DISA Team Develops New STIG Process
American Forces Press Service
Fort George G. Meade, Md., May. 24, 2013 While recent spotlights have focused on the Defense Information Systems Agency's Field Security Operations approval of Security Technical Implementation Guides (STIGs) for the latest in enterprise technologies, one approval stands out by representing a paradigm shift in the agency's business processes.
Developed ahead of its commercial release, the Samsung Knox STIG showcases the increased efficiencies, delivered through close partnerships of government and industry, for bringing new devices into the DOD enterprise to meet department-wide needs.
"The Knox Android STIG was a highly successful effort demonstrating how industry and DOD can work together to create rigorous security guidance quickly, enabling DOD to benefit from new technology as soon as it is commercially available," said Terry Sherald, chief of DISA’s Information Assurance Standards Branch, and the architect behind developing and fostering the new process.
Working with Samsung and their partners in producing the STIG greatly facilitated communication throughout the project because each company had extensive experience with DOD information assurance requirements and processes. Constant communication enabled Samsung developers to make changes to its Knox code more rapidly to meet DoD requirements. DISA plans to share general lessons learned from this effort to assist subsequent vendors writing STIGs.
"We are excited to continue working with other commercial mobile device providers to support a diverse and competitive multi-vendor environment," Sherald said.
Sherald's idea had a lot of support. As part of the DOD Commercial Mobile Device Implementation Plan, released in February 2013, DISA was tasked to develop a new process for approving mobile devices "to ensure that DOD will have access to the latest mobile technologies in a timely manner by maximizing vendor participation."
Previously, new technologies would enter the marketplace and the department would have to wait until DISA could develop a STIG, outlining required technical controls and settings, before introduction and integration to the enterprise. The rate at which technology was turning over, usually every six to nine months, the department was continually behind the IT power curve.
"A device would become obsolete, and literally off the market, by the time we were able to render it secure enough for DOD networks," Sherald said.
Sherald's team created the process enabling vendors to develop STIGs for their respective products based on DOD Security Requirements Guides developed by FSO, and submit full documentation and evidence for DISA's final validation. This new process is established for mobile devices, but Sherald and the team plans to expand the effort to other technology areas as well.
"For the mobility world, a new process was critical. The market moves too fast, and this was the only way to meet the mobility needs," Sherald said. "We knew that if we could partner with vendors from the start, in their development cycle, and provide them with our Security Requirements Guides, we could get out in front of the market and deliver leading edge capabilities to the department as soon as the technologies are commercially available."
The DOD Chief Information Office's plan boosted the department's direction, but the idea for change actually started back in 2008, when DISA FSO and Sherald's team was facing several major changes. First was a change from 8500 Information Assurance controls to the National Institute of Standards and Technology 800-53 controls. Next was a new DISA Campaign Plan requirement to "automate" STIGs, followed by the need to provide STIGs more quickly. Finally, the team was seeing the growing demand in the IA community for more and more STIGs.
"We took the changes in pieces and worked them methodically to get the components in place to enable our new process. We took the new controls and broke them down into single, actionable, measurable items that lend themselves to automation," Sherald said.
Sherald’s team developed the CORE Security Requirements to provide a "first-of-its-kind" true list of technical IA requirements that could be used to write a guide or develop a system. Next they took those CORE SRGs and started applying them to technology areas to further "refine" the list of requirements for the technology area.
"We 'pilot tested' the concept using a STIG update to validate the new process at each step along the way," Sherald said. "It's been a learning and refining process for the whole team, but we've grown a lot. I could not ask for a better team of people to develop this process."
Sherald realizes that the DOD has come to depend on the STIGs. The team is working very hard to ensure that new vendor-developed documents are developed with the same due diligence and rigor with which FSO-developed STIGS traditionally met commercial technology.
"As with all progressive development, we have to adapt methods and processes to best support our customers," Sherald said. "Ultimately, the warfighters depend on our adaptability."
Since 1998, DISA's FSO has played an integral role to enhance the security posture of DOD's security systems by providing STIGs, which contain technical guidance to "lock down" information systems/software that might otherwise be vulnerable to a malicious computer attack.