How to create STIG reports with Nipper
Security Technical Implementation Guides (STIGs) are configuration standards developed by the Defense Information Systems Agency (DISA). They are designed to make device hardware and software as secure as possible, safeguarding the Department of Defense (DoD) IT networks and systems.
Compliance with STIGs is a requirement for DoD agencies and for any organization that is part of the DoD Information Network (DoDIN). This includes defence contractors that connect to a DoD network or system.
Note: The STIG reports are available as part of the Nipper Compliance suite of reports. For more information, contact your Solutions Advisor, or sales@titania.com.
The STIG reports provide a risk-prioritized, evidentiary Pass/Fail assessment against both device-specific and generic NDM, RTR, VPN, IDPS, Firewall and L2S STIGs (where applicable). Findings within the report use the STIG risk-based categorization of CAT I, CAT II and CAT III and are sorted by severity, allowing you to focus on the most critical vulnerabilities first.
Creating the STIG Report
- To begin, go to File, New Report.
- Add one or more devices to the audit using the Config File, Config Dir, Remote Device or Remote List methods.
- On the Reporting Options screen, select the DISA STIG Compliance report check box. If this is not available, your active license does not support the STIG compliance feature.
- On the Report Comparison screen, if you wish to perform a comparison with a previously generated report, select that report here.
- Begin the report generation by pressing the Next button.
- After a short time generating, your report is available.
Viewing the STIG report
The STIG report will be displayed in HTML format by default, within the Nipper report Browser. From here, you can scroll through the report, navigate to key sections via the navigation window shown to the right of the screen and search for key text or phrases within the report. You also have the option to save the report in several formats.
STIG Report settings
Within Nipper, there are report-specific settings allowing you to tailor reports to your requirements.
- From the Nipper Home Screen, select Settings.
- On the Settings screen, choose Reports.
- From the Reports screen options, select DISA STIG Compliance.
You will be presented with several configuration options for your STIG reports:
Audit
- Automatically Select Benchmarks. Benchmarks selected for auditing a device are unique to that device and its configuration. By selecting this option, Nipper will automatically use the benchmarks configured for the selected device from within the site’s settings.
- Default Profile sets the default benchmark profile to be used for the audits.
- Report Devices That Could Not Be Audited raises a CAT I finding, requiring investigation, for any device that could not be audited.
- Interactive Auditing causes prompts to appear for any compliance checks that could not be automated. Note that the core interactive audit setting overrides any preference set here.
- Add Device Configuration When Asking Interactive Questions will add the device configuration to the interactive question that asks about a specific device.
- Compact Interactive Mode will prompt Nipper to show all questions for a specific benchmark at the same time, in a compact list.
- DoD or DoD Approved CA (Certificate Authority) allows you to enter host addresses that are DoD or DoD Approved CAs.
- Deny MSDP (Multicast Source Discovery Protocol) Peer Sources allows you to enter any addresses here that should be blocked in multicast MSDP peer sources.
- Deny MSDP Peer Destinations allows you to enter addresses that should be blocked in multicast MSDP peer destinations.
Reporting
- Order Findings By lets you define the order in which you want the findings shown.
- Include CCI References will include CCI references within the STIG report.
- Summarize Each Benchmark shows a summary of the findings for each benchmark before the detailed findings for that benchmark are displayed.
- Include Rule ID will include the rule ID within the summary table.
- Include CCI (ident) will include the CCI within the summary table.
Heatmaps
- Include Heatmap In Summary will include a ratings heatmap within the report summary section.
- Include Heatmap Section includes a section for a heatmap within the report.
- Include Passed / NA Findings in the Heatmap will include any passes or N/A results within the heatmap.
- Heatmap Table Title allows you to specify a name for the heatmap to be shown in the report.
- Horizontal Heatmap Rating System allows you to specify which rating system to use as the default for the horizontal axis of the heatmap.
- Heatmap Horizontal Axis allows you to specify which rating data should be used for the horizontal axis.
- Vertical Heatmap Rating System allows you to specify which rating system to use as the default for the vertical axis of the heatmap.
- Heatmap Vertical Axis allows you to specify which rating data should be used for the vertical axis.