Security Technical Implementation Guide (STIG)
A Security Technical Implementation Guide (STIG) is a configuration standard developed by DISA that specifies exactly how a particular technology — an operating system, application, network device, or database — must be configured to meet DoD security requirements. A STIG contains hundreds of specific settings, each assigned a finding severity category (CAT I, CAT II, or CAT III, from most to least severe).
Every piece of technology running on a DoD network must be configured according to its applicable STIG. This means specific registry keys, group policy settings, file permissions, service configurations, and feature enablement/disablement — all prescribed in detail.
STIG compliance is verified through automated SCAP-based scanning tools and manual checklist review. Each non-compliance finding must be documented and then either remediated or formally accepted through a risk acceptance process.
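As an added illustration of the verification step above (example code, not from this page or from DISA): a small parser that reads an SCAP result in XCCDF form, maps each rule's severity to its CAT level, and lists the open findings that would need remediation or risk acceptance. The XML sample is constructed and trimmed to the elements used here; its rule ids and titles are placeholders, not real STIG identifiers.

```python
"""Summarise open STIG findings from an XCCDF (SCAP) result by CAT severity."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# XCCDF rule severity -> DISA finding category
CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}
CAT_ORDER = ("CAT I", "CAT II", "CAT III", "unknown")
# Results that do not leave an open finding behind
NOT_OPEN = {"pass", "notapplicable", "notselected", "informational", "fixed"}

# Constructed sample shaped like a trimmed XCCDF 1.2 benchmark with an embedded TestResult.
SAMPLE_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <Rule id="xccdf_example_rule_1" severity="high"><title>Disable anonymous access</title></Rule>
  <Rule id="xccdf_example_rule_2" severity="medium"><title>Set minimum password length</title></Rule>
  <Rule id="xccdf_example_rule_3" severity="low"><title>Enable login banner</title></Rule>
  <TestResult id="xccdf_example_result_1">
    <rule-result idref="xccdf_example_rule_1"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_2"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_3"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>"""


def open_findings(xccdf_xml: str) -> list[dict]:
    """Return rule-results that are still open, tagged with their CAT level, CAT I first."""
    root = ET.fromstring(xccdf_xml)
    rules = {}
    for rule in root.iter(f"{{{NS['x']}}}Rule"):
        title = rule.find("x:title", NS)
        cat = CAT.get(rule.get("severity", ""), "unknown")
        rules[rule.get("id")] = (cat, title.text if title is not None else "")
    findings = []
    for rr in root.iter(f"{{{NS['x']}}}rule-result"):
        result = rr.find("x:result", NS)
        status = result.text if result is not None else "unknown"
        if status in NOT_OPEN:
            continue
        cat, title = rules.get(rr.get("idref"), ("unknown", ""))
        findings.append({"rule": rr.get("idref"), "cat": cat, "title": title, "result": status})
    findings.sort(key=lambda f: CAT_ORDER.index(f["cat"]))
    return findings


def summarize(xccdf_xml: str) -> dict[str, int]:
    """Count open findings per CAT level."""
    return dict(Counter(f["cat"] for f in open_findings(xccdf_xml)))


if __name__ == "__main__":
    for f in open_findings(SAMPLE_XML):
        print(f"{f['cat']:8}{f['result']:6}{f['rule']}  {f['title']}")
    print(summarize(SAMPLE_XML))
```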
Why It Matters
If you operate or deliver systems for the DoD, STIG compliance is non-negotiable. Understanding STIGs helps you build compliant systems from the start rather than spending time and money remediating findings after deployment.