September 17, 2019

DISA STIG for Secure Software and Systems — An Overview

Security & Compliance
Static Analysis


The Defense Information Systems Agency (DISA) is a combat support agency of the Department of Defense (DoD) that provides IT and communications support to the DoD's components and the people who work for them. DISA oversees the technical side of organizing, delivering, and managing defense-related information.

The guidance DISA publishes for this purpose takes the form of Security Technical Implementation Guides (STIGs). Each STIG specifies how a particular product, platform, or class of application must be configured and managed so that it can be operated securely on DoD systems.

Complete DISA STIG List

Security Technical Implementation Guides (STIGs) are the configuration standards for DoD information assurance (IA) and IA-enabled devices and systems. Each STIG provides technical guidance for locking down an information system or piece of software that would otherwise be vulnerable to attack.

DISA updates STIGs regularly so that administrators and developers can configure hardware and software correctly, implement the required security controls, and keep training current.

Most STIGs are configuration checklists for operating systems, network devices, and commercial products. The one that speaks to source code is the Application Security and Development STIG, whose requirements you can use to identify potential weaknesses in your own code. A static analyzer, such as Klocwork, helps you find those DISA STIG security weaknesses faster than manual review alone.

DISA STIG Compliance Levels

DISA assigns each STIG finding to one of three severity categories (CAT I, CAT II, and CAT III) that indicate how serious the risk is of leaving that particular weakness unaddressed.

Category I

Category I refers to any vulnerability whose exploitation will directly and immediately result in loss of confidentiality, availability, or integrity. These vulnerabilities can allow unauthorized access to classified data or facilities, and can lead to a denial of service or of access.

These risks are the most severe, as they may result in loss of life, damage to facilities, or mission failure. A system with an open Category I finding will not be granted an Authorization to Operate (ATO). The only exceptions are as follows:

  • When the system is mission critical.
  • When not operating the system could itself lead to a failed mission.

Even then, the residual risk has to be formally accepted as part of the authorization decision rather than waived informally.

Category II

Category II refers to any vulnerability whose exploitation has the potential to result in loss of confidentiality, availability, or integrity. These vulnerabilities can lead to a Category I vulnerability, result in personal injury, damage equipment or facilities, or degrade a mission.

Category III

Category III refers to any vulnerability whose existence degrades the measures that protect against loss of confidentiality, availability, or integrity. These vulnerabilities can lead to a Category II vulnerability, delay recovery from an outage, or affect the accuracy of data and information.
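The three categories above are what you act on when scan results come back, and the CAT I rule in particular is worth automating as a pipeline gate. The following script is an added example, not code from this page, from Klocwork, or from DISA. It assumes XCCDF-style input, where each Rule carries a severity attribute (DISA benchmarks use high, medium, and low for CAT I, II, and III respectively) and a TestResult records pass or fail per rule; the benchmark fragment and its rule ids are constructed for the example and are not real STIG identifiers.

```python
"""Tally DISA STIG findings by category and apply the CAT I gate.

Added example (not Klocwork's or DISA's code). Assumes XCCDF-style input:
each <Rule> carries severity="high|medium|low" (DISA's CAT I/II/III) and
each <rule-result> inside a <TestResult> reports pass/fail for one rule.
The benchmark fragment below is constructed for this example; its ids
are placeholders, not real STIG rule ids.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "{http://checklists.nist.gov/xccdf/1.2}"

# DISA's mapping of XCCDF severity to finding category.
SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

# Constructed sample: three rules of differing severity plus one result set.
SAMPLE = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_sample">
  <Group id="xccdf_example_group_1">
    <Rule id="xccdf_example_rule_001" severity="high">
      <title>Example CAT I rule (constructed)</title>
    </Rule>
    <Rule id="xccdf_example_rule_002" severity="medium">
      <title>Example CAT II rule (constructed)</title>
    </Rule>
    <Rule id="xccdf_example_rule_003" severity="low">
      <title>Example CAT III rule (constructed)</title>
    </Rule>
  </Group>
  <TestResult id="xccdf_example_testresult_1">
    <rule-result idref="xccdf_example_rule_001"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_002"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_003"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>
"""


def load_findings(xml_text):
    """Return {rule_id: (category, result)} from an XCCDF document with results."""
    root = ET.fromstring(xml_text)
    categories = {}
    for rule in root.iter(XCCDF_NS + "Rule"):
        severity = rule.get("severity", "").lower()
        categories[rule.get("id")] = SEVERITY_TO_CAT.get(severity, "unknown")
    findings = {}
    for rr in root.iter(XCCDF_NS + "rule-result"):
        rule_id = rr.get("idref")
        result = rr.findtext(XCCDF_NS + "result", default="notchecked").strip().lower()
        findings[rule_id] = (categories.get(rule_id, "unknown"), result)
    return findings


def open_by_category(findings):
    """Count failed (open) findings per category."""
    counts = {"CAT I": 0, "CAT II": 0, "CAT III": 0}
    for category, result in findings.values():
        if result == "fail" and category in counts:
            counts[category] += 1
    return counts


def ato_gate(findings, accepted_cat1=()):
    """Apply the CAT I rule: any open CAT I finding that has not been formally
    accepted as a mission-critical exception blocks authorization.
    Returns (passes, sorted list of blocking rule ids)."""
    blocking = sorted(
        rule_id
        for rule_id, (category, result) in findings.items()
        if category == "CAT I" and result == "fail" and rule_id not in accepted_cat1
    )
    return (len(blocking) == 0, blocking)


if __name__ == "__main__":
    found = load_findings(SAMPLE)
    print("Open findings:", open_by_category(found))
    passes, blockers = ato_gate(found)
    print("ATO gate:", "pass" if passes else "BLOCKED by " + ", ".join(blockers))
```

The accepted_cat1 parameter models the documented exception: a CAT I finding only stops blocking once someone with the authority to accept the risk has listed it explicitly, so the gate never lets a CAT I slip through by default. CAT II and CAT III findings are counted for the compliance report but do not fail the gate on their own.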

DISA STIG Compliance With Klocwork

Running static analysis is an important part of developing secure software, and it is the practical way to check code against the application-level STIG requirements that can only be verified by examining the code itself. Klocwork can check your code against the DISA STIG list of security weaknesses automatically, flag violations, and enforce secure coding guidelines. To make compliance easier, Klocwork also produces security reports showing how well your code complies with DISA STIG. Keep in mind that a clean scan covers the code-level requirements only; the configuration, documentation, and process requirements in a STIG still have to be verified separately.

How to Implement Secure Software and Systems

One of the most effective ways to build secure software and systems is to use a static code analyzer throughout development.

Static code analyzers enforce coding rules and flag security violations. Klocwork ships with checker sets for the major coding standards and security taxonomies, including DISA STIG, MISRA, AUTOSAR, CERT, and CWE, to help ensure secure software.

Each one includes:

  • Fully documented rule enforcement and message interpretation.
  • Fully configurable rules processing.
  • Compliance reports for security audits.

Klocwork Helps to Ensure DISA STIG Compliance

See for yourself how Klocwork helps you ensure secure software and systems.