Security Technical Implementation Guides (STIG)
Evaluate your product against the DoD’s requirements for secure deployable solutions

What is a STIG?
Security Technical Implementation Guides (STIGs) are configuration standards: sets of cybersecurity requirements for a specific product that describe how to configure that product's software, hardware, and physical and logical architecture so as to reduce its exposure to known vulnerabilities.
Corsec’s end-to-end STIG support guides companies through the DoD’s process, navigating the nuances and difficulties of the program seamlessly and efficiently for clients.
DoD STIG Compliance Helps
- Address DoD Requirements
- Increase Product Security
- Improve Competitive Advantage
DISA’s Risk Management Executive (RME) developed a process whereby original product developers/vendors can write Security Technical Implementation Guides (STIGs) for their products. These STIGs identify configurations that the DoD can trust to address government security concerns.
The DoD requirement for compliance with STIGs and SRGs is mandated by DoDI 8500.01.
Speak with the Experts
Speak directly with the DoD Experts who are working with and supporting products through the testing and verification program.

Addressing DoD STIG Requirements

STIG Hardening Guide:
Provides specific, technical guidance on how to configure the vendor’s product correctly in a DoD environment so that it meets DISA cybersecurity and Unified Capabilities requirements. Identifies areas of non-conformance with DoD requirements (the applicable STIGs, SRGs, and UCR) for the vendor to address.

STIG Authoring:
Development of a custom Security Technical Implementation Guide (STIG) for the vendor’s product. The STIG provides DoD customers a detailed configuration standard for operation of the product in a DoD environment in compliance with DISA standards for cybersecurity, including addressing applicable SRGs.

STIG Listing:
Submission of a custom authored STIG to DISA’s Risk Management Executive. Testing and design adjustments/augmentations are required for listing as a named STIG.
Corsec’s STIG & DoD Assessment
Corsec’s STIG Assessment goes beyond technical checks: it is a strategic session designed to evaluate your product’s readiness and align your team around what is needed to succeed in the DoD.

What Happened to the DoDIN APL?
As of July 18th, the Approved Products Certification Office (APCO) will no longer assign new work to any of the APL distributed test labs (DISA/JITC, USAF/TSSAP, US Navy/NIWC).
Key DoDIN APL Dates:
- Sept 30, 2025: The DoDIN APL program officially sunsets
- Dec 31, 2025: JITC IO testing concludes for vendors already in process
- FY 2026: DISA will maintain the repository of approved DoDIN APL products through this date. Any work that cannot be completed by that time will be returned to the vendor.
Moving forward, cybersecurity requirements will transition to the DISA RME Vendor Security Technical Implementation Guide (STIG) program. Interoperability (IO) requirements will be identified by a soon-to-be-updated Unified Capabilities Requirements (UCR)-CORE document and enforced through contractual provisions.
Addressing New DoD Mandates
The DoD states that “all DoD-owned or controlled information systems that receive, process, store, display, or transmit DoD information, regardless of mission assurance category, classification, or sensitivity” are subject to DoD Directive 8500.1.
A recent DoD memo states “this guidance bridges the gap between the National Institute of Standards and Technology Special Publication 800-53 and risk management framework (RMF)”.
Overall, STIGs are designed to improve application and network security.
STIG FAQs
Are there prerequisites to attaining a STIG?
Yes. A listed STIG will still require a Sponsor, and conformance to FIPS 140-3 is mandated.
Will addressing CAC and PKI be required?
Are there requirements for IPv6?
Do I need my own corporate listed STIG?
Will other certifications now carry more weight in lieu of the APL listing?
Without the DoDIN APL program, a named STIG, conformance to the UCR, a Common Criteria certificate, and/or a FIPS 140-3 validation will carry more weight, especially within the DoD. These are the tools that remain for demonstrating the security of a product.