addition to specific endpoint STIGs, implementers may be required to apply further STIGs to the environment. These STIGs may include checks that are manual in nature, such as ensuring multiple domain controllers exist in a High or Moderate environment or verifying that certain policies/procedures exist (in addition to the normal “-1” requirements). Examples include Active Directory Forest STIG, Active Directory Domain STIG, and Traditional Security Checklist.

Viewing STIG/SRG Content

All STIGs and SRGs sourced directly from DoD’s Cyber Exchange will be in a zip file. Each zip file will include at minimum:

  • Overview.pdf – This document contains background and other important information that could not be stored in the XCCDF document.
  • Revision_History.pdf – The Revision History contains the history of the changes to the SRG or STIG package.
  • *Manual_SRG or Manual_STIG folder – These folders contain manual SRG and STIG content. They may be opened with STIG Viewer or viewed in a web browser.
    • Manual-xccdf.xml – This is an XCCDF XML document that contains the manual content of the SRG or STIG.
    • STIG_unclass.xsl or STIG_cui.xsl – This is an XSLT stylesheet that is used for converting the XCCDF document into HTML for viewing in a web browser.
    • DoD-DISA-logos-as-JPEG.jpg – This is a JPEG image that contains the DOD and DISA logos that are displayed at the top of the document when viewed as HTML.

Manual View

All STIGs with XML content can be viewed in MS Edge via the Internet Explorer mode.

  1. Extract the downloaded zip file.
  2. Open the Manual_SRG/STIG folder.
  3. Right click the *.xml file and “Open with” MS Edge.
  4. Once loaded, open the menu and select “Reload in Internet Explorer mode”.
    1. If this option is not available, navigate to MS Edge Settings > Default browser > Allow sites to be reloaded in IE mode > select Allow

This view includes the following sub-parts for each check:

  • Group ID (Vulid): Unique identifier
  • Group Title: Unique identifier
  • Rule ID: Unique identifier
  • Severity: CAT I (High), CAT II (Medium), CAT III (Low)
  • Rule Version (STIG-ID): Unique identifier
  • Rule Title: Human readable unique identifier
  • Vulnerability Discussion: Describes the check.
  • Check Content: Describes what to look for.
  • Fix Text: Describes how to fix the check.
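The sub-parts listed above are not separate files; they are elements of the Manual-xccdf.xml document, and both the browser view and STIG Viewer simply render them. The script below is an added example (not from the original post, DISA, or 38North) that pulls those same fields out of an XCCDF benchmark with Python’s standard library, using the XCCDF 1.1 namespace that DISA manual STIGs use. The embedded benchmark is a constructed sample: its Group, Rule, version and SRG identifiers are placeholders, not values from any published STIG. It assumes the DISA convention of storing the Vulnerability Discussion as escaped pseudo-tags inside the Rule description and mapping the XCCDF severity attribute to CAT I/II/III.

```python
"""Extract Manual View fields (Group ID, Rule ID, Severity, STIG-ID, ...) from an XCCDF STIG."""
import re
import xml.etree.ElementTree as ET

# DISA manual STIGs use the XCCDF 1.1 namespace.
NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}

# XCCDF severity attribute -> the CAT label shown in the Manual and STIG Viewer views.
SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

# Constructed sample benchmark; every identifier here is a placeholder.
SAMPLE_XCCDF = """<?xml version="1.0" encoding="utf-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="Example_STIG">
  <title>Example Product Security Technical Implementation Guide</title>
  <Group id="V-000001">
    <title>SRG-OS-000001-GPOS-00001</title>
    <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
    <Rule id="SV-000001r1_rule" weight="10.0" severity="medium">
      <version>EX-00-000010</version>
      <title>The product must be configured to audit account logon events.</title>
      <description>&lt;VulnDiscussion&gt;Without auditing logon events, detection of unauthorized access is hindered.&lt;/VulnDiscussion&gt;&lt;FalsePositives&gt;&lt;/FalsePositives&gt;</description>
      <check system="C-000001r1_chk">
        <check-content>Verify audit policy includes Logon/Logoff &gt;&gt; Logon. If it does not, this is a finding.</check-content>
      </check>
      <fixtext fixref="F-000001r1_fix">Configure the audit policy to include Logon/Logoff &gt;&gt; Logon.</fixtext>
    </Rule>
  </Group>
  <Group id="V-000002">
    <title>SRG-OS-000002-GPOS-00002</title>
    <description>&lt;GroupDescription&gt;&lt;/GroupDescription&gt;</description>
    <Rule id="SV-000002r1_rule" weight="10.0" severity="high">
      <version>EX-00-000020</version>
      <title>The product must not run an unsupported version.</title>
      <description>&lt;VulnDiscussion&gt;Unsupported versions receive no security patches.&lt;/VulnDiscussion&gt;</description>
      <check system="C-000002r1_chk">
        <check-content>Verify the installed version is supported by the vendor. If it is not, this is a finding.</check-content>
      </check>
      <fixtext fixref="F-000002r1_fix">Upgrade to a vendor-supported version.</fixtext>
    </Rule>
  </Group>
</Benchmark>
"""


def _text(elem, path):
    """Return stripped text of the first child matching an XCCDF path, or ''."""
    node = elem.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def _vuln_discussion(description):
    """DISA stores the discussion as escaped pseudo-tags inside <description>;
    after XML parsing they are plain text, so a regex pulls the section out."""
    m = re.search(r"<VulnDiscussion>(.*?)</VulnDiscussion>", description, re.S)
    return m.group(1).strip() if m else description.strip()


def parse_xccdf(xml_text):
    """Return one dict per Rule carrying the fields shown in the Manual View."""
    root = ET.fromstring(xml_text)
    checks = []
    for group in root.findall("x:Group", NS):
        for rule in group.findall("x:Rule", NS):
            checks.append({
                "group_id": group.get("id"),                       # Group ID (Vulid)
                "group_title": _text(group, "x:title"),            # Group Title (SRG ID)
                "rule_id": rule.get("id"),                         # Rule ID
                "severity": SEVERITY_TO_CAT.get(
                    (rule.get("severity") or "").lower(), "UNKNOWN"),
                "stig_id": _text(rule, "x:version"),               # Rule Version (STIG-ID)
                "rule_title": _text(rule, "x:title"),              # Rule Title
                "vuln_discussion": _vuln_discussion(_text(rule, "x:description")),
                "check_content": _text(rule, "x:check/x:check-content"),
                "fix_text": _text(rule, "x:fixtext"),
            })
    return checks


def count_by_severity(checks):
    """Tally checks per CAT level; a quick sizing of the hardening effort."""
    counts = {}
    for c in checks:
        counts[c["severity"]] = counts.get(c["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_xccdf(SAMPLE_XCCDF)
    for c in parsed:
        print(f'{c["group_id"]} {c["stig_id"]} [{c["severity"]}] {c["rule_title"]}')
    print(count_by_severity(parsed))
```

To use it on a real download, read the Manual-xccdf.xml file from the extracted zip and pass its contents to parse_xccdf; the returned list can be written to CSV or a spreadsheet to get the same per-check table that Vulnerator produces, without the checklist round-trip.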

STIG Viewer View

All STIGs with XML content can be viewed in DISA’s STIG Viewer. It can be found at SRG / STIG Tools – DoD Cyber Exchange. Please note that the steps listed below are for version 2.17. As of this writing, version 3.x is in beta and significantly changes the user interface.

  1. Download the appropriate version of the tool (OS based).
  2. Install or open the application.
  3. Import the downloaded zip file(s).
  4. Use the pane on the left to select the appropriate STIG (if more than one is loaded).
  5. Use the center pane to select a specific check.
  6. Use the right pane to view check content.

Vulnerator View

Vulnerator is a free tool sourced from GitHub that can be leveraged to view STIG content in a more consumable format, specifically in Excel. Use the following steps to view in Excel format:

  1. Download and install/open STIG Viewer from the Cyber Exchange.
  2. Import downloaded zip file(s).
  3. Using the left pane, check all STIGs to be used.
  4. Use the Checklist menu to create a checklist.
  5. Save the Checklist via the File menu.
  6. Download the latest Vulnerator package from GitHub via Releases · Vulnerator/Vulnerator (github.com).
  7. Open the Vulnerator executable.
  8. Select:
    • System Package Type: RMF
    • NIST SP 800-53 Revision: Revision 5
    • Output Format:
      • Check STIG Details to view STIG content of imported *.ckl files.
      • Check POA&M/RAR to create an eMASS formatted POA&M and RAR based on imported *.ckl, *.csv, and/or *.nessus files.
      • Check ACAS Scan Output to view content of imported *.csv or *.nessus files.
      • See Using the Software · Vulnerator/Vulnerator Wiki · GitHub for other options and output.
  9. Click the Import CKL button.
  10. Click the Execute button.
  11. Open the resulting xlsx file.

By default, the resulting xlsx file will have some formatting, including column heads in bold text and grey fill. Enable filters to better read the content.

  • Utilize the STIG Name column to filter if multiple STIGs were converted.
  • Utilize the STIG Title column to identify individual checks.
  • Utilize the Description, Check Content, and Solution columns to implement checks or validate that they are applied.

Implementing STIG/SRG Requirements

Now that you have the necessary information to identify and select appropriate STIGs or SRGs, and tools to view their content, next steps are to apply all applicable checks to the system’s components. If you find yourself struggling with this, contact 38North and we can help.