What is DISA STIG
September 17, 2019

What Is DISA STIG? Overview + STIG Security

Security & Compliance
Static Analysis

You need to ensure your software is secure — especially if it's developed for the Department of Defense. This is why it is important to use DISA STIG security guidelines. Here, we explain what is DISA STIG, how to implement it, and STIG security.

What Is DISA STIG?

DISA STIG refers to an organization (DISA — Defense Information Systems Agency) that provides technical guides (STIG — Security Technical Implementation Guide). 

DISA is part of the Department of Defense (DoD). It's a combat support agency that provides IT and communication support to all institutes and individuals working for the DoD. DISA oversees the IT and technological aspects of organizing, delivering, and managing defense-related information.

This includes STIG guidelines. These guides outline how an organization should handle and manage security software and systems.

What Is STIG Security?

STIGs (Security Technical Information Guides) are security guidelines from DISA. There are 100s of STIGs maintained and updated by DoD.

Complete STIG Security List

There's a complete STIG list that provides critical updates on the standards for DoD IA and IA-enabled devices/systems. Each STIG provides technical guidance to secure information systems/software that might otherwise be vulnerable.

The DoD regularly updates STIGs to ensure that developers are able to:

  • Configure hardware and software properly.
  • Implement security protocols.
  • Organize training processes.

You can use the STIG list to identify potential weaknesses in your code.

But the best way to use the STIG list is by pairing it with a SAST tool. SAST tools like Klocwork help you to identify security weaknesses faster. 

More on SAST >>

What Are DISA STIG Compliance Levels?

There are three DISA STIG compliance levels, called categories. The categories indicate the severity of the risk of failing to address a particular weakness.

From most to least severe, these are:

  • Category I.
  • Category II.
  • Category III.

Category I

Category I refers to any vulnerability that will directly and immediately result in loss of confidentiality, availability, or integrity. What’s more, these vulnerabilities can allow unauthorized access to classified data or facilities. This can lead to a denial of service or access.

These risks are the most severe. They may result in loss of life, damage to facilities, or a mission failure. If you don't address these risks, you won't be granted an Authorization to Operate.

The only exceptions are:

  • When the system is critical.
  • When a failure to use the system could lead to a failed mission.

Category II

Category II refers to any vulnerability that can result in loss of confidentiality, availability, or integrity.

Category II vulnerabilities can:

  • Lead to a Category I vulnerability.
  • Result in personal injury, damage to equipment or facilities.
  • Degrade a mission.

Category III

Category III refers to any vulnerability that degrades measures to protect against loss of confidentiality, availability, or integrity.

Category III vulnerabilities can:

  • Lead to a Category II vulnerability.
  • Delay in recovering from an outage.
  • Affect the accuracy of data and information.

Protect against the top 10 security vulnerabilities. Get the white paper to learn how. 

Get the White Paper

How to Implement DISA STIG

The best way to implement secure coding standards is to use a static code analyzer — like Klocwork.

1. Get Klocwork

Static code analyzers enforce coding rules and flag security violations. Klocwork comes with code security taxonomies to ensure secure software.

Each one includes:

  • Fully documented rule enforcement and message interpretation.
  • Fully configurable rules processing.
  • Compliance reports for security audits.

2. Use Klocwork to Check the STIG Security List

Running static analysis is an important part of the process of developing secure software. You can use it to comply with IEC 61508 requirements.

Klocwork can also check your code against the security weakness list. It automatically flags violations and enforces secure coding guidelines. Plus, Klocwork provides security reports on how well your code is compliant.

Ensure DISA STIG Security With Klocwork

DISA STIG security guidelines are important for software developed for the DoD. And using Klocwork can help you ensure your code is secure.

That's because Klocwork is the most trusted static analyzer for C, C++, C#, and Java coding languages.

See for yourself how Klocwork can help you ensure secure software and systems. Sign up for the next live demo of Klocwork. You'll see for yourself how Klocwork can ensure secure, high-quality code.

ENSURE SECURE SOFTWARE WITH Klocwork