Skip Ribbon Commands Skip to main content

IASE content is currently preparing to migrate to the DoD Cyber Exchange.
Please see for updates to PKI/E content until the DoD Cyber Exchange goes live.


DISA Risk Management Executive (RME)  developed a process whereby original product developers/vendors can write Security Technical Implementation Guides (STIGs) for their products. Vendor STIGs must be written against a published DoD Security Requirements Guide (SRG).

To initiate the process, a product vendor must fill out the Vendor STIG Intent Form available under Guidance Documents. The completed form is submitted to

A representative from the Risk Management Executive STIG team will follow-up with the vendor to initiate the process.

Technology specific SRGs reflect what a technology family SHOULD be capable of, in order to be secured. The STIG author (vendor) will assess the SRG controls against a product with one of four potential outcomes. 

Not Applicable - the feature does not exist in the product, and therefore cannot be exploited.

Applicable - configurable - may or may not meet requirement based on settings.

Applicable - inherently meets - not configurable, but meets the requirement by default. 

Applicable - does not meet - not configurable, and does not meet the requirement. 

Upon completion of the SRG spreadsheet, the data is transformed into a STIG. The STIG, once written, will reflect what a specific product CAN do, in a specific release and possible patch level. Published STIGs will only contain requirements that fall into the "applicable and configurable" category.

STIGs Related Links