Application Security and Development STIG
Question:
Are all applications subject to the Application Security and Development STIG?
Answer:
The most direct path to your answer appears in the DoD Directive 8500.1 as follows:
- The directive applies to all applications: Section 2 (Applicability and Scope) Paragraph 2.1.2: All DoD-owned, or controlled information systems that receive, process, store, display, or transmit DoD information, regardless of mission assurance category, classification or sensitivity ...
- The directive also states as policy: Section 4 (Policy) paragraph 4.1: IA requirements will be identified and included in the design, acquisition, installation, operation, upgrade, or replacement of all DOD information systems ...
Section 4 (Policy) paragraph 4.13: All DoD information systems shall be certified and accredited in accordance with DoD instruction 5200.40 (reference (U)).
Section 4 (Policy) then goes on to address IA-enabled entities as a separate item.
Enclosure 2 (definitions) contains definitions for Application, DoD Information System, and other terms used in this document.
To summarize, the FSO and DISA consensus has always been that the 8500.1 directive applies to all DoD compute assets, unless specifically exempted (such as weapons systems for war fighters).
The Application Security and Development STIG
The second consideration is the Application Security and Development STIG itself. The Authority section does quote specifics surrounding IA-enabled applications, which are defined as having specific IA considerations and impacts. An argument could be made that the STIG text in the Authority section could be made more complete, with better alignment to the 8500.1 language. However, the absence of text stating authority for other application developments should not be used to supersede or exempt any application development from being subject to the 8500.1 guidance. I have recommended this language update to the Authority paragraph for future releases of STIGs.
The Scope section of the Application Security and Development STIG does specifically go on to state that this guidance is a requirement for all DoD developed, architected, and administered applications and systems connected to DoD networks. Later in the same paragraph it does specifically call out custom developed systems. It is the Scope paragraph that makes the connection back to the 8500.1 language.
I hope this helps you in your justification and position that all DoD applications are subject to IA guidance as they are developed or acquired.
A further note surrounding IA controls. The 8500.2 IA controls referenced in the STIG are in the process of being assimilated into NIST SP 800-53, which will be the next authoritative source of IA control content. The 800-53A will contain validation steps and clarifications for each 800-53 control, to aid in making sure they are appropriately applied. Both can be found under the DoD DIACAP Knowledge Service at https://diacap.iaportal.navy.mil (NIPR ONLY).
Microsoft SQL Server 2008
Question:
Is there currently a STIG for Windows SQL 2008?
Answer:
The SQL Server 2005 STIG should be used for SQL Server 2008. When building your asset posture in VMS, select the SQL Server Installation 2008 (2005 Guidance) and SQL Server Database 2008 (2005 Guidance) elements. Then, record the finding statuses, POA&Ms/DRAs, comments, etc. in the finding records that VMS generates for these elements.
The SQL 2005 STIG can be found at the following location on IASE:
http://iase.disa.mil/stigs/sunset/applications/Pages/index.aspx
The SQL Server 2012 STIG should be used for SQL Server 2008 R2. When building your asset posture in VMS, select the SQL Server Installation 2008 R2 and SQL Server Database 2008 R2 elements. Then, record the finding statuses, POA&Ms/DRAs, comments, etc. in the finding records that VMS generates for these elements.
The SQL 2012 STIG can be found at the following location on IASE:
http://iase.disa.mil/stigs/app-security/database/Pages/sql.aspx
MySQL
Question:
What STIG should be used for MySQL?
Answer:
The Database SRG should be used when assessing MySQL against STIG requirements.
Smartphone
Question:
Where can I find STIGs on Android, Windows Phone 8, BlackBerry 10, and other smartphones and tablets?
Answer:
STIGs for these devices, when available, can be found at Link. If a STIG is not listed, it may be under development.
STIG
Question:
May I deploy a product if no STIG exists?
Answer:
Yes, based on mission need and with DAA approval.
Question:
What do I use if there is no STIG?
Answer:
DISA FSO developed Security Requirement Guides (SRGs) to address technology areas. In the absence of a STIG, an SRG can be used to determine compliance with DoD policies. If there is no applicable SRG or STIG, industry or vendor recommended practices may be used. Examples include Center for Internet Security Benchmarks, Payment Card Industry requirements or the vendor's own security documentation.
Question:
Does DISA FSO certify products for use in the DoD?
Answer:
No. DISA FSO certifies Information Systems for use in DISA. DISA FSO does not certify products for DoD use. SRGs/STIGs are designed to assist in implementing the secure deployment of products.
STIG Style sheet
Question:
Where are other style sheet choices?
Answer:
There is a style sheet package located on IASE. If one of those does not satisfy your needs, submit a request to the FSO support desk. Your request will be submitted for consideration as an additional style sheet choice.
Question:
Will there be other style sheet choices?
Answer:
There is a style sheet package located on IASE. If one of those does not satisfy your needs, submit a request to the FSO support desk. Your request will be submitted for consideration as an additional style sheet choice.
Tablet
Question:
Where can I find STIGs for tablets?
Answer:
If the tablet is using Windows 7 or Windows 8, use the STIG for those operating systems. Windows STIGs can be found at Link. Windows RT devices are not authorized to connect to DoD networks or process DoD data. STIGs for iOS or Android tablets can be found at Link
VMware ESXi and vSphere
Question:
Does the current VMware ESXi guidance work for the newer release? Is newer VMware ESXi vSphere guidance available, and when will it be available?
Answer:
VMware ESX3 - Use the ESX Server STIG/Checklist located at this link.
VMware ESX4 - FSO will not be releasing a STIG for ESX4. The ESX 3 STIG and the ESXi 5 Server STIGs can be used in conjunction to enhance security on ESX4 systems.
VMware ESX5 - Use the ESXi 5 Server STIGs located at this link.
Windows 2008 R2 OS
Question:
Will there be a Microsoft Server 2008 R2 STIG?
Answer:
The Windows Server 2008 R2 STIG has been released and is available on IASE at Link.
XCCDF STIGs - How to Open
Question:
How do I open XCCDF STIGs?
Answer:
Save the STIG zip file package to your local PC drive and extract it to a folder. Extract the files from the zip package that ends with MANUAL_STIG into a new folder. Open the folder with the extracted files, then locate and open the .xml file using a web browser. For requestors who want interactive PDF checkboxes and similar features:
PDF formats have been an interim step for STIG publication, and are being phased out. There is currently no plan to develop updatable PDF formats for STIGs. The future format for STIG publication is XCCDF output. The conversion process has begun for XCCDF, to enable STIG consumption by tools where both compliance and configuration remediation can be automated with the addition of OVAL code. Several operating system STIGs appear on the IASE web site today in the XCCDF format.
The XCCDF format of STIG is made human readable by using a style sheet, which will be bundled with each STIG. It is not in our current plan to create interactive checkbox functionality for XCCDF format STIGs.
XCCDF STIGs - MS Excel
Question:
How do I load a .xml XCCDF file into Excel and store the STIG in .xlsx spreadsheet format?
Answer:
- Invoke Microsoft Excel
- Click "Disable Macros" if prompted
- Within the Excel menu bar select: File-->Open-->Name of the XML XCCDF file you wish to load into Excel
- Open the .xml file (XCCDF file)
- A set of radio buttons will appear.
  a) Click the 2nd button ("Open the file with the following stylesheet applied"). The name of the style sheet should appear.
  b) Then click OK
- Wait a few seconds for the transformation to be applied. You may get the following error message, which you can ignore by clicking "YES": "The file you are trying to open, 'name of file', is in a different format than specified by the file extension. Verify that the file is not corrupted and is from a trusted source before opening the file. Do you want to open the file now?"
- To store the file as an Excel .xlsx document:
  a) From the menu bar, click "File", then "Save As"
- At the bottom of the page, save file as type:
  a) Excel Workbook
- The transformation/STIG should now be stored as an .xlsx Excel document.
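The Excel and Word procedures above rely on the bundled style sheet to turn the XCCDF XML into a readable table. When you need the same flattening without a desktop application (for example to diff two STIG releases or feed findings into a tracker), a small parser does the job. The script below is an added example, not DISA FSO tooling; it assumes the XCCDF 1.1 namespace that DISA benchmark files declare, maps the `severity` attribute to DISA CAT levels, and runs against a constructed sample benchmark (the ids, titles and text are invented and are not from any real STIG) or against a MANUAL_STIG .xml path given on the command line.

```python
"""Flatten an XCCDF STIG benchmark into CSV rows, one per Rule.

Added example (not DISA FSO tooling). Assumes the XCCDF 1.1 namespace that
DISA benchmark XML files declare; SAMPLE_XCCDF below is a constructed
stand-in for a real MANUAL_STIG .xml file.
"""
import csv
import io
import sys
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
NS = {"x": XCCDF_NS}

# XCCDF severity attribute -> DISA category (CAT I is the most severe).
SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

COLUMNS = ["group_id", "rule_id", "stig_id", "severity", "cat",
           "title", "check_content", "fixtext"]

# Constructed minimal benchmark; ids, titles and text are not from any real STIG.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="EXAMPLE_STIG">
  <title>Example Application STIG (constructed sample)</title>
  <version>1</version>
  <Group id="V-000001">
    <title>SRG-APP-000001</title>
    <Rule id="SV-000001r1_rule" severity="high" weight="10.0">
      <version>EX-AP-000001</version>
      <title>The application must not store passwords in clear text.</title>
      <fixtext>Store credentials using an approved hashing or vaulting mechanism.</fixtext>
      <check system="C-1"><check-content>Inspect the configuration for clear text credentials.</check-content></check>
    </Rule>
  </Group>
  <Group id="V-000002">
    <title>SRG-APP-000002</title>
    <Rule id="SV-000002r1_rule" severity="medium" weight="10.0">
      <version>EX-AP-000002</version>
      <title>The application must log failed authentication attempts.</title>
      <fixtext>Enable authentication failure auditing.</fixtext>
      <check system="C-2"><check-content>Review the audit configuration.</check-content></check>
    </Rule>
  </Group>
</Benchmark>
"""


def _text(elem, path):
    """Return the stripped text of the first match of a namespaced path, or ''."""
    found = elem.find(path, NS)
    return (found.text or "").strip() if found is not None else ""


def extract_rules(xccdf_text):
    """Walk every Group (nested groups included) and collect one row per Rule."""
    root = ET.fromstring(xccdf_text)
    rows = []
    for group in root.iter(f"{{{XCCDF_NS}}}Group"):
        for rule in group.findall("x:Rule", NS):
            severity = rule.get("severity", "").lower()
            rows.append({
                "group_id": group.get("id", ""),
                "rule_id": rule.get("id", ""),
                "stig_id": _text(rule, "x:version"),
                "severity": severity,
                "cat": SEVERITY_TO_CAT.get(severity, "unknown"),
                "title": _text(rule, "x:title"),
                "check_content": _text(rule, "x:check/x:check-content"),
                "fixtext": _text(rule, "x:fixtext"),
            })
    return rows


def to_csv(rows):
    """Render rows as CSV text; Excel opens it directly and can Save As .xlsx."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python xccdf_to_csv.py [path/to/U_Some_MANUAL_STIG.xml]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = SAMPLE_XCCDF
    sys.stdout.write(to_csv(extract_rules(source)))
```

Rules are collected by walking every `Group` rather than only the top-level ones, because benchmarks may nest groups; a rule without a recognised `severity` value is kept with `cat` set to `unknown` rather than dropped, so nothing silently disappears from the spreadsheet.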
XCCDF STIGs - MS Word
Question:
How do I load a .xml XCCDF file into Microsoft Word and store it as a .doc file?
Answer:
- Invoke Microsoft Word
- Within the Word menu bar select: File-->Open-->Name of the .XML file you wish to load into Word
- Open the .XML file (XCCDF file)
- A box comes up asking whether you want to install an XML expansion pack.
  a) Click the "NO" box
- On the right side of the screen there is an XML data view box.
  a) Double click STIG_unclass.xsl or STIG_fouo.xsl, depending on which name comes up
  (in the case of Windows Office 2007 you may not need to double-click at all)
- Wait a few seconds for the XSL transformation to complete. The STIG/Checklist should appear on the screen similar to how it would appear in the Internet Explorer or Firefox browser.
- To store the file as a Word document:
  a) From the menu bar, click File, then Save As
- At the bottom of the page, save file as type:
  a) Word 2007 document
- The stylized STIG should now be stored as a Word document (extension .doc).