Skip Ribbon Commands Skip to main content

IASE content is currently frozen in preparation for IASE's migration to the DoD Cyber Exchange.
Please see for recent updates to PKI/E content.

Frequently Asked Questions - FAQs

8500 IA Control Checklist

Where are 8500.2 Checklists?

"The DODI 8500.2 IA Implementation Policy" Checklist has been discontinued, and has been removed from the IASE web site.

The source of IA control information should now be obtained from the DoD DIACAP Knowledge service at (NIPR ONLY).

Application Security and Development STIG

Are all applications subject to the Application Security and Development STIG?

The most direct path to your answer appears in the DoD Directive 8500.1 as follows:

  • The directive applies to all applications: Section 2 (Ability and Scope) Paragraph 2.1.2: All DoD-owned, or controlled information systems that receive, process, store, display, or transmit DoD information, regardless of mission assurance category, classification or sensitivity ...
  • The directive also states as policy: Section 4 (Policy) paragraph 4.1: IA requirements will be identified and included in the design, acquisition, installation, operation, upgrade, or replacement of all DOD information systems ...

Section 4 (Policy) paragraph 4.13: All DoD information systems shall be certified and accredited in accordance with DoD instruction 5200.40 (reference (U)).

Section 4 (Policy) then goes on to address IA-enabled entities as a separate item.

Enclosure 2 (definitions) contains definitions for Application, DoD Information System, and other terms used in this document.

To summarize, DISA consensus has always been that the 8500.1 directive applies to all DoD compute assets, unless specifically exempted (such as weapons systems for war fighters).

The Application Security and Development STIG The second consideration is the Application Security and Development STIG itself. The Authority section does quote specifics surrounding AI-enabled applications, which are defined as having specific AI considerations and impacts. An argument could be made that the STIG text in the Authority section could be made more complete, with better alignment to the 8500.1 language. However, absence of text stating authority for other application developments should not be used to supersede or exempt any application development from being subject to the 8500.1 guidance. I have recommended this language update to the Authority paragraph for future releases of STIGs.

The Scope section of the Application Security and Development STIG does specifically go on to state that this guidance is a requirement for all DoD developed, architected, and administered applications and systems connected to DoD networks. Later in the same paragraph it does specifically call out custom developed systems. It is the Scope paragraph that makes the connection back to the 8500.1 language.

I hope this helps you in your justification and position that all DoD application are subject to AI guidance as they are developed or acquired.


Will DISA be releasing an SCAP benchmark for Debian?

Although the SCC tool does support Debian SCAP benchmarks DISA will not be releasing a benchmark for Debian.

FTP and Telnet

Where are FTP and TELNET checks?

FTP and Telnet have been moved to the OS STIGs. If you are using FTP and Telnet on a UNIX/Linux Server, they are now covered under the UNIX STIG. If you are using FTP and Telnet on a Windows Operating System, they are now covered under the Windows STIGs. Also refer to the Enclave Security STIG section on "FTP and Telnet for detailed information on its use.


Microsoft has produced a security guide for Hyper-V, the links are provided below. However, due to funding constraints, this is listed on the unfunded STIG development list. When a STIG does not exist, organizations may use a vendor developed guide to use to configure their systems. Organizations using the Hyper-V software need to also review the appropriate Windows Server STIG when setting up their Hyper-V system.

For Server 2012:

For server 2016:​


What is status of IIS 7.5 Guidance?

The IIS7 STIG should be used for IIS 7.5 - Link

iPad / iPhone

Where is the iPad and iPhone STIG?

The current Apple iOS STIG can be found on the IASE web site at Link.

Microsoft SQL Server 2008

Is there currently a STIG for Windows SQL 2008?

The SQL Server 2005 STIG should be used for SQL Server 2008.

The SQL 2005 STIG can be found at the following location on IASE:

The SQL Server 2012 STIG should be used for SQL Server 2008 R2.

The SQL 2012 STIG can be found at the following location on IASE:


What STIG should be use for MySQL ?

The MySQL STIG is currently under development with the vendor and does not have a release date. The Database SRG should be used until the STIG is released.


Where can I find STIGs on Android, Windows Phone 8, BlackBerry 10, and other smartphones and tablets?

STIGs for these devices, when available, can be found at Link. If a STIG is not listed, it may be under development.


May I deploy a product if no STIG exists?

Yes, based on mission need and with DAA approval.


What do I use if there is no STIG?

Determine if a STIG has been published for an earlier version of the same product. Many checks and fixes in earlier versions of STIGs can be applied to the new version of the product. If a STIG for an older version of the product is available, review the check and fix procedures to determine which of these work with the new product version. Where possible, use the checks and fixes that work directly with the new version. The remainder of checks and fixes that no longer work with the new product version will need to be evaluated and proper check and fix procedures will need to be determined for each requirement. New product features and configuration settings must also be accounted for based on the relevant SRG.

If there is no related STIG, the most relevant SRG can be used to determine compliance with DoD policies. If assistance is needed in determining which SRG applies to the product, please open a ticket with the STIG Customer Support Helpdesk at

In fulfilling a requirement, be it from an SRG or an earlier version of a STIG, vendor documentation may be followed for configuration guidance.


Does DISA  certify products for use in the DoD?

No. DISA certifies Information Systems for use in DISA. DISA not does certify products for DoD use. SRGs/STIGs are designed to assist in implementing the secure deployment of products.

STIG Style sheet

Where are other style sheet choices?

There is a style sheet package located on IASE. If one of those does not satisfy your needs submit a request to the DISA support desk. Your request will be submitted for consideration as an addition style sheet choice.


Will there be other style sheet choices?

There is a style sheet package located on IASE. If one of those does not satisfy your needs submit a request to the DISA support desk. Your request will be submitted for consideration as an addition style sheet choice.


Where can I find STIGs for tablets?

If the tablet is using Windows 7 or Windows 8, use the STIG for those operating systems. Windows STIGs can be found at Link. Windows RT devices are not authorized to connect to DoD networks or process DoD data. STIGs for iOS or Android tablets can be found at Link

Unified Capabilities Approved Product List:

How do I get a product added to the UC APL?

The DSAWG provides the IA approval for a product to be added to the UC APL. JITC provides the interoperability approval for the product. Both approvals are needed for a product to be added to the UC APL.

The APL site is (NIPR ONLY)


VMWare ESXi and VSphere

Does the current VMWare ESXi guidance work for the newer release? Is newer VMWare ESXi Vsphere guidance available, and when will it be available?

VMWare ESX3 - Use the ESX Server STIG/Checklist located at this link.

VMWare ESX4 - DISA will not be releasing a STIG for ESX4. The ESX 3 STIG and the ESXi 5 Server STIGs can be used in conjunction to enhance security on ESX4 systems.

VMWare ESX5 - Use the ESXi 5 Server STIGs located at this link.

Windows 2008 R2 OS

Will there be a Microsoft Server 2008 R2 STIG?

The Windows Server 2008 R2 STIG has been released and is available on IASE at Link.

XCCDF STIGs - How to Open

How do I open XCCDF STIGs?

Save the STIG zip file package to your local PC drive and extract it to a folder. Extract the files from the zip package that ends with MANUAL_STIG into a new folder. Open the folder with the extracted files, locate and open the .xml file using a web browser. For requestors who want PDF interactive checkboxes, etc.

PDF formats have been an interim step for STIG publication, and are being phased out. There is currently no plan to develop updatable PDF formats for STIGs. The future format for STIG publication is XCCDF output. The conversion process has begun for XCCDF, to enable STIG consumption by tools where both compliance and configuration remediation can be automated with the addition of OVAL code. Several operating system STIGs appear on the IASE web site today in the XCCDF format.

The XCCDF format of STIG is made human readable by using a style sheet, which will be bundled with each STIG. It is not in our current plan to create interactive checkbox functionality for XCCDF format STIGs.


How to load .XCCDF file into Excel and store STIG in .xlsx spreadsheet format?


    1. Invoke Microsoft Excel
    2. Click "Disable Macros" if prompted
    3. Within Excel menu bar select: File-->Open-->Name of XML XCCDF file you wish to load into Excel
    4. Open .xml file (XCCDF file)
    5. A set of radio buttons will appear.
    6. a. Click the 2nd button (open the file with the following stylesheet applied). The name of the style sheet should appear.                                                                                                                                                        b. Then Click OK
    7. Wait a few seconds for the transformation to be applied. You may get the following error message but you can ignore it by typing “yes”.                                                                                                                              "The file you are trying to open “name of file”, is in a different format than specified by the file extension. Verify that the file is not corrupted and is from a trusted source before opening the file. Do you want to open the file now? ”Click “YES”                                                                                                                        
    8. To store the file as an Excel .xlsx document:                                                                                                  a) From the menu bar, click "File", then "Save as"
    9. At the bottom of the page, save file as type:                                                                                                   a) Excel Workbook
    10. Transformation/STIG should now be stored as an .xlsx Word document.

    XCCDF STIGs - MS Word

    How to load .xml XCCDF file into Microsoft Word and store as a .doc file?


    1. Invoke Microsoft Word
    2. Within Word menu bar select: File Open Provide name of the .XML file you wish to load into Word
    3. Open .XML file (.XCCDF file)
    4. A box comes up asking whether you want to install an XML expansion pack.
      a) Click the "NO" box
    5. On the right side of the screen there is an XML data view box.
      a) Double click: STIG_unclass.xsl or STIG_fouo.xsl depending on which name comes up
      [in the case of Windows Office 2007 you may not need to double-click at all]
      Wait a few seconds for the XSL transformation to complete. The STIG/Checklist should appear on the screen similar to how it would appear in the Internet Explorer or Firefox browser.
    6. To store the file as a Word document:
      a) From the menu bar, click File, then Save As
    7. At the bottom of the page, save file as type:
      a) Word 2007 document
    8. The stylized STIG should now be stored as a Word document (extension .doc).

    Sunset STIGs/SRGs

    Why are certain STIGs and SRGs designated "Sunset" and what does that mean to me?

    Sunset products are older SRGs, STIGs, Checklists, or Tools (i.e., DISA Products) that MAY be relevant to the vendor products they address, but are no longer supported by DISA for various reasons. The most common reason for this lack of DISA support is that the vendor product is outdated, superseded by a newer vendor product, or may be vendor non-support.

    The lack of DISA support means that there is no active maintenance of the DISA product, thus no updates of the product will be published. Lack of DISA maintenance means that any new vulnerability in the vendor's product WILL NOT be captured for mitigation, thus the DISA product either is, or will quickly become, out of date. Since DISA is no longer maintaining a given product, a SME responsible for, and knowledgeable about, the product may not be available, thus customer support questions will most likely not be answerable.


    What does *PKI = DoD PKI Certificate Required mean?

    It means that access to the file or directory is restricted only to holders of a DoD PKI certificate, commonly embedded within DoD Common Access Cards (CAC). PKI access means that there are no approval lists to join and no other certificates are accepted.

    If PKI-restricted content is required for a contractor without a CAC, the content wil have to be supplied through their DoD sponsor.

    * PKI is defined as the infrastructure consisting of systems, software, tokens, public and private keys, and processes which provide the using community with identification, confidentiality, integrity, and non-repudiation.


    Where can I get information concerning the Risk Management Framework?

    For information concerning the Risk Management Framework, please see RMF Knowledge Service Web site at

    SCAP 1.2 - Accounting for Missing Files

    Why are files missing from the benchmarks in the SCAP 1.2 format?

    SCAP 1.2 benchmarks are published using the data stream XML format. The traditional XCCDF, OVAL, CPE-OVAL, and CPE-Dictionary components of a DISA Benchmark are bundled together as a single data stream file, which is then ZIPped for delivery. The data stream format adds the capability to sign SCAP content, which may be utilized in future releases of DISA Benchmarks.

    STIGs Related Links