What is a STIG Checklist?
A Security Technical Implementation Guide (STIG) checklist is used by different technology organizations to ensure and enhance security in their systems and their products. STIG checklists can also help maintain the quality of products and services.
Importance of a STIG Checklist
The primary reason behind using STIG checklists is to ensure cyber safety. Without STIGs and STIG checklists, the Defense Information Systems Agency (DISA) would find it difficult to standardize their cyber safety efforts, putting the government and military systems of the US at risk of malicious attacks.
Initially, the DISA, which is part of the US Department of Defense (DoD), created STIGs to guard and protect combatant and non-combatant government systems from cybersecurity threats and vulnerabilities. Currently, there are over a hundred STIGs in place, and these are updated regularly, depending on when their respective products and services are upgraded or revised. Having STIG checklists, therefore, helps ensure that government agencies are following the standards set by the DISA while eliminating the risk of any cyberattacks.
In the process of keeping an eye out for risks to cybersecurity, government agencies also conduct general inspections. In some cases, especially when dealing with hardware, the general inspection check is performed alongside the STIG inspection as inspectors consider the latter to be part of general maintenance.
In the private sector, STIG checklists are used in the same way. As cybersecurity threats evolve and grow more dangerous each day, private Information Technology (IT) products and services that are part of the DoD are now also required to follow STIGs. They are to use the same STIGs as the ones used by the government, which allows for their products and services to also be used by the public sector if needed.
Not only does the compliance of private IT products and services with STIG affect their license to sell and operate in the US, but it also affects their customers’ safety from the public and private sector alike. This can then affect the government’s operations and even place the country at risk of cyberattacks if they are non-compliant. The technological features that are most at risk for these kinds of threats are those related to keeping personal information such as mobile numbers and emails, as well as one’s geographical location history.
What is in a STIG Checklist?
There is no one way to create a universal STIG checklist as each checklist is specific to the product or service it’s made for. Generally, these checklists are meant to note the compliance of a certain product, process, or service in reference to the guides set by the DISA.
A typical STIG checklist would include the following elements:
- the name of the product or service being examined;
- the last upgrade or update to it, if applicable;
- a list of the important aspects of the product or service that can affect cybersecurity’;
- the actions to be taken to address said risks; and
- a metric to describe the importance of each risk to overall safety (such as high, medium, or low severity, which are also known as Category 1, 2, and 3, respectively).
The most commonly used and updated STIGs and STIG checklists are for software, hardware, and processes that are used in both the private and public sectors. The categories with the most STIGs are the following:
- Application Security – for applications focused on providing and maintaining security for hardware and software alike
- Network/Perimeter/Wireless – for the use and maintenance of wireless networks such as WiFi modems, routers, firewalls, and connectors
- Operating Systems – for the use, maintenance, and upgrading of operating systems such as Apple, Windows, Android, and Linux for computers, mobile devices, and wearable devices
However, while STIG checklists aim to ensure legal compliance and cyber safety, they may not be enough to conduct overall maintenance, quality, and safety checks. For this, some organizations prefer to double-check their inspections, creating their own checklists for it. Often based on the STIGs, these checklists are for their own use and are kept for purposes such as keeping a maintenance log or as proof of their compliance.