Comment on Security Technical Implementation Guides (STIGs) – DoD Cyber Exchange

<- View Parent
redfox@infosec.pub ⁨9⁩ ⁨months⁩ ago

I hear what you’re saying, you’re not wrong.

I would argue that the technical implementations, the ones that are about a quantified or Boolean evaluation, that’s not the case.

Sure, STIGs can be open to interpretation like any benchmark or compliance standard and are open to the reviewers personal discretion or trends in the industry.

I wouldn’t suggest that stigs are more relevant than CIS, since it’s mostly only used by federal government, but it is something to be aware of and a skill set that’s in demand.

I wouldn’t say cis, or stigs, aren’t a security practice by themselves. Security practices come from implementing good policies and evaluation, and I would suggest that the new cybersecurity framework 2.0 would help inform good security practices.

Have you never found ambiguous standards anywhere else?

source
Sort:hotnewtop