Viewer II

DISA STIG Management

To anyone that works in the DoD space... how can you take a .ckl file and add the new STIG requirements to that ckl file to be reviewed so that you can avoid having to review ALL of the STIG requirements every quarter?

3 Replies
Newcomer I

Re: DISA STIG Management

You can't. Welcome to DOD internal written software.

You will need to generate the new checklist and copy/paste any findings/comments back over, keeping an eye open for changed items. Not too difficult if you are lucky enough to do this on a SCAP scan, but that's limited to something like 8 checklists total.

Now if someone was willing to pay me, I could build a new checklist manager that can compare an old+new checklist, create a "combined" checklist with proper formatting & a list of what's new, but it will take about 6 months. I would also need to work it on personal time, so... yeah, never gonna happen.
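The carry-over described in the reply above, sketched as an added example (not code from the thread or from DISA's tooling): it copies review fields from an old checklist into a new one and reports the delta. It assumes the STIG Viewer 2.x `.ckl` XML layout (`VULN` elements holding `STIG_DATA` pairs plus `STATUS`, `FINDING_DETAILS` and `COMMENTS`), matches items on `Vuln_Num`, and treats a different `Rule_ID` as a changed requirement; the sample checklists are constructed.

```python
import xml.etree.ElementTree as ET

# Per-VULN review fields in a STIG Viewer .ckl that the reviewer fills in.
CARRY = ("STATUS", "FINDING_DETAILS", "COMMENTS", "SEVERITY_OVERRIDE", "SEVERITY_JUSTIFICATION")

def attr(vuln, name):
    """Return ATTRIBUTE_DATA of the STIG_DATA entry whose VULN_ATTRIBUTE is name."""
    for sd in vuln.iter("STIG_DATA"):
        if sd.findtext("VULN_ATTRIBUTE") == name:
            return sd.findtext("ATTRIBUTE_DATA") or ""
    return ""

def statuses(ckl_xml):
    """Map Vuln_Num -> STATUS for every VULN in a checklist."""
    return {attr(v, "Vuln_Num"): v.findtext("STATUS")
            for v in ET.fromstring(ckl_xml).iter("VULN")}

def merge_ckl(old_xml, new_xml):
    """Carry review results into new; return (merged_xml, {Vuln_Num: 'new'|'changed'})."""
    old = {attr(v, "Vuln_Num"): v for v in ET.fromstring(old_xml).iter("VULN")}
    root = ET.fromstring(new_xml)
    delta = {}
    for v in root.iter("VULN"):
        num, prev = attr(v, "Vuln_Num"), old.get(attr(v, "Vuln_Num"))
        if prev is None:
            delta[num] = "new"
        elif attr(prev, "Rule_ID") != attr(v, "Rule_ID"):
            delta[num] = "changed"   # assumption: a revised rule gets a new Rule_ID
        else:
            for tag in CARRY:        # unchanged rule: copy the reviewer's fields
                src, dst = prev.find(tag), v.find(tag)
                if src is not None and dst is not None:
                    dst.text = src.text
    return ET.tostring(root, encoding="unicode"), delta

# Constructed sample data (not real STIG content), trimmed to the fields used here.
def vuln(num, rule, status="Not_Reviewed", details=""):
    data = "".join(f"<STIG_DATA><VULN_ATTRIBUTE>{k}</VULN_ATTRIBUTE>"
                   f"<ATTRIBUTE_DATA>{v}</ATTRIBUTE_DATA></STIG_DATA>"
                   for k, v in (("Vuln_Num", num), ("Rule_ID", rule)))
    return (f"<VULN>{data}<STATUS>{status}</STATUS>"
            f"<FINDING_DETAILS>{details}</FINDING_DETAILS><COMMENTS/></VULN>")
def ckl(*vulns):
    return "<CHECKLIST><STIGS><iSTIG>" + "".join(vulns) + "</iSTIG></STIGS></CHECKLIST>"

OLD_CKL = ckl(vuln("V-0001", "SV-0001r1_rule", "NotAFinding", "Verified in config"),
              vuln("V-0002", "SV-0002r1_rule", "Open", "Setting missing"))
NEW_CKL = ckl(vuln("V-0001", "SV-0001r1_rule"), vuln("V-0002", "SV-0002r2_rule"),
              vuln("V-0003", "SV-0003r1_rule"))
```

Items listed in the delta keep the new checklist's `Not_Reviewed` status, so only those need a fresh review; a real `.ckl` carries more `STIG_DATA` attributes, which this merge leaves untouched.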

Viewer II

Re: DISA STIG Management

Hey Samhain, actually DISA released the new version of STIG Viewer last week and it does exactly what I was asking. Maybe my back and forth with them got them to do it... I have no idea but I think it was released on Oct. 23. I've tested it and it works perfectly. Basically you make a new checklist and then import in the previous checklist. You're left with the delta as not reviewed.
Newcomer I

Re: DISA STIG Management

Yep. They did fix that "little" issue finally. I saw the release on Friday, but hadn't pulled it down yet. We aren't due for a full STIG review until next month, so wasn't in a rush.

Now if I can just figure out how to work with the XCCDF files directly in my own apps, I'll be set. I really want to automate the IIS 8.5 STIG for our web servers. It's a real pain hand-checking every setting.