DISA STIG Compliance for the Enterprise Network…Really?
When most enterprise network experts hear Defense Investigation Services Agency’s (DISA) Security Technical Implementation Guide (STIG), the immediate reaction tends to be “I’m not part of the federal government or Department of Defense, so it doesn’t impact me and has no value to me.” While the first part is correct that DISA STIG requirements are generally imposed on government entities, the second part is incorrect because DISA STIG best practices can provide huge value to enterprises.
While non-government organizations may not be forced to pass a DISA STIG audit, the majority have their own compliance standards or best practices they must follow. In the enterprise world, there are two broad types of requirements – external standards imposed on enterprises and internal best practices that are self-imposed.
- External standards imposed on enterprises – These are the most visible compliance standards because regulatory bodies place requirements on an organization based on certain criteria. Examples include standards like PCI DSS for organizations accepting credit cards or industry-specific mandates like HIPAA for the healthcare industry and NERC/FERC for the utility industry.
- Internal best practices that are self-imposed – Regardless of mandatory external standards applied to an organization, most successful enterprises have evolved a set of internal best practices that help maintain a safe, secure, and reliable network. Custom rules or policies should be created to ensure that goal.
Compliance – Love or Hate?
In a playful way, I tend to group compliance mandates with personal healthcare traits. Should I exercise more? Track what I eat better? Schedule preventive doctor appointments? We all say yes, yes, and yes, but many of us don’t do it well because we are too busy with other things and only think about it when we get sick.
Compliance can be the same thing: we know we should be tracking and monitoring continuously. But do we? Typically it’s something we put off because it’s a tedious, manual process for most IT teams for implementation – and we all are too busy already. As a result, we tend to ignore compliance measures until we can’t – either when something breaks (or is broken into) or when an audit is required.
There is a Better Way
While there are many nuances and details, there are three high-level processes that need to be followed for building and adhering to internal best practice policies and/or external mandates:
- Build the definition of what policy must be followed by which device.
- Implement the policies and ensure the current state of each device is compliant.
- Continuously monitor any change over time and ensure the policy isn’t violated.
Defining policies can be extremely challenging because organizations need to think about many different requirements and goals across the enterprise. Too often, the IT team is overworked with day-to-day requirements to set aside weeks or months to build detailed best practices and standards because there is often no clear starting point.
For many standards, policies are not well defined. What does “keep a safe and secure network” mean? How do I take that from a vision to something that can be implemented? Do I have the expertise in-house? Do I have budget to hire a consultant? I don’t have an audit coming up, so should I just ignore it?
Someone Else Already Did the Hard Work for You
This is where DISA STIG can help an enterprise or non-government organization – the building of definitions and policies for devices. From a network infrastructure point of view, the DISA STIG standards has hundreds of category 1, 2, and 3 rules/best practices for devices including:
- Infrastructure Layer 2 Switch
- Infrastructure Layer 3 Switch
- Infrastructure Router
- Network Devices
- Perimeter Layer 3 Switch
- Perimeter Router
The DISA STIG standards highlight many things IT and networking teams should be looking for with regard to standards and best practices, so it’s a great starting place for taking the first step of compliance – defining the individual policies for both internal and external mandates. Don’t guess and build from scratch when you have a well-defined blueprint available that can be tweaked for your needs.
When it comes to an audit, you’ll be much more successful if you can say “we are using the DISA STIG policies and rules as our standards” instead of “we’re good, trust me.”
It’s a Start, but There is More
When it comes to step 2 (initial deployment of policies) and step 3 (continuous monitoring of policies), this is where an automated network change and configuration management solution can come in handy. This type of solution helps automate many of the manual tasks typically associated with compliance monitoring.
If you’re looking to improve and automate network compliance or best practice monitoring, there are several things you should look for in a solution:
- Built-in policies and standards for common mandates (i.e. DISA STIG, PCI DSS, NSA, etc.) with automated updates
- Ability to easily modify policies and/or create new rules bases on your individual requirements
- Discovery of devices, device types, and operating systems because rules likely vary across different attributes
- Templates to build policies based on needs (i.e. vendor, device type, application, internal/external facing, etc.)
- Immediate comparison of current configuration against the rule
- Ongoing tracking of all configuration changes with the ability to compare new configurations to the rule templates
- Notification of rule violations with the ability to remediate immediately or on demand
- Reporting and documentation for both troubleshooting and auditing
While starting and defining an internal best practice or deciphering an external mandate can be overwhelming at first, don’t put your head in the sand and wait until there is a breach or an audit. There are steps you can take to make the process bite-sized and digestible. Leverage existing standards such as DISA STIG as a starting point and modify based on your requirements. Take advantage of automated network change and configuration management tools to eliminate the tedious, manual, repetitive processes.
Setting up policies for tracking and monitoring best practices or mandates isn’t binary or a flip of a switch. It’s an evolutionary process where you build the standards, start tracking, monitor over time, and make continuous tweaks based on your individual needs. Take advantage of what others have built to make your job easier.