Enable STIG Compliance

bradleelee
Level 1

I have been looking for documentation that states exactly what is set when one uses the "Enable STIG Compliance" command on an ASA.  I have been unable to find what is actually done on the system once this is implemented.  Can anyone point me to the documentation that states what settings/constraints are placed on the system when this is set?

4 Replies

Aditya Ganjoo
Cisco Employee

Hi Brad,

I'm not aware of any STIG specific to ASA software but if you are using Firepower services on ASA then you can check this:

http://www.cisco.com/c/en/us/td/docs/security/firesight/541/firepower-module-user-guide/asa-firepower-module-user-guide-v541/System-Policy.html#67083

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Thanks for the response.  I am using Firepower and know that command.  I have read the documentation that you have referenced which states the following:

For more information on these settings, see the STIG Release Notes for Version 5.4.1.

Where are the STIG Release Notes? Specifically for the newer versions (6+)?

Hi Brad,

Currently, version 6.x+ is not certified as STIG compliant. As such, there is currently no STIG documentation for this version.

Please keep in mind the following points before enabling it:

1. Cisco does not recommend enabling STIG compliance except to comply with Department of Defense security requirements, because this setting may substantially impact the performance of your system.

2. Enabling STIG compliance does not guarantee strict compliance to all applicable STIGs.

3. If you enable STIG compliance on any appliances in your deployment, you must enable it on all appliances. Non-compliant managed devices cannot be registered to STIG-compliant FireSIGHT Management Centers and STIG-compliant managed devices cannot be registered to non-compliant FireSIGHT Management Centers.

4. Applying a system policy with STIG compliance enabled forces appliances to reboot. If you apply a system policy with STIG enabled to an appliance that already has STIG enabled, the appliance does not reboot.

5. If you apply a system policy with STIG disabled to an appliance that has STIG enabled, STIG remains enabled and the appliance does not reboot. A user is unable to disable this setting without assistance from TAC.

Regards,

Aditya

Please rate helpful and mark correct answers

What is the present status for STIG compliance in Firepower 6? I did not see a STIG compliance option in Local > System Policy. The DISA approved products list specifies Firepower 6.2+; it would seem unusual for STIG compliance to be a feature limited to Firepower 5.
