07-16-2017 01:32 PM - edited 03-12-2019 02:42 AM
I have been looking for documentation that states exactly what is set when one uses the "Enable STIG Compliance" command on an ASA. I have been unable to find what is actually done on the system once this is implemented. Can anyone point me to the documentation that states what settings/constraints are placed on the system when this is set?
07-16-2017 09:00 PM
Hi Brad,
I'm not aware of any STIG specific to ASA software but if you are using Firepower services on ASA then you can check this:
http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/System-Policy.html#67083
Regards,
Aditya
Please rate helpful posts and mark correct answers.
07-17-2017 08:01 AM
Thanks for the response. I am using Firepower and know that command. I have read the documentation that you have referenced which states the following:
For more information on these settings, see the STIG Release Notes for Version 5.4.1.
Where is the STIG Release Notes documentation? Specifically for the newer versions (6+)?
07-17-2017 08:29 AM
Hi Brad,
Currently, version 6.x + is not certified as STIG compliant. As such, there is currently no STIG documentation for this version.
Please keep in mind the following points before enabling it:
1. Cisco does not recommend enabling STIG compliance except to comply with Department of Defense security requirements, because this setting may substantially impact the performance of your system.
2. Enabling STIG compliance does not guarantee strict compliance to all applicable STIGs.
3. If you enable STIG compliance on any appliances in your deployment, you must enable it on all appliances. Non-compliant managed devices cannot be registered to STIG-compliant FireSIGHT Management Centers and STIG-compliant managed devices cannot be registered to non-compliant FireSIGHT Management Centers.
4. Applying a system policy with STIG compliance enabled forces appliances to reboot. If you apply a system policy with STIG enabled to an appliance that already has STIG enabled, the appliance does not reboot.
5. If you apply a system policy with STIG disabled to an appliance that has STIG enabled, STIG remains enabled and the appliance does not reboot. A user is unable to disable this setting without assistance from TAC.
Regards,
Aditya
Please rate helpful posts and mark correct answers.
05-25-2018 08:38 AM
What is the present status for STIG compliance in Firepower 6? I did not see a STIG compliance option in Local > System Policy. The DISA approved products list specifies Firepower 6.2+; it would seem unusual for STIG compliance to be a feature limited to Firepower 5.