mod1SRGs and STIGsmod1SRGs and STIGsSRGs and STIGslinksReadOnlyTextpageLocationPage x of yhelpBtnHelpHelpButtonClickedexitBtnExitExitButtonClickedresourcesBtnResourcesResourcesButtonClickedhideCCBtnHide CaptionsHideCCButtonClickedshowCCBtnShow CaptionsShowCCButtonClickedturnAudioDescriptionsOffBtnTurn Audio Descriptions OffAudioDescriptionsOffButtonClickedturnAudioDescriptionsOnBtnTurn Audio Descriptions OnAudioDescriptionsOnButtonClickedskipReverseBtnSkip BackwardSkipReverseButtonClickedskipForwardBtnSkip ForwardSkipForwardButtonClickedreplayBtnReplayReplayButtonClickedtranscriptBtnTranscriptShowTextButtonClickedpauseBtnPausePauseButtonClickedresumeBtnResumeResumeButtonClickedpreviousPgBtnBackPreviousButtonClickednextPgBtnContinueNextButtonClickedIntroductionCourse Startdisastig01_001Welcome to Security Requirements Guides, SRGs, and Security Technical Implementation Guides, STIGs.Please take a moment to review the interface features available to you. Closed captioning is currently on. To turn it off,select CC. For an audio description of the visuals on each screen, select the audio description feature. To view afull transcript of the audio for a screen, select Transcript. If you need any assistance with navigation, technical issues, orassistive technology, select Help. At the conclusion of each screen, select next to continue. Select Next now to proceed.Overviewdisastig01_012IA, Information AssuranceSRG, Security Requirements GuideSTIG, Security Technical Implementation GuideInformation system security is crucial, but rapidly changing technology and sophisticated hackers have made itincreasingly complex. If you are a stakeholder in Department of Defense, or DoD, Cyber Security, how do you protectyour systems from intruders and configure your systems for maximum security? If a security breach happened, would youknow how to respond? How do you set up your systems so that they will be certified to handle DoD information? How do youassess your systems for continued compliance with government information assurance, or IA, requirements?If you are developing new software applications, how can you be sure they will meet DoD IA requirements? To ensurethat all information systems meet specific IA standards, the DoD has mandated that systems be configured inaccordance with DoD-approved security guidelines. You can find these guidelines in security requirements guides, or SRGs,and in security technical implementation guides, or STIGs. Remember, the use of an SRG or STIG is mandatoryaccording to DoD policy; these are not simply recommendations. By the end of this course, you will be ableto identify the purpose of SRGs and STIGs, and will understand when to use each one.SRGs and STIGsWhat are SRGs and STIGs?disastig01_023SRG, Security Requirements GuideSTIG, Security Technical Implementation Guidedisastig01_02_013SRGThere are four Core SRGs. These provide general security guidelines for operating systems, network infrastructure,applications, and non-technical policy controls. These four Core SRGs are the highest level SRGs and govern specifictechnology and policy areas. Core SRGs contain all security requirements for their technology and policy areas.Technology SRGs are subordinate to the Core SRGs. Technology SRGs do not refer to a specific product or productversion, but contain all requirements that have been flagged as applicable from the parent level Core SRGs. Thetechnology SRGs provide the basis for product-specific STIGs. In this way, SRGs compile overarchingtechnology-specific security settings to help provide assurance that DoD information systems operate at anacceptable level of risk. Note that the Core SRGs are not intended for use in assessments. STIGs, or, ifnecessary, Technology SRGs will be used for assessments.disastig01_02_023STIGSTIGs document DoD policies and security requirements for specific technical products, as well as best practices forconfiguration. You can find specific STIGs that cover widely used operating systems, infrastructure services, andsupport applications. There are also STIGs that cover general topics such as remote or wireless computing andnetworking. Note that STIGs have not yet been created for specific mission applications.So what are SRGs and STIGs? Who needs them and how can they help you secure your information systems? SRGsprovide general security compliance guidelines. They serve as source guidance documents for STIGs. STIGsdocument applicable DoD policies and security requirements for specific technical products, as well asbest practices and configuration guidelines. Select SRG or STIG to learn more about each.<![CDATA[What's in a STIG?]]>disastig01_034SCAP, Security Content Automation ProtocolBecause STIGs can help you detect, or even avoid intrusions, respond to and recover from security breaches, andimplement specific security policies for technical products incorporated into your information system, your systemis more likely to operate at an acceptable level of risk. A STIG is more than just a text document. STIGs includedetailed guidelines to configure systems for security and compliance, such as benchmarks, which are specificversions of STIG content with code to perform automated assessment checks. STIGs also include guidance documentsthat you can use to configure your system manually. In order to standardize the automation of compliance reporting, thecode in these benchmarks is compatible with the Security Content Automation Protocol, or SCAP. Note that in the past,STIGs and their associated checklists were separate documents, but they are now included in a single documentthat contains both content you can use to configure systems for security and compliance and content you can use to checksystems for security and compliance. Although conversion efforts began in 2009, you may still encounterolder STIGs with checklists that are separate documents.Where do STIGs come from?disastig01_045DISA, Defense Information Systems AgencyFSO, Field Security Operationshttp://iase.disa.mil/stigs/vendor_process/index.html; For an active link to this website, go to the Resources page.DSAWG, Defense IA/Security Accredidation Working GroupCIAE, Chief Information Assurance Executivedisastig01_04_015The STIG CommunityDISA, Defense Information Systems AgencyNSA, National Security AgencyOSD, Office of the Secretary of DefenseNIST, National Institute of Standards and Technologyhttp://iase.disa.mil/stigs/news.html; For an active link to this website, go to the Resources page.Anyone who uses a STIG becomes a member of the STIG community and has a role to play in the development andmaintenance of STIGs. The standing STIG community includes representatives from DISA, the National SecurityAgency, or NSA, the Office of the Secretary of Defense, or OSD, Combatant Commands, Military Services, the NationalInstitute of Standards and Technology, or NIST, and other organizations. You may become a member of the STIGcommunity and participate in the STIG development process by subscribing to STIG NEWS.A wide variety of STIGs are currently available and new STIGs are released each year. But where do STIGs comefrom? How are STIGs developed and what role do you have in their development? Each September, DefenseInformation Systems Agency, or DISA, Field Security Operations, or FSO, decides which new STIGs should bewritten and which existing STIGs should be updated. It bases these decisions on market trends, technological changes,customer requirements, and DoD policy and guidance. Vendors who wish to develop a STIG for their product need tocomplete a Vendor Intent form and return it to the DISA FSO STIG Customer Support Desk. After FSO creates a new STIG,it disseminates it to the STIG community in a draft form. You may become a member of the STIG community and participatein the STIG development process. The STIG community evaluates and comments on the draft STIG during a two-weekcomment period and a one-day technical interchange meeting. After the comment period and meetings are completed, thedraft STIG is presented to the Defense IA Security Accreditation Working Group, or DSAWG, for endorsement ofused. If you become a member of the STIG community, you should continue to provide feedback that can beincorporated into the STIG the next time it is updated. Select STIG Community to learn more about the various roles in thedevelopment and maintenance of STIGs, as well as how to join the STIG community.Using SRGs and STIGsdisastig01_056http://iase.disa.mil; For an active link to this website, go to the Resources page.Whether operating a current system or implementing a new system, STIGs and SRGs provide important securityguidelines and configuration resources for both system operators and developers. The check content presented inSTIGs will allow you to assess whether your current systems are in compliance with the STIGs, while the fix textcontent in the STIGs will help you configure new and existing products so they meet compliance requirements.Vendors should use STIG guidelines for both new and existing products during research and developmentefforts. But what if an appropriate STIG does not exist? If there is no product-specific STIG for your product,you should use an appropriate SRG to guide you in implementing the appropriate security requirements. WhileFSO primarily uses SRGs as the basis for writing product-specific STIGs, vendors may use SRGs to build more secureproducts that comply with DoD security standards. SRGs, STIGs, benchmarks, and other information security-relatedprovide instructions on how to use and apply the guidance it contains.Review ActivityReview Activity 1disastig01_067Knowledge Check1500425then select Submit.]]>DoD policy recommends - but does not require - the use of SRGs and STIGs.TrueFalseCorrect. DoD requires the use of SRGs and STIGs.Incorrect. DoD requires the use of SRGs and STIGs.If there is no existing STIG to perform an assessment for a product then that product may not be used.TrueFalseCorrect. If there is no existing STIG, Technology SRGs may be used instead to perform an assessment on that product.Incorrect. If there is no existing STIG, Technology SRGs may be used instead to perform an assessment on that product.SRGs should be used to develop new products when specific STIGs do not exist.TrueFalseCorrect. When specific STIGs do not exist, you should use SRGs to develop new products.Incorrect. When specific STIGs do not exist, you should use SRGs to develop new products.Now take a moment to check your understanding.Course ConclusionConclusiondisastig01_078http://iase.disa.mil; For an active link to this website, go to the Resources page.By now you should be able to identify the purpose of Core SRGs, Technology SRGs, and STIGs, and you should knowwhen to use them. Remember, Core SRGs provide general security compliance guidelines. Based on Core SRG guidance,Technology SRGs are used by developers to build STIGs, which themselves document applicable DoD policies andsecurity requirements for specific technical products. STIGs also include best practices and configurationguidelines. STIGs are created by DISA in partnership with the STIG user community. DISA encourages communityfeedback on both existing and potential new SRGs and STIGs. Remember, also, when to use SRGs and STIGs. You shoulduse Core SRGs for general security compliance guidance. Both Core SRGs and Technology SRGs will provideguidance for product development. You can use STIGs to assess whether your current systems are compliantwith DoD security requirements and configuration guidance and, also, to determine how to configure new products. If thereis no product-specific STIG for your product then you should make use of a technology-specific SRG and use itsguidelines to perform your certification or security assessment. Finally, remember that all of these resources areCertificate of Completiondisastig01_089To print a certificate of completion, enter your name in the space provided, and select Print Certificate.