Compliance Suite Introduction
DISA Security Technical Implementation Guide
A Security Technical Implementation Guide (STIG) is a configuration standard for United States Department of Defense (DoD) Information Assurance (IA) and IA-enabled devices/systems published by the United States Defense Information Systems Agency (DISA). Since 1998, DISA has played a critical role in enhancing the security posture of DoD systems by providing the STIGs. The STIGs contain technical guidance to “lock down” information systems/software that might otherwise be vulnerable to a malicious computer attack.
Importantly, compliance with the STIG guidance requires only open source software and documentation. The PostgreSQL STIG is based on open source, unmodified PostgreSQL used in conjunction with certain open source PostgreSQL extensions – most notably, pgaudit.
DISA PostgreSQL STIG Automation
Developed to support the National Geospatial-Intelligence Agency (NGA)’s GEOINT Services mission to reduce the time it takes to secure Authority to Operate certification for cloud services, Crunchy Data’s technology leverages open source software to provide automated compliance testing. In this case, the compliance testing and the subsequent review and approval were accomplished within 72 hours, a major reduction in effort. The PostgreSQL STIG Automation project uses the InSpec Project, an open source compliance, security and policy testing framework, to dynamically extract system configuration information. This information is checked against strict DoD security guidelines crafted by industry-leading PostgreSQL security experts. The PostgreSQL STIG Automation project also electronically supplements the Body of Evidence required to verify NIST 800-53 and the government’s compliance requirements.
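As an added illustration of the kind of configuration check the automation performs (example code written for this page, not Crunchy Data's InSpec profile): a plain-Ruby checker that parses a postgresql.conf and evaluates pgaudit-related settings the way an InSpec control would, reporting findings rather than changing anything. The setting names are real PostgreSQL and pgaudit parameters; the required values and the sample file are constructed for illustration, not taken from the STIG.

```ruby
# Example checker (not the project's code): parse postgresql.conf and report
# pgaudit/logging findings. Required values below are assumptions for illustration.

# Parse "name = value" / "name value" lines; '#' starts a comment, values may be quoted.
def parse_postgresql_conf(text)
  settings = {}
  text.each_line do |line|
    line = line.sub(/#.*/, '').strip
    next if line.empty?
    name, value = line.split(/\s*=\s*|\s+/, 2)
    next if name.nil? || value.nil?
    settings[name.downcase] = value.strip.gsub(/\A'|'\z/, '')
  end
  settings
end

ON_VALUES = %w[on true yes 1].freeze

# Returns a list of findings (an empty list means every check passed).
def pgaudit_findings(settings)
  findings = []
  libs = settings.fetch('shared_preload_libraries', '').split(',').map(&:strip)
  findings << 'pgaudit is not in shared_preload_libraries' unless libs.include?('pgaudit')
  # pgaudit.log is a comma list of classes; 'all' enables everything and '-class' excludes one.
  classes = settings.fetch('pgaudit.log', 'none').split(',').map { |c| c.strip.downcase }
  %w[ddl role].each do |cls|
    enabled = (classes.include?('all') || classes.include?(cls)) && !classes.include?("-#{cls}")
    findings << "pgaudit.log does not include '#{cls}'" unless enabled
  end
  %w[log_connections log_disconnections].each do |name|
    findings << "#{name} is not on" unless ON_VALUES.include?(settings[name].to_s.downcase)
  end
  findings
end

# Constructed sample fragment with deliberate gaps, standing in for a real server's file.
SAMPLE_CONF = <<~CONF
  listen_addresses = '*'
  shared_preload_libraries = 'pg_stat_statements'   # pgaudit not loaded
  pgaudit.log = 'ddl'
  log_connections = on
  log_disconnections = off
CONF

def audit_sample
  pgaudit_findings(parse_postgresql_conf(SAMPLE_CONF))
end
```

Running `audit_sample` on the constructed fragment yields three findings (pgaudit not preloaded, the role class missing from pgaudit.log, and log_disconnections off); a fragment that loads pgaudit with `pgaudit.log = 'all, -misc'` and both logging switches on yields none.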