DISA discusses new STIG process

The recent approval of the Samsung Knox to be used on Defense Department networks reflected a paradigm shift in the Defense Information Systems Agency’s business processes, the agency said Friday.

Knox received Security Technical Implementation Guide (STIG) approval even before it was commercially released, allowing DISA to get the device into the hands of DOD personnel as soon as it became available.

Previously, new technologies would enter the marketplace and the department would have to wait until DISA could develop a STIG, outlining the required technical controls and settings, before introducing and integrating them into the enterprise.

With technology turning over every six to nine months, the department was continually behind.

“The Knox Android STIG was a highly successful effort demonstrating how industry and DOD can work together to create rigorous security guidance quickly, enabling DOD to benefit from new technology as soon as it is commercially available,” said Terry Sherald, chief of the information assurance standards branch and the architect behind developing and fostering the new process.

This new paradigm came about because Sherald’s team created a new process that enabled vendors to develop their own STIGs based on DOD Security Requirements Guides and submit full documentation to DISA for final validation.

While this new process is established for mobile devices, Sherald and her team plan to expand the effort to other technology areas as well, DISA said.

“For the mobility world, a new process was critical,” she said. “The market moves too fast, and this was the only way to meet the mobility needs. We knew that if we could partner with vendors from the start, in their development cycle, and provide them with our Security Requirements Guides, we could get out in front of the market and deliver leading-edge capabilities to the department as soon as the technologies are commercially available.”

According to DISA, the agency worked with Samsung and its partners to produce the STIG, maintaining constant communication that enabled Samsung developers to change the Knox code more rapidly to meet DOD requirements.

DISA plans to share general lessons learned from this effort to assist subsequent vendors writing STIGs, the agency said.