Here is the honest situation. DISA Security Technical Implementation Guides are the configuration hardening standards for systems on and connected to government networks, released and updated on a quarterly cycle and categorised CAT I to CAT III by severity. Running a real STIG program means mapping assets to the right STIGs, building hardened baselines, applying and controlling the settings, scanning with SCAP-validated tools and the STIG Viewer, tracking findings through a POA&M, and sustaining compliance against configuration drift and new releases. Doing that and evidencing it is real work, and a system hardened once and left to drift, or with open CAT I findings, is exactly where systems fall short.
This Kit removes the guesswork. It is every step of a STIG program written as an adopt-ready control you personalize in a weekend, with the evidence an assessor examines.
What you get, the moment you buy
Grounded in the DISA STIG compliance process, with the applicable STIGs and SRGs, the severity categories, hardened baselines, SCAP and STIG Viewer assessment, the POA&M and continuous compliance called out. Editable Word and Excel files.
What one control looks like
This is establishing the STIG program and its scope, where hardening begins. All 18 are built to this depth.
Why this is not another template pack
- The evidence is the point. A setting you cannot evidence is an open finding. This tells you what an assessor examines and where systems fall short, for every step.
- Scanning, POA&M and drift control built in. The SCAP scanning, the POA&M finding management and the drift control are written into the controls, the substance of a real STIG program.
- Built on a mapped compliance corpus, not one person's opinion, from a graph of thousands of controls across standards.
- It compounds. STIG results feed the RMF authorization and align with the NIST 800-53 controls, so this work feeds your wider security and authorization program.
Who buys this
Teams hardening systems to DISA STIGs for government or defence work, system administrators, security engineers and ISSMs, and the consultants who support them. Whether it is a first STIG program or an authorization push, you save weeks and walk in with the baselines, scanning and POA&M structured.
Common questions
Is it really editable? Yes. Word and Excel files you own and adapt. No portal, no subscription.
Does it cover SCAP scanning? Yes. Assessing systems with SCAP-validated tools and the DISA benchmarks, plus manual STIG Viewer review, are built as controls.
Does it cover the POA&M? Yes. Recording findings and managing them to closure through a plan of action and milestones is built as a control.
Does it help with authorization? Yes. Integrating STIG results and the POA&M into the authorization and risk process is a control.
What if it is not for me? A 30-day money-back guarantee.
Instant digital download · 30-day money-back guarantee · The Art of Service Pty Ltd, GPO Box 2673, Brisbane QLD 4001 · support@theartofservice.com