topic Hi Brad, in Network Security

Enable STIG Compliance

bradleelee — Tue, 12 Mar 2019 09:42:18 GMT

I have been looking for documentation that states exactly what is set when one uses the "Enable STIG Compliance" command on an ASA. I have been unable to find what is actually done on the system once this is implemented. Can anyone point me to the documentation that states what settings/constraints are placed on the system when this is set?

Hi Brad,

Aditya Ganjoo — Mon, 17 Jul 2017 04:00:05 GMT

Hi Brad,

I'm not aware of any STIG specific to ASA software but if you are using Firepower services on ASA then you can check this:

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/System-Policy.html#67083

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Thanks for the response. I

bradleelee — Mon, 17 Jul 2017 15:01:47 GMT

Thanks for the response. I am using Firepower and know that command. I have read the documentation that you have referenced which states the following:

For more information on these settings, see the STIG Release Notes for Version 5.4.1.

Where is the STIG Release Notes documentation? Specifically for the newer versions? 6+

Hi Brad,

Aditya Ganjoo — Mon, 17 Jul 2017 15:29:35 GMT

Hi Brad,

Currently, version 6.x + is not certified as STIG compliant. As such, there is currently no STIG documentation for this version.

Please keep in mind the following points before enabling it:

1. Cisco does not recommend enabling STIG compliance except to comply with Department of Defense security requirements, because this setting may substantially impact the performance of your system.

2. Enabling STIG compliance does not guarantee strict compliance to all applicable STIGs.

3. If you enable STIG compliance on any appliances in your deployment, you must enable it on all appliances. Non-compliant managed devices cannot be registered to STIG-compliant FireSIGHT Management Centers and STIG-compliant managed devices cannot be registered to non-compliant FireSIGHT Management Centers.

4. Applying a system policy with STIG compliance enabled forces appliances to reboot. If you apply a system policy with STIG enabled to an appliance that already has STIG enabled, the appliance does not reboot.

5. If you apply a system policy with STIG disabled to an appliance that has STIG enabled, STIG remains enabled and the appliance does not reboot. A User is unable to disable this setting without assistance from TAC.

Regards,

Aditya

Please rate helpful and mark correct answers

Firepower 6 STIGs Re: Hi Brad,

RobL18 — Fri, 25 May 2018 15:38:31 GMT

What is the present status for STIG compliance in FirePower 6? I did not see a STIG compliance option in Local>System Policy. The DISA approved products list specifies Firepower 6.2+; it would seem unusual for STIG compliance to be a feature limited to Firepower 5.