What is DISA STIG?
September 17, 2019


Security & Compliance
Static Analysis

Ensuring that software is secure is essential, which is why it is important to use DISA STIG to ensure the quality of your code. Here, we explain what DISA STIG is and what the DISA STIG compliance levels are.

What is DISA STIG?

As part of the Department of Defense (DoD), the Defense Information Systems Agency (DISA) is a combat support agency that provides IT and communication support to all institutes and individuals working for the DoD. DISA oversees the IT and technological aspects of organizing, delivering, and managing defense-related information.

The guidelines that DISA provides organizations are called Security Technical Implementation Guides (STIGs). These guides outline how an organization should handle and manage security software and systems.

Complete DISA STIG List

Security Technical Implementation Guides (STIGs) are the standards for DoD IA and IA-enabled devices/systems. Each STIG provides technical guidance to secure information systems/software that might otherwise be vulnerable.

The DoD regularly updates STIGs to ensure that developers are able to properly configure hardware and software, implement security protocols, and organize training processes.

You can use a STIG to identify potential weaknesses in your code. Using a SAST tool, such as Klocwork, helps you to identify DISA STIG security weaknesses faster.


What Are DISA STIG Compliance Levels?

There are three categories of vulnerability that indicate the severity of the risk of failing to address a particular weakness.

Category I

Category I refers to any vulnerability that will directly and immediately result in loss of confidentiality, availability, or integrity. What’s more, these vulnerabilities can allow unauthorized access to classified data or facilities, and can lead to a denial of service or access.

These risks are the most severe, as they may result in loss of life, damage to facilities, or a mission failure. If an organization doesn’t address them, it will not be granted an Authorization to Operate. The only exceptions are as follows:

  • When the system is critical.
  • When a failure to use the system could lead to a failed mission.

Category II

Category II refers to any vulnerability that can result in loss of confidentiality, availability, or integrity. What’s more, these vulnerabilities can lead to a Category I vulnerability, result in personal injury, damage to equipment or facilities, and degrade a mission.

Category III

Category III refers to any vulnerability that degrades measures to protect against loss of confidentiality, availability, or integrity. What’s more, these vulnerabilities can lead to a Category II vulnerability, delay in recovering from an outage, or affect the accuracy of data and information.

DISA STIG Compliance With Klocwork

Running static analysis is an important part of the process of developing secure software and is a tool to use when complying with IEC 61508 requirements. Klocwork can check your code against the DISA STIG list of security weaknesses automatically to flag violations and enforce secure coding guidelines. To make compliance easier, Klocwork provides security reports on how well your code is DISA STIG compliant.

How to Implement Secure Software and Systems

The best way to ensure secure software and systems is to use a static code analyzer — like Klocwork.

Static code analyzers enforce coding rules and flag security violations. Klocwork comes with code security taxonomies — DISA STIG, MISRA, AUTOSAR, CERT, and CWE — to ensure secure software.

Each one includes:

  • Fully documented rule enforcement and message interpretation.
  • Fully configurable rules processing.
  • Compliance reports for security audits.

Klocwork Helps to Ensure DISA STIG Compliance

Klocwork is the most trusted static analyzer for the C, C++, C#, and Java programming languages. See for yourself how Klocwork can help you ensure secure software and systems.