Announcing Support for DISA STIGs in Puppet Comply
I’ve got some exciting news!
With the recent release of Puppet Comply 1.0.2, we’re providing the ability to assess Windows Server 2016 nodes against DISA STIGs, the security configuration standards required of organizations that do business with the U.S. Department of Defense. This new capability makes it much easier for organizations to assess and demonstrate compliance with DISA STIGs.
Although the Department of Defense’s Cloud Computing Security Requirements Guide indicates that the CIS Benchmarks™ are an acceptable alternative to STIGs, we know that many organizations are still required to demonstrate compliance with STIGs specifically.
Puppet Comply leverages CIS-CAT® Pro, the compliance assessment tool created by the Center for Internet Security® (CIS), to scan infrastructure against the CIS Benchmarks. Through their partnership with experts in the cybersecurity community, CIS has incorporated STIG assessment into CIS-CAT Pro.
Puppet Comply 1.0.2 introduces the ability to assess nodes against CIS Windows Server 2016 STIGs. These new STIG benchmarks align to the existing CIS Benchmarks, with clear guidance on how the controls map to each other and which controls are unique to STIGs:
- The existing CIS level 1 and level 2 profiles have been mapped to the applicable STIG recommendations.
- A new level 3 profile contains the additional STIG requirements that aren’t covered by the level 1 and level 2 profiles.
- Scans against the level 3 profile automatically include all of the rules for level 1 and level 2.
Comply users can select the profile to scan against, get a clear view of which systems passed or failed each control, and drill down for guidance on how to remediate failures.
This is only the first step toward expanding Puppet Comply’s assessment capabilities. In future releases, we plan to support STIG assessment for additional operating systems, as well as other common regulations. Stay tuned for more!
Alex Hin is the Principal Engineering Product Manager for Puppet Comply.
- [Learn how](https://puppet.com/resources/webinar/puppet-cis-develop-an-effective-strategy-for-simplified-compliance) to simplify and automate your compliance program with Puppet and the CIS Benchmarks.
- Listen to our podcast episode to learn how Puppet Comply helps automate infrastructure-wide compliance.
- [ANZ Bank](https://puppet.com/resources/video/puppetize-live-sydney-beards-brownfields-and-deborkage/) shares how they use Puppet to enforce and report on compliance across their fleet of over 6,000 servers.
- Learn the value of continuous compliance.