Vendor-Generated STIGs Help DISA Accelerate New Technology Adoption
New technologies are introduced all the time, and every product vendor touts the advantages of its new products. But ensuring it’s safe to connect those new systems to secure military networks can be a dicey proposition.
That’s why the Defense Information Systems Agency issues STIGs – Security Technical Implementation Guides – for high-demand information technology products.
“A Security Technical Implementation Guide is a set of secure operationally configurable settings based on NIST 800-53 controls,” says Roger Greenwell, DISA’s director of Cybersecurity and its authorizing official for systems and applications used within the agency. “If a user has a STIG for a specific product, they have a guide to configure that product in a secure manner.”
STIGs do not represent DISA’s stamp of approval or official endorsement; rather, they are instructions for safe use. Greenwell emphasizes it’s up to individual users to determine whether the product has utility or value in a given application. A STIG guides installers and reviewers on the most secure implementation of a given product, so it might restrict certain services or capabilities, detail authentication requirements, or identify features that must be available only to administrators. Exactly what’s in a STIG depends on what the product itself actually does.
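As an added illustration (not DISA’s, VMware’s, or any published STIG’s content), the following Python sketches how the three kinds of requirement just described – a service that must be off, an authentication setting that must hold an approved value, and a feature that must be limited to administrators – are evaluated in practice: each rule is a check function that returns a finding or nothing, and a weak configuration is run beside a hardened one. The rule IDs (EX-000n), severities, setting names and both configurations are invented for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# A check inspects a configuration and returns a failure detail, or None when compliant.
Check = Callable[[dict], Optional[str]]


@dataclass(frozen=True)
class Rule:
    rule_id: str   # hypothetical; real STIG rules carry DISA-assigned identifiers
    severity: str  # STIG findings are graded CAT I (highest) to CAT III
    title: str
    check: Check


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    title: str
    detail: str


def _lookup(cfg: dict, path: Sequence[str]):
    """Walk nested dicts; None if any key along the path is missing."""
    node = cfg
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def service_disabled(name: str) -> Check:
    """Pattern 1: an unneeded service must be off (an absent entry counts as off)."""
    def check(cfg: dict) -> Optional[str]:
        if _lookup(cfg, ("services", name, "enabled")):
            return f"service '{name}' is enabled"
        return None
    return check


def setting_in(path: Tuple[str, ...], allowed: set) -> Check:
    """Pattern 2: a setting must hold one of the approved values.
    A missing setting is a finding too: silence is not compliance."""
    def check(cfg: dict) -> Optional[str]:
        value = _lookup(cfg, path)
        if value not in allowed:
            return f"{'.'.join(path)} is {value!r}, expected one of {sorted(allowed)}"
        return None
    return check


def setting_at_most(path: Tuple[str, ...], limit: int) -> Check:
    """Pattern 2 variant: a numeric setting must not exceed a ceiling."""
    def check(cfg: dict) -> Optional[str]:
        value = _lookup(cfg, path)
        if not isinstance(value, (int, float)) or value > limit:
            return f"{'.'.join(path)} is {value!r}, must be <= {limit}"
        return None
    return check


def admin_only(feature: str) -> Check:
    """Pattern 3: a sensitive feature may be granted to administrators only."""
    def check(cfg: dict) -> Optional[str]:
        roles = _lookup(cfg, ("features", feature, "allowed_roles")) or []
        extra = sorted(set(roles) - {"administrator"})
        if extra:
            return f"feature '{feature}' is also granted to roles {extra}"
        return None
    return check


# Hypothetical rule set in the shape of a STIG's requirements.
RULES: List[Rule] = [
    Rule("EX-0001", "CAT I", "Telnet management access must be disabled", service_disabled("telnet")),
    Rule("EX-0002", "CAT II", "Management authentication must use PKI or LDAP",
         setting_in(("management", "auth_method"), {"pki", "ldap"})),
    Rule("EX-0003", "CAT II", "Idle management sessions must end within 10 minutes",
         setting_at_most(("management", "idle_timeout_min"), 10)),
    Rule("EX-0004", "CAT III", "Firewall rule editing must be restricted to administrators",
         admin_only("firewall_rules")),
]


def evaluate(cfg: dict, rules: Sequence[Rule] = RULES) -> List[Finding]:
    """Run every rule against a configuration and collect the open findings."""
    findings = []
    for rule in rules:
        detail = rule.check(cfg)
        if detail is not None:
            findings.append(Finding(rule.rule_id, rule.severity, rule.title, detail))
    return findings


def summarize(findings: Sequence[Finding]) -> Dict[str, int]:
    """Count open findings per severity, the way a review rolls them up."""
    counts = {"CAT I": 0, "CAT II": 0, "CAT III": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed configurations: a weak deployment and its hardened counterpart.
WEAK_CONFIG = {
    "services": {"ssh": {"enabled": True}, "telnet": {"enabled": True}},
    "management": {"auth_method": "local_password", "idle_timeout_min": 10},
    "features": {"firewall_rules": {"allowed_roles": ["administrator", "auditor"]}},
}
HARDENED_CONFIG = {
    "services": {"ssh": {"enabled": True}, "telnet": {"enabled": False}},
    "management": {"auth_method": "pki", "idle_timeout_min": 10},
    "features": {"firewall_rules": {"allowed_roles": ["administrator"]}},
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        open_findings = evaluate(cfg)
        print(f"{label}: {summarize(open_findings)}")
        for f in open_findings:
            print(f"  [{f.severity}] {f.rule_id} {f.title}: {f.detail}")
```

Two choices in the checker matter for real reviews: a missing setting fails a value rule rather than passing it, because an unconfigured product is not a configured one, and a service that simply does not appear is treated as disabled, which is only safe when the inventory of services is itself complete.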
DISA issues only about 35-40 STIGs each year, far fewer than the number of products introduced to the market. But the agency no longer methodically develops every STIG itself. Instead, there are now three ways to develop a STIG – a major step to speeding up the process of getting approved guides for emerging technology products.
“We use three different methods now,” Greenwell said. “We can internally develop the STIG, do the research ourselves and write the STIG – how we started many years ago. We have a consensus effort [where] DISA partners with other entities, to include the vendor, in terms of working through what those requirements should be. Or we have Vendor-developed STIGs.”
Windows 10 is an example of a consensus effort, where DISA partnered with the Air Force and National Security Agency to develop an optimum safe configuration of the new operating system.
“The big thing we gain there,” Greenwell said, is “we get a product [into use] much faster, ultimately at lower cost to the taxpayer.” Vendors can often work on their STIGs in parallel with product development, so a STIG can be ready almost as soon as a new product is available. By contrast, a DISA-generated STIG can follow a product introduction by months or even longer.
VMware recently received a STIG for its NSX software-defined networking (SDN) solution – the first SDN solution to receive a STIG, DISA officials confirmed. Approved in July, the STIG establishes guidelines for implementing SDN on defense networks, a major development for an emerging technology.
NSX enables system managers to set up and tear down networks on the fly, enabling rapidly reconfigurable connections that can increase network security by limiting which systems can reach one another. Take a mission planning environment that’s shared by a dozen or more coalition partners for an exercise or a real operation.
Setting up multiple networks to support various levels of sharing across the group could take days or weeks and generate significant costs, only to be torn down weeks later when the event is over. But with SDN, the customer gets the same “communications path and tools they’re already familiar with from a compute standpoint,” VMware’s Federal VP Bill Rowan says, and a network that exists only in software. System managers, he explains, can “build and tear down on the fly, establishing different security parameters, as you need, for different partners.”
The result is increased security and a smaller attack surface.
“Software defined networking provides government users with new agility,” said Scott Whitman, a Sr. Principal Analyst, Information Security, at General Dynamics IT. “Existing technology enables creating mission-specific virtual communities, but they still depend on integration with networks that are complex and often inflexible. With SDN technology, communities of interest can be set up based on mission needs and fully resourced with network connectivity, and then completely removed once that mission is complete. Security is paramount, and SDN unites automation, networking and security into a tighter footprint enabling robust data governance, which is at the heart of security in cloud-based technology services.”
VMware made the investment to encourage adoption now, rather than waiting for the traditional STIG process to unfold by itself. “Most information assurance professionals in agencies and commands, they like the comfort of knowing a product has a STIG,” Rowan says. “It makes them feel that at least someone else has evaluated a product.”
With so many products hitting the market each year, DISA can’t possibly keep up. “Ideally, we would have a STIG for every product,” Greenwell says. Vendor-generated STIGs open the door to more published solutions by shifting the workload from DISA’s limited personnel to vendors who are motivated to use the STIG to help generate sales.
“Vendors are given a framework and can develop the STIG themselves, with guidance as needed from DISA,” Greenwell says. “This enables us to ensure consistency in aligning to our configuration requirements while leveraging the vendor’s expertise with the product.”
Vendors are also better situated in most cases to do the necessary documentation and decision-making quickly. Greenwell acknowledges they know their products best and are happy to work with DISA to provide the necessary documentation. Indeed, VMware is already looking ahead to future versions of NSX. “We’ve already started the next iteration of the STIG – as the product evolves, the STIG has to evolve with it.”