4. Analyzing the configuration of the system using STIG Viewer
5. Evaluate compliance to each STIG rule
6. Record findings and create draft remediation plan
7. Approval: Remediation Plan Review
8. Implement remediation actions as per plan
9. Re-evaluate compliance to each STIG rule post remediation
10. Documentation of successful remediations
11. If any non-compliant items remain, create a POA&M document
12. Submit for final review and approval
13. Approval: Compliance Review
14. Prepare system for certification process
15. Submit final report and supporting documentation
16. Conduct periodic reviews and updates as per DISA guidelines
Identify the system resources to be STIG reviewed
This task involves identifying the system resources that need to be reviewed for STIG compliance. These resources may include servers, databases, network devices, or other components of the system. The task plays a crucial role in determining the scope of the STIG review process and ensures that all relevant resources are included. The desired result is a comprehensive list of system resources to be reviewed. The task requires knowledge of the system architecture and understanding of the STIG requirements. Potential challenges may include identifying hidden or forgotten resources. To overcome this, consult system documentation, network diagrams, and engage with system owners or administrators. Required resources: system documentation, network diagrams, communication tools.
Installing STIG Viewer
This task involves installing the STIG Viewer tool, which is necessary for analyzing the system configuration against STIG rules. The installation of the tool is an essential step in the compliance process. It ensures that the system configuration can be assessed effectively. The desired result is a successfully installed STIG Viewer tool. To install the tool, follow the installation guide provided by DISA. Ensure that the system meets the hardware and software requirements specified in the guide. In case of any issues during the installation, refer to the troubleshooting section in the guide. Required resources: STIG Viewer installation guide, system meeting the hardware and software requirements.
Download relevant STIG checklist
This task involves downloading the relevant STIG checklist for the system resources identified earlier. The checklist provides a comprehensive list of STIG rules specific to the system resources. It serves as a reference for assessing the system's compliance. The desired result is the downloaded STIG checklist. To download the checklist, visit the DISA STIG website and navigate to the appropriate category and resource. Click on the download link provided for the checklist. Required resources: internet access, DISA STIG website.
Analyzing the configuration of the system using STIG Viewer
This task involves analyzing the system configuration using the STIG Viewer tool. The analysis helps identify any non-compliant configurations and potential security vulnerabilities. The task is critical in assessing the system's compliance with STIG rules. The desired result is a comprehensive analysis report highlighting the non-compliant configurations and vulnerabilities. To perform the analysis, open the STIG Viewer tool and import the system configuration. Run the analysis tool and review the generated report. Required resources: STIG Viewer tool, system configuration file.
Evaluate compliance to each STIG rule
This task involves evaluating the system's compliance with each STIG rule listed in the checklist. The evaluation helps assess the level of compliance and identify areas that require remediation. The task plays a crucial role in ensuring the system meets the required standards. The desired result is a comprehensive evaluation report with identified non-compliant items. To evaluate compliance, review each STIG rule listed in the checklist and assess the system's configuration accordingly. If a rule is found to be non-compliant, mark it as such in the evaluation report. Required resources: STIG checklist, evaluation report template.
Record findings and create draft remediation plan
This task involves recording the findings from the evaluation of non-compliant items and creating a draft remediation plan. Recording the findings helps ensure that all identified non-compliant items are properly documented. Creating a draft remediation plan provides a roadmap for addressing the non-compliant items. The desired result is a recorded findings document and a draft remediation plan. To record the findings, create a document or spreadsheet and list each non-compliant item along with relevant details. To create a draft remediation plan, identify the steps required to remediate each non-compliant item and document them in a structured format. Required resources: findings document template, remediation plan template.
Approval: Remediation Plan Review
Will be submitted for approval: Record findings and create draft remediation plan
Implement remediation actions as per plan
This task involves implementing the remediation actions identified in the draft remediation plan. The remediation actions aim to address the non-compliant items and bring the system into compliance with STIG rules. The task is crucial in ensuring that the necessary actions are taken to resolve the identified issues. The desired result is the successful implementation of the remediation actions. To implement the remediation actions, follow the steps outlined in the draft remediation plan. Ensure that all necessary changes are made to the system configuration. Test the system after implementing the changes to validate their effectiveness. Required resources: draft remediation plan, access to system resources for making configuration changes.
1. Apply security patches
2. Update system configurations
3. Disable unnecessary services
4. Configure access controls
5. Update user permissions
Re-evaluate compliance to each STIG rule post remediation
This task involves re-evaluating the system's compliance with each STIG rule after implementing the remediation actions. The re-evaluation helps ensure that the remediation actions have successfully addressed the non-compliant items. The task plays a crucial role in verifying the effectiveness of the remediation efforts. The desired result is a comprehensive re-evaluation report indicating the compliance status after remediation. To re-evaluate compliance, follow the same evaluation process used earlier. Review each STIG rule listed in the checklist and assess the system's configuration accordingly. Update the report with the new compliance status. Required resources: evaluation report template, updated system configuration.
Documentation of successful remediations
This task involves documenting the successful remediations that have brought the system into compliance with STIG rules. Documentation helps ensure that the remediation efforts are properly recorded and can be referenced in the future. The task is crucial for maintaining an accurate record of system compliance. The desired result is comprehensive documentation of the successful remediations. To document them, update the findings document created earlier with the details of the remediated non-compliant items. Include information such as the actions taken, date of completion, and any supporting documentation. Required resources: findings document template, supporting documentation.
If any non-compliant items remain, create a POA&M document
This task involves creating a Plan of Action and Milestones (POA&M) document if any non-compliant items remain after the remediation efforts. The POA&M document outlines the specific steps that will be taken to address the remaining non-compliant items within a defined timeframe. The task is critical in ensuring that all non-compliant items are properly addressed and documented. The desired result is a completed POA&M document. To create the POA&M document, include the details of each remaining non-compliant item, proposed steps for remediation, responsible parties, and target completion dates. Required resources: POA&M document template, access to non-compliant item details.
Submit for final review and approval
This task involves submitting the completed documentation, including the findings, remediation plan, re-evaluation report, and POA&M (if applicable), for final review and approval. The final review and approval process ensures that all necessary documentation is accurate, complete, and compliant with DISA requirements. The desired result is the approval of the documentation for further certification processes. To submit for final review and approval, send the documentation to the designated reviewer or approval authority. Include a cover letter summarizing the documentation and any additional information required. Required resources: completed documentation, communication tools for submitting the documentation.
Documentation Submission - DISA STIG Compliance
Approval: Compliance Review
Will be submitted for approval: Re-evaluate compliance to each STIG rule post remediation
Prepare system for certification process
This task involves preparing the system for the certification process after obtaining the necessary approvals. The certification process confirms that the system meets the required STIG compliance standards. The task is critical in ensuring that the system is ready for official certification. The desired result is a system prepared according to certification requirements. To prepare the system for certification, ensure that all identified non-compliant items have been addressed and documented. Validate the system configurations against the STIG checklist. Gather any additional supporting documentation required for the certification process. Required resources: approved documentation, system configurations, supporting documentation checklist for certification.
Submit final report and supporting documentation
This task involves submitting the final report and supporting documentation for the completed STIG compliance process. The final report summarizes the entire process, including findings, remediation efforts, re-evaluation results, and approval status. Supporting documentation provides additional evidence of the system's compliance. The task ensures that all relevant information is compiled and submitted appropriately. The desired result is the successful submission of the final report and supporting documentation. To submit the final report and supporting documentation, compile all relevant documents into a single package. Include the final report, completed findings document, re-evaluation report, and any additional supporting documentation. Required resources: final report template, supporting documentation.
Conduct periodic reviews and updates as per DISA guidelines
This task involves conducting periodic reviews and updates to ensure continued compliance with DISA guidelines. Periodic reviews help identify any changes in STIG requirements or system configurations that may impact compliance. Updates are necessary to address any newly identified non-compliant items or vulnerabilities. The task plays a crucial role in maintaining ongoing STIG compliance. The desired result is a documented review and update process. To conduct periodic reviews and updates, assign responsible individuals or teams for the task. Schedule regular review intervals and follow the guidelines provided by DISA. Document any changes or updates made during the process for future reference. Required resources: DISA guidelines, communication tools for coordinating reviews and updates.