Security Technical Implementation Guide (STIG) Checklists

Know what a STIG checklist is, its role in cybersecurity, and why it’s important.

STIG checklist

Published 16 Mar 2022

What is a STIG Checklist?

A Security Technical Implementation Guide (STIG) checklist is used by different technology organizations to ensure and enhance security in their systems and their products. STIG checklists can also help maintain the quality of products and services.

This article briefly discusses:

Importance of a STIG Checklist

The primary reason behind using STIG checklists is to ensure cyber safety. Without STIGs and STIG checklists, the Defense Information Systems Agency (DISA) would find it difficult to standardize their cyber safety efforts, putting the government and military systems of the US at risk of malicious attacks.

Initially, the DISA, which is part of the US Department of Defense (DoD), created STIGs to guard and protect combatant and non-combatant government systems from cybersecurity threats and vulnerabilities. Currently, there are over a hundred STIGs in place, and these are updated regularly, depending on when their respective products and services are upgraded or revised. Having STIG checklists, therefore, helps ensure that government agencies are following the standards set by the DISA while eliminating the risk of any cyberattacks.

In the process of keeping an eye out for risks to cybersecurity, government agencies also conduct general inspections. In some cases, especially when dealing with hardware, the general inspection check is performed alongside the STIG inspection as inspectors consider the latter to be part of general maintenance.

In the private sector, STIG checklists are used in the same way. As cybersecurity threats evolve and grow more dangerous each day, private Information Technology (IT) products and services that are part of the DoD are now also required to follow STIGs. They are to use the same STIGs as the ones used by the government, which allows for their products and services to also be used by the public sector if needed.

Not only does the compliance of private IT products and services with STIG affect their license to sell and operate in the US, but it also affects their customers’ safety from the public and private sector alike. This can then affect the government’s operations and even place the country at risk of cyberattacks if they are non-compliant. The technological features that are most at risk for these kinds of threats are those related to keeping personal information such as mobile numbers and emails, as well as one’s geographical location history.

What is in a STIG Checklist?

There is no one way to create a universal STIG checklist as each checklist is specific to the product or service it’s made for. Generally, these checklists are meant to note the compliance of a certain product, process, or service in reference to the guides set by the DISA.

A typical STIG checklist would include the following elements:

  • the name of the product or service being examined;
  • the last upgrade or update to it, if applicable;
  • a list of the important aspects of the product or service that can affect cybersecurity’;
  • the actions to be taken to address said risks; and
  • a metric to describe the importance of each risk to overall safety (such as high, medium, or low severity, which are also known as Category 1, 2, and 3, respectively).

The most commonly used and updated STIGs and STIG checklists are for software, hardware, and processes that are used in both the private and public sectors. The categories with the most STIGs are the following:

  1. Application Security – for applications focused on providing and maintaining security for hardware and software alike
  2. Network/Perimeter/Wireless – for the use and maintenance of wireless networks such as WiFi modems, routers, firewalls, and connectors
  3. Operating Systems – for the use, maintenance, and upgrading of operating systems such as Apple, Windows, Android, and Linux for computers, mobile devices, and wearable devices

However, while STIG checklists aim to ensure legal compliance and cyber safety, they may not be enough to conduct overall maintenance, quality, and safety checks. For this, some organizations prefer to double-check their inspections, creating their own checklists for it. Often based on the STIGs, these checklists are for their own use and are kept for purposes such as keeping a maintenance log or as proof of their compliance.

iAuditor for STIG Compliance

To help ensure your compliance with STIGs, consider using iAuditor by SafetyCulture. iAuditor is a digital checklist app that allows you to create checklists and perform inspections. All your accomplished forms will be stored in the app and can be accessed from all iOS and Android devices, allowing you to work on the go. iAuditor offers three ways to use checklists.

  • Use one of our free pre-made checklist templates for your STIG requirements. These checklists are easily customizable to fit your organization’s needs, and can be exported in different formats.
  • Create your own checklist template with the help of the Template Editor; and
  • Upload any existing checklists you may have in Excel, Word, or PDF format to the app and convert them for use in iAuditor, allowing you to store all your inspections in one place where everyone can access and edit it.

You can also report problems through Issues and assign Actions to specific people through the app, ensuring all problems are addressed, leading to better quality assurance and legal compliance. You can also choose to raise them through the app’s Heads Up feature, which allows you to notify the whole organization or a specific team as well, promoting a system of open communication in your workplace.

roselin manawis safetyculture content specialist

SafetyCulture Content Specialist

Roselin Manawis

Roselin Manawis is a content writer and researcher for SafetyCulture. She has experience in news writing and content marketing across different fields of discipline. Her background in Communication Arts enables her to leverage multimedia and improve the quality of her work. She also contributed as a research assistant for an international study and as a co-author for two books in 2020. With her informative articles, she aims to ignite digital transformation in workplaces around the world.

Roselin Manawis is a content writer and researcher for SafetyCulture. She has experience in news writing and content marketing across different fields of discipline. Her background in Communication Arts enables her to leverage multimedia and improve the quality of her work. She also contributed as a research assistant for an international study and as a co-author for two books in 2020. With her informative articles, she aims to ignite digital transformation in workplaces around the world.

Featured Template