
Background & Definitions

Aaron Lippold


Background

Evolution of STIGs and Security Benchmarks

The Department of Defense (DOD) has repeatedly changed the databases that track security rules and the Security Technical Implementation Guides (STIGs) that contain those rules.

Initially, the system was known as the Vulnerability Management System (VMS).

In the STIGs, you might come across data elements that are remnants of these earlier systems. These include Group Title (gid or gtitle), Vulnerability ID (VulnID), Rule ID (rule_id), STIG ID (stig_id), and others.

A significant change was the shift from the STIG ID to the Rule ID as the primary key in many security scanning tools. The change stems from the fact that VMS used the STIG ID as the primary index for the requirements in each Benchmark.

However, when DISA updated the Vendor STIG Processes and replaced VMS, it migrated the primary ID from the STIG ID to the Rule ID, since the Rule ID tracks changes to a Rule.

Tools that still use the STIG ID, fully or in part, rather than the Rule ID as their primary index include the DISA STIG Viewer, Nessus audit scans, and the OpenSCAP client.

While these elements might seem confusing, understanding their historical context is essential.

In our modern profiles, some data from the XCCDF Benchmarks still exists in the Benchmark document but is neither used nor rendered in the InSpec profile. In some of the older profiles, however, you may see many of these data elements as tags in the profile. The intention was to allow easy and lossless conversion between an XCCDF Benchmark and an HDF profile.

It was later realized that since the structure of these data elements was 'static', they could be easily reintroduced when converting back to an XCCDF Benchmark. Therefore, rendering them in the profile was deemed unnecessary.
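The following is an added example, not code from the MITRE SAF project or from this page, showing the data elements discussed above in practice: it parses a constructed XCCDF fragment (placeholder identifiers only, no real STIG content), indexes the rules by either the STIG ID or the Rule ID so the two tool conventions can be compared, and renders the older-profile style of InSpec control in which these elements appear as tags. It assumes Ruby's bundled REXML library and omits the XCCDF namespace declaration to keep the XPath expressions simple.

```ruby
require 'rexml/document'

# Constructed XCCDF Benchmark fragment: two Groups, each carrying one Rule.
# Identifier values are placeholders shaped like DISA's (V-/SV- prefixes,
# "_rule" suffix, STIG ID in <version>), not real STIG data.
SAMPLE_XCCDF = <<~XML
  <Benchmark id="EXAMPLE_Benchmark">
    <Group id="V-000001">
      <title>SRG-OS-000001-GPOS-00001</title>
      <Rule id="SV-000001r1_rule" severity="medium">
        <version>EXAMPLE-01-000001</version>
        <title>First example requirement</title>
      </Rule>
    </Group>
    <Group id="V-000002">
      <title>SRG-OS-000002-GPOS-00002</title>
      <Rule id="SV-000002r3_rule" severity="high">
        <version>EXAMPLE-01-000002</version>
        <title>Second example requirement</title>
      </Rule>
    </Group>
  </Benchmark>
XML

# Severity to InSpec impact mapping used by this example (assumption).
IMPACT = { 'low' => 0.3, 'medium' => 0.5, 'high' => 0.7 }.freeze

# Pull the legacy data elements out of each Rule in the Benchmark.
def extract_elements(xml)
  doc = REXML::Document.new(xml)
  rules = []
  doc.elements.each('Benchmark/Group') do |group|
    group.elements.each('Rule') do |rule|
      rules << {
        gid:      group.attributes['id'],
        gtitle:   group.elements['title'].text,
        rule_id:  rule.attributes['id'],
        stig_id:  rule.elements['version'].text,
        severity: rule.attributes['severity'],
        title:    rule.elements['title'].text
      }
    end
  end
  rules
end

# Index the rules by whichever element a tool treats as primary: :rule_id
# for the post-VMS DISA process, :stig_id for tools that kept the older key.
def index_by(rules, key)
  raise ArgumentError, 'key must be :rule_id or :stig_id' unless %i[rule_id stig_id].include?(key)

  rules.each_with_object({}) do |rule, idx|
    raise "duplicate #{key}: #{rule[key]}" if idx.key?(rule[key])

    idx[rule[key]] = rule
  end
end

# Rule IDs carry a revision suffix (e.g. "r3") that changes when the rule
# changes, so a tool indexed on rule_id sees a revised rule as a new key while
# a tool indexed on stig_id keeps matching it. Strip the suffix to compare.
def rule_id_base(rule_id)
  rule_id.sub(/r\d+_rule\z/, '')
end

# Render an older-profile style InSpec control in which the XCCDF elements
# appear as tags, so the Benchmark record can be rebuilt from the control.
# Naming the control after the Group ID is this example's choice, not a rule.
def render_inspec_control(rule)
  <<~RUBY
    control '#{rule[:gid]}' do
      title '#{rule[:title]}'
      impact #{IMPACT.fetch(rule[:severity])}
      tag gid: '#{rule[:gid]}'
      tag gtitle: '#{rule[:gtitle]}'
      tag rule_id: '#{rule[:rule_id]}'
      tag stig_id: '#{rule[:stig_id]}'
      tag severity: '#{rule[:severity]}'
    end
  RUBY
end

if __FILE__ == $PROGRAM_NAME
  rules = extract_elements(SAMPLE_XCCDF)
  puts index_by(rules, :stig_id).keys.inspect
  puts index_by(rules, :rule_id).keys.inspect
  puts render_inspec_control(rules.first)
end
```

Running the file prints the two key sets side by side and the rendered control for the first rule; the `rule_id_base` helper is what you would use to match a rule across revisions when one side of a comparison is keyed on the Rule ID and the other on the STIG ID.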