DISA STIG Support

Cavirin DISA Security Technical Implementation Guide (STIG) support provides several new security baselines for assessing and securing mission-critical workloads. In addition, the platform adds several value-adds on top of the DISA STIG assessments themselves that ease implementation and usability: browsing, assessment, and reporting.

DISA STIG - Browsing

DISA does not provide an easy-to-navigate mechanism for browsing the STIGs; the user must work directly with the XCCDF XML and its stylesheets. The Cavirin platform provides several enhancements:

  • Consolidation – The platform’s policy browser provides a consolidated view of the STIGs. All profiles are listed, and the operator may choose any profile to find out which policies it contains.
  • Classification – The security policies within the DISA STIGs are not categorized into control families at the source. Cavirin takes additional steps to categorize the security policies under their respective control families, permitting the operator to pick and choose the relevant control family. The browser also permits expansion of a selected control family, describing its individual tests.
  • Policy details and formatting – DISA STIGs do not provide any formatting that makes it easy to read and to differentiate text from code. Also, DISA SCAP content does not include details such as rationale, audit steps, or policy details. The Cavirin Platform combines the SCAP content and the STIGs to present not only assessment status but also policy details: Rationale, Audit steps and Remediation Procedure. Each policy is also formatted to make the desired actions easy to understand.

DISA STIG - Assessment and Reporting

The Cavirin Platform supports all Windows DISA STIGs as well as the Red Hat Enterprise Linux 6 STIG. The Windows DISA STIGs are segregated into three major device types:

  1. Domain Controllers,
  2. Member Servers and
  3. Workstations

The platform eliminates complexity by allowing the operator to discover the organization’s target machines and then create asset group(s). During assessment, one may choose an asset group and the platform automatically applies the suitable STIG based on the device type and the chosen profile. This eliminates the need to filter domain controllers from member servers or workstations.

Steps to DISA STIG Compliance

Once the assessment is complete, the platform presents the rolled-up risk score at the asset group level. It is a combined score of multiple resources (machines) in an asset group.

The assessment report shows risk scores segregated at the control family level. It also shows a breakdown of low, medium and high severities as defined by the DISA STIGs (CAT III, CAT II and CAT I respectively).
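As an added example of what lies behind the browsing and reporting described above (this is illustrative code written for this page, not Cavirin's implementation or scoring formula), the following walks a STIG benchmark in its native XCCDF XML form, groups rules by control family and severity, and rolls per-host pass/fail results up into a per-family and overall score for an asset group. The benchmark, rule identifiers, host names and results are constructed for the example; the severity weights are an arbitrary assumption chosen only to show how a weighted roll-up works. It assumes the XCCDF 1.2 namespace (older DISA benchmarks use http://checklists.nist.gov/xccdf/1.1, in which case change NS).

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict
from fractions import Fraction

# XCCDF 1.2 namespace. Assumption for this example: older DISA STIG benchmarks
# are published under http://checklists.nist.gov/xccdf/1.1 instead.
NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Illustrative weights per DISA severity (CAT I = high, CAT II = medium,
# CAT III = low). Invented for this example; not any vendor's scoring formula.
SEVERITY_WEIGHT = {"high": 10, "medium": 5, "low": 1}

# Constructed, minimal XCCDF document shaped like a DISA STIG benchmark plus
# one TestResult per host. Rule ids, titles, hosts and results are made up.
SAMPLE_XCCDF = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <title>Example STIG (constructed)</title>
  <Group id="xccdf_example_group_accounts">
    <title>Account Policies</title>
    <Rule id="xccdf_example_rule_1" severity="high">
      <title>Password must be at least 14 characters</title>
    </Rule>
    <Rule id="xccdf_example_rule_2" severity="medium">
      <title>Account lockout threshold must be set</title>
    </Rule>
  </Group>
  <Group id="xccdf_example_group_audit">
    <title>Audit Policy</title>
    <Rule id="xccdf_example_rule_3" severity="low">
      <title>Audit logon events must be enabled</title>
    </Rule>
  </Group>
  <TestResult id="xccdf_example_testresult_dc01">
    <target>dc01</target>
    <rule-result idref="xccdf_example_rule_1"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_2"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_3"><result>pass</result></rule-result>
  </TestResult>
  <TestResult id="xccdf_example_testresult_dc02">
    <target>dc02</target>
    <rule-result idref="xccdf_example_rule_1"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_2"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_3"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""

# Results that do not count against a host and are excluded from the denominator.
NOT_COUNTED = {"notapplicable", "notselected", "notchecked"}


def load_rules(xml_text):
    """Map rule id -> {family, severity, title}, using the enclosing Group as family."""
    root = ET.fromstring(xml_text)
    rules = {}
    for group in root.findall("x:Group", NS):
        family = group.findtext("x:title", default=group.get("id"), namespaces=NS)
        for rule in group.findall("x:Rule", NS):
            rules[rule.get("id")] = {
                "family": family,
                "severity": rule.get("severity", "unknown"),
                "title": rule.findtext("x:title", default="", namespaces=NS),
            }
    return rules


def load_results(xml_text):
    """Map target host -> {rule id: result} from every TestResult in the benchmark."""
    root = ET.fromstring(xml_text)
    results = {}
    for tr in root.findall("x:TestResult", NS):
        target = tr.findtext("x:target", default=tr.get("id"), namespaces=NS)
        results[target] = {
            rr.get("idref"): rr.findtext("x:result", default="unknown", namespaces=NS)
            for rr in tr.findall("x:rule-result", NS)
        }
    return results


def failures_by_severity(rules, results):
    """Count failed rule-results per severity across all hosts in the asset group."""
    counts = Counter({sev: 0 for sev in SEVERITY_WEIGHT})
    for host_results in results.values():
        for rule_id, result in host_results.items():
            if result == "fail":
                counts[rules[rule_id]["severity"]] += 1
    return dict(counts)


def rolled_up_scores(rules, results):
    """Weighted pass fraction per control family, plus "__all__" for the whole group.

    A rule-result that is notapplicable/notselected/notchecked is left out of the
    denominator; any other non-pass result (fail, error, unknown) counts against it.
    """
    passed, applicable = defaultdict(int), defaultdict(int)
    for host_results in results.values():
        for rule_id, result in host_results.items():
            if result in NOT_COUNTED:
                continue
            rule = rules[rule_id]
            weight = SEVERITY_WEIGHT.get(rule["severity"], 1)
            for key in (rule["family"], "__all__"):
                applicable[key] += weight
                if result == "pass":
                    passed[key] += weight
    return {key: Fraction(passed[key], applicable[key]) for key in applicable}


if __name__ == "__main__":
    rules = load_rules(SAMPLE_XCCDF)
    results = load_results(SAMPLE_XCCDF)
    print("failures by severity:", failures_by_severity(rules, results))
    for family, score in rolled_up_scores(rules, results).items():
        print(f"{family}: {float(score):.2%}")
```

Scores are returned as exact fractions so the roll-up can be reported either as a percentage or as a ratio of weighted points; a real assessment would read the TestResult documents produced by the scanner rather than from the benchmark file itself, and would map Groups to control families only after the classification step described above, since the STIG's own Groups are not control families.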

Cavirin provides security management across physical, public, and hybrid clouds, supporting AWS, Microsoft Azure, Google Cloud Platform, VMware, KVM, and Docker.