Industry is not required to STIG their systems. However, they must identify their baseline standards within their system security authorization package (e.g. NIST, NSA, STIG). DCSA as the Security Control Assessor (SCA) and NISP authorization authority will leverage the DISA STIGs for assessment of the implementation of RMF technical security controls.

If the system cannot be assessed using the specified scanning tools, Industry must document the justification and process for assessing the system in the system security authorization package. The assessment will then be conducted in accordance with the system security authorization package.

The ISSP (SCA) and Authorizing Official with oversight of the system can utilize any STIG deemed applicable in their official assessment of the NISP system, however the compliance or non-compliance of each individual control must be validated against any STIG findings.

There is no "requirement" for a specific set of STIGs to be implemented.  Prepared by NISP Authorization Office (NAO) 7/22/2019 v1.0 they serve as a benchmark from which the SCA's assessment of security controls can begin. All applicable security controls (according to the security categorization and risk assessment) must be addressed, and residual risk from vulnerabilities mitigated to the satisfaction of the Authorizing Official.

Remember,

• The DISA “STIG Master List” provides a repository of all current STIG resources available.
• If STIGs are not developed for a particular system or application, organizations can substitute a Security Requirements Guide (SRG).
• There may be cases when a STIG is not available for a current hardware, firmware, operating system, or application.

100 + NIST 800-53 Templates Available for Download for Cleared Industry

The solution for cleared industry is the Arlington Security Portal (ASP), an online repository of world-class, industry leading security and privacy policies & procedures, programs, plans – and other highly essential documents & templates developed specifically on NIST SP 800-53, Revision 5.

 From Beginning to End, Complete Project Management for NIST RMF A&A within eMASS

With Arlington, we can manage your entire NIST RMF A&A process within eMASS from beginning to end (i.e., from the initial NIST RMF eMASS scoping & gap assessment to post-Authorization to Operate (ATO) activities), providing essential services for getting you to the finish line in terms of your ATO.  Core services and solutions offered include the following:

• Scoping & Gap (i.e., Readiness) Assessments
• Remediation Services (Policy and Procedures writing)
• Remediation Services (Technical and Operational)
• System Security Plan (SSP) Development
• Completion of eMASS Export Control Spreadsheets
• Continuous Monitoring (ConMon) Services

About Arlington

We are Arlington, a team of innovative, solution-oriented, highly agile, and well-versed professionals with decades of experience in working with America’s defense industry. From emerging cybersecurity regulations to helping our clients solve complex security & compliance solutions – and so much more – you can trust Arlington, the firm that’s Dedicated to Defense®.  Learn more at arlingtonintel.com.