Skip to main content

Insights

DoD STIG Hardening: What It Is and How to Pass Your Next Audit

By Kevin Kirk · · 7 min read

If you handle Department of Defense work or sell to federal customers, you will eventually be told your systems must be STIG-compliant. The phrase sounds heavier than the work actually is. Here is what it means and how to get through the audit without surprises.

What is a STIG?

A Security Technical Implementation Guide (STIG) is a configuration standard published by the Defense Information Systems Agency (DISA). Each STIG is a hardening checklist for a specific product — Windows Server, RHEL, Cisco IOS, a browser, a database. The full library is free at public.cyber.mil.

Every check, called a rule, carries a severity category:

  • CAT I — high risk. A finding here can directly lead to compromise.
  • CAT II — medium risk. The bulk of most STIGs.
  • CAT III — low risk. Hardening polish.

Who actually needs them?

You need STIG compliance if you run systems on a DoD network, handle Controlled Unclassified Information (CUI), or contract for agencies that require it. Plenty of regulated commercial environments adopt STIGs too, simply because they are a free, battle-tested baseline that maps cleanly to other frameworks.

How compliance is measured

Auditors do not eyeball settings. They scan. The usual flow:

  1. Run a SCAP scan (for example, DISA's SCAP Compliance Checker) against each system using the matching benchmark.
  2. Review results in STIG Viewer, which maps findings to rules.
  3. Mark each rule Open, Not a Finding, Not Applicable, or Not Reviewed.
  4. For anything you cannot fix, write a POA&M (Plan of Action and Milestones) documenting the risk and a remediation timeline.

How to pass your next audit

  1. Start from the baseline, not the audit. Apply the STIG when you build the system, not the week before review.
  2. Automate it. Pair SCAP content with configuration management — Ansible, Group Policy, or scripts — so hardening is repeatable and drift is caught.
  3. Document exceptions honestly. A clean POA&M for a justified exception beats a hidden open finding every time.
  4. Map to NIST 800-53. STIG findings roll up to NIST 800-53 controls. Keeping that mapping makes RMF and ATO paperwork far less painful.
  5. Re-scan continuously. Configuration drifts. Monthly scans catch regressions before an auditor does.

Common pitfalls

  • Hardening a system so aggressively that the application breaks, then quietly rolling it back.
  • Using "Not Applicable" as a dumping ground without written justification.
  • Leaving CAT I findings open with no POA&M — the fastest way to fail.

Frequently asked

How long does it take?

For a single, well-understood system, a first pass is days. A fleet with application dependencies is weeks, because the real work is testing that hardening does not break what runs on top of it.

Do I need expensive tools?

No. The STIGs, the SCAP content, and STIG Viewer are all free from DISA. The cost is the engineering time to apply, test, and document.

STIG work is methodical, not mysterious — runbook, scan, remediate, document, repeat. If you would rather hand the sprint to someone who does it day to day, that is exactly the kind of defined-window engagement I take on.

Need this handled for your business? Get in touch — new clients start with a free site audit.

← All posts