DISA Security Technical Implementation Guides (STIGs)
DISA Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs), published by the Defense Information Systems Agency via the DoD Cyber Exchange. SRGs are technology-family security-requirement sets derived from NIST SP 800-53 (via Control Correlation Identifiers); STIGs are product-specific hardening guides implementing the applicable SRG, each comprising findings categorised CAT I/II/III, assessed using STIG Viewer and SCAP-validated tools and tracked in eMASS. This node represents the STIG/SRG program structure (technology families, severity categories, assessment tooling and governance lifecycle); the per-product STIG findings are a catalog (hundreds of STIGs) and are not enumerated here.
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (5)

DISA STIG: Assessment and Automation

| Code | Title |
|---|---|
| STIG-ASSESS-IV | Independent validation of STIG findings |
| STIG-ASSESS-SCAP | SCAP automated benchmark scanning |
| STIG-ASSESS-VIEWER | STIG Viewer checklist execution |

DISA STIG: Exceptions and Governance

| Code | Title |
|---|---|
| STIG-GOV-CCI | CCI and NIST SP 800-53 traceability |
| STIG-GOV-EMASS | eMASS integration and reporting |
| STIG-GOV-EXC | Exception and risk acceptance (POA&M) |
| STIG-GOV-TRAIN | STIG-aware personnel training |

DISA STIG: Program and Applicability

| Code | Title |
|---|---|
| STIG-PGM-1 | STIG/SRG applicability determination and baseline |
| STIG-PGM-2 | STIG and SRG currency and release management |
| STIG-PGM-3 | Change control and configuration-drift prevention |

DISA STIG: Severity and Remediation

| Code | Title |
|---|---|
| STIG-SEV-CAT1 | Category I (high severity) finding remediation |
| STIG-SEV-CAT2 | Category II (medium severity) finding remediation |
| STIG-SEV-CAT3 | Category III (low severity) finding remediation |

DISA STIG: Technology-Family Requirements (SRGs)

| Code | Title |
|---|---|
| STIG-SRG-APP | Application and application server STIG |
| STIG-SRG-BROW | Browser STIG |
| STIG-SRG-CLD | Cloud, virtualization and container STIG |
| STIG-SRG-DB | Database STIG |
| STIG-SRG-EPP | Endpoint protection (antivirus/EDR) STIG |
| STIG-SRG-MOB | Mobility and mobile device STIG |
| STIG-SRG-NET | Network device STIG hardening |
| STIG-SRG-OS | Operating system STIG hardening |
| STIG-SRG-WEB | Web server STIG |
Frequently Asked Questions
What is DISA Security Technical Implementation Guides (STIGs)?
DISA Security Technical Implementation Guides (STIGs) is a compliance framework from the United States with 5 domains and 22 controls. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does DISA Security Technical Implementation Guides (STIGs) have?
DISA Security Technical Implementation Guides (STIGs) has 22 controls organised across 5 domains. The largest domains are DISA STIG: Technology-Family Requirements (SRGs) (9 controls), DISA STIG: Exceptions and Governance (4 controls), DISA STIG: Assessment and Automation (3 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does DISA Security Technical Implementation Guides (STIGs) map to?
DISA Security Technical Implementation Guides (STIGs) maps to 3 other compliance frameworks. The top mapping partners are NIST SP 800-53 Rev 5 (23% coverage), CMMC 2.0 (14% coverage), CIS Controls v8 (5% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with DISA Security Technical Implementation Guides (STIGs) compliance?
Start your DISA Security Technical Implementation Guides (STIGs) compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about DISA Security Technical Implementation Guides (STIGs) requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 22 controls and track your progress.