
Security Technical Implementation Guide (STIG)

Configuration standards published by DISA for securing information systems and software against known vulnerabilities.

Overview

Security Technical Implementation Guides (STIGs) are configuration standards developed by the Defense Information Systems Agency (DISA) that define how to securely configure operating systems, applications, network devices, and other IT components. STIGs provide specific, actionable hardening guidance to reduce the attack surface of DoD information systems.

Why It Matters in GovCon

Contractors delivering or managing IT systems for DoD must comply with applicable STIGs as a condition of obtaining an Authority to Operate. STIG compliance is verified through automated scanning tools and manual checklists, and non-compliance findings can delay system deployment or result in security waivers.

Key Details

  • DISA-Published: DISA maintains and publishes STIGs for hundreds of products, from Windows Server to Oracle databases.
  • CAT Levels: Findings are categorized as CAT I (high severity), CAT II (medium), or CAT III (low) based on risk.
  • SCAP: Many STIGs have companion Security Content Automation Protocol benchmarks for automated scanning.
  • Waivers: Organizations can request waivers for STIG requirements that cannot be met due to operational necessity.
  • Update Frequency: STIGs are updated quarterly to address new vulnerabilities and product versions.
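To make the CAT levels and SCAP scanning concrete, here is an added example (not part of this glossary page and not a DISA tool) that tallies open findings from an XCCDF scan result by CAT level. It assumes the XCCDF 1.2 TestResult layout emitted by SCAP scanners, where each rule-result carries a severity attribute and a result child, and it maps severity high/medium/low to CAT I/II/III. The rule ids in the sample XML are placeholders, and the "any open CAT I blocks" gate is an illustrative policy, not a DISA rule.

```python
"""Tally STIG findings from an XCCDF scan result by CAT level.

Added example (not part of the glossary page). Assumes the XCCDF 1.2
TestResult layout produced by SCAP scanners: each <rule-result> has a
`severity` attribute and a <result> child. The mapping
high/medium/low -> CAT I/II/III follows DISA's convention.
"""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed sample scanner output; rule ids are placeholders, not real STIG ids.
SAMPLE_RESULT = """<?xml version="1.0"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_testresult_scan1">
  <rule-result idref="xccdf_example_rule_PLACEHOLDER-1" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_PLACEHOLDER-2" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_PLACEHOLDER-3" severity="medium">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_PLACEHOLDER-4" severity="low">
    <result>notapplicable</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_PLACEHOLDER-5" severity="low">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_PLACEHOLDER-6" severity="high">
    <result>notchecked</result>
  </rule-result>
</TestResult>
"""

SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

# XCCDF result values treated as an open finding. "notchecked" rules
# still need a manual checklist review, so they are reported separately.
OPEN_RESULTS = {"fail", "error", "unknown"}


def tally_findings(xccdf_xml: str) -> dict:
    """Return open findings per CAT level plus rule ids needing manual review."""
    root = ET.fromstring(xccdf_xml)
    ns = {"x": XCCDF_NS}
    open_by_cat = Counter()
    manual_review = []
    for rr in root.findall("x:rule-result", ns):
        severity = rr.get("severity", "").lower()
        cat = SEVERITY_TO_CAT.get(severity, "UNRATED")
        result_el = rr.find("x:result", ns)
        result = (result_el.text or "").strip() if result_el is not None else "unknown"
        if result in OPEN_RESULTS:
            open_by_cat[cat] += 1
        elif result == "notchecked":
            manual_review.append(rr.get("idref"))
    return {"open": dict(open_by_cat), "manual_review": manual_review}


def blocks_deployment(summary: dict) -> bool:
    """Illustrative gate (assumption, not DISA policy): any open CAT I finding blocks."""
    return summary["open"].get("CAT I", 0) > 0


if __name__ == "__main__":
    summary = tally_findings(SAMPLE_RESULT)
    for cat in ("CAT I", "CAT II", "CAT III"):
        print(f"{cat}: {summary['open'].get(cat, 0)} open")
    print("needs manual review:", summary["manual_review"])
    print("blocking:", blocks_deployment(summary))
```

Run the script as-is to see the per-CAT counts for the constructed sample; point `tally_findings` at the XML from a real SCAP scan to get the same summary for an actual system. Separating "notchecked" from "fail" matters because automated benchmarks cannot evaluate every STIG rule, and those gaps are exactly the items that the manual checklist must cover before an ATO package is complete.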

Related Terms

  • Defense Information Systems Agency (DISA)
  • Authority to Operate (ATO)
  • Risk Management Framework (RMF)
  • NIST SP 800-53
