1. What are STIGs?
   - Configuration standards for DoD IA and IA-enabled devices.
   - Contain technical guidance to "lock down" information systems/software that might otherwise be vulnerable to attack
   - All of these define STIGs
   - Minimally acceptable configuration standards for systems that store, process or transmit DoD information

2. Who develops STIGs?
   - NIST
   - DISA
   - Vendors
   - DoD CIO

3. Roughly how often are STIGs updated?
   - Annually
   - Monthly
   - Weekly
   - Quarterly

4. Where are STIGs published to/downloaded from?
   - nvd.gov
   - nist.gov/stigs
   - iase.disa.mil
   - checklists.mil

5. Which STIGs require a CAC to download?
   - Enclave & DMZ, General Purpose Operating System, Wireless
   - JIE Network, Apache, Wireless
   - Backbone Transport, General Purpose Operating System, Apache
   - Backbone Transport, Enclave & DMZs, JIE Network

6. What are sunset products?
   - STIGs for older products that are no longer supported by DISA
   - STIGs that are currently supported by DISA
   - None of the above
   - STIGs that are unavailable for older products

7. What authoritative documents dictate that DoD organizations use security technical implementation guidance?
   - DoDI 8510.01 and NIST SP 800-53
   - NIST SP 800-53 and NIST SP 800-37
   - DoDI 8500.01 and NIST SP 800-53
   - DoDI 8500.01 and DoDI 8510.01

8. What is XCCDF?
   - Extensible Configuration Checklist Description Format
   - Extendable Configuration Checklist Description Format
   - Extensible Checklist Configuration Description Format

9. What is a CAT 1 finding?
   - Allows primary security protections to be bypassed, allowing immediate access by unauthorized personnel or unauthorized assumption of super-user privileges
   - Recommendations that will improve IA posture but are not required for an authorization to operate
   - Findings that have the potential to lead to unauthorized system access or activity

10. Which software tool generates a manual review checklist?
   - eMASS
   - SCAP Compliance Checker
   - ACAS
   - STIG Viewer

11. What is the definition of 'Not Applicable'?
   - Configurable, may or may not meet requirements based on settings
   - Inherently meets, not configurable, but meets the requirement by default
   - The feature does not exist in the product and therefore cannot be exploited
   - Does not meet, not configurable and does not meet the requirement

12. Other than STIG Viewer, how can you view the STIG file?
   - You can't. It can only be viewed in STIG Viewer.
   - Open the .pdf file in Adobe Reader
   - Open the .xml file in a browser
   - Open the .doc file in Word

13. What is SCAP in terms of SCC?
   - Security Certification and Authorization Package
   - Security Certification and Authorization Process
   - Security Content Automation Protocol
   - Specialty Coffee Association of Panama

14. Does SCC scan for all configuration settings?
   - Yes
   - No
   - Depends on the benchmark used

15. Which requires a CAC to download?
   - STIG Viewer
   - SCC benchmark content
   - Operating System STIG content
   - SCC install files