Government facilities process critical, and sometimes classified, information, which requires strict adherence to security controls and practices. Navigating the various government instructions, directives, and manuals — and confirming that security measures are sufficient to comply with them — can seem complex at first. This course covers how to find the applicable policies and guidelines, assess existing controls, and recommend changes for physical, environmental, and host-device security in a military facility. Major topics include:
- Laws, regulations, and requirements for military facilities
- Assessing physical security and environmental controls
- Checking network devices for compliance and remediating discovered vulnerabilities By the end of this course, you should be able to locate the specific requirements that apply to a given facility and assess that facility for compliance. Familiarity with fundamental security engineering concepts is assumed.
Course Scenario
A military facility that processes classified information has become aware of increasing potential adversary threats to its computer networks. You have been hired as a consultant to evaluate the facility’s network, host, and physical security controls, and to provide recommendations that improve security and prevent a compromise of classified information. Your job is to:
- Identify the regulations, requirements, and security guidelines that apply to DoD facilities.
- Evaluate the facility’s existing security controls against those requirements.
- Recommend improvements. The facility processes information classified up to the Secret level, but only in certain spaces — not throughout the entire building.
Note on scope: All resources, demonstrations, tools, and screen content used in this course are unclassified and accessible over the public internet. No special access or knowledge gained through DoD employment is used in this material.
Table of Contents
- Module 1: DoD Policy Framework and Required Controls for Government Facilities
- Government Facility Types and Information Classification
- The DoD Issuance Hierarchy: Publications, Directives, Instructions, and Manuals
- Demo: Navigating DoD Issuances to Find Facility Requirements
- Risk Management Framework (RMF)
- Command Cyber Readiness Inspections and Security Technical Implementation Guides
- Cybersecurity Workforce Framework (CSWF)
- Demo: Using STIG Viewer to Review Physical and Environmental Security Controls
- Module 2: Assessing Physical Security and Implementing Controls
- Threat Categories Facing Military Facilities
- Layered Physical Security Controls
- Demo: Designing Physical Security for a Facility Floor Plan
- Utility and Environmental Control Threats and Mitigations
- Demo: Assessing Utility and Environmental Controls in a Server Room
- Building Management Systems: Benefits and Security Considerations
- Module 3: Assessing Devices and Implementing Required Controls
- Summary
Module 1: DoD Policy Framework and Required Controls for Government Facilities
This module discusses the specific requirements and considerations for securing government facilities, with a particular focus on military installations. It starts by looking at the resources available for determining what controls are required for a government facility. Required controls are typically strict, with clear guidelines and, in most cases, a routine inspection to enforce compliance. It also covers example controls for a military base facility and the systems connected to military networks — an overview of the different types of governing documents, their purpose, where to find them, and how to determine what applies to a specific facility or network.
Government Facility Types and Information Classification
Government facilities span a range of missions, and each has its own set of security control requirements based on the department within the US Government it belongs to, the information it processes, and the unique threats to that institution.
| Facility Type | Example Information Processed | Notes |
|---|---|---|
| Military facility | Unclassified through Secret and Top Secret | Focus of this course; controls scale with the classification level processed in a given space |
| Embassy | Classified diplomatic information | Requires its own distinct set of security controls |
| Courthouse | Case file records | Controls protect legal records rather than national-security classified data |
| National laboratory | Classified research data | Requirements vary depending on the type of research conducted at the facility |
flowchart TD
A[Government Facility] --> B[Military Facility]
A --> C[Embassy]
A --> D[Courthouse]
A --> E[National Laboratory]
B --> B1[Unclassified -> Secret -> Top Secret]
C --> C1[Classified diplomatic information]
D --> D1[Case file records]
E --> E1[Classified research data, varies by program]
The DoD Issuance Hierarchy: Publications, Directives, Instructions, and Manuals
Determining the requirements for securing information on military networks and the facilities themselves can be difficult at first. Searching for guidance tends to surface multiple overlapping documents outlining different positions and responsibilities. Understanding the hierarchy of DoD issuances makes it much easier to navigate to the information you actually need.
There are four main groups of documents, and — true to how the Department of Defense operates — each is explicitly labeled as one of these types:
| Issuance Type | Purpose | Level of Detail | Example |
|---|---|---|---|
| Publication | Provides guidelines, technical specifications, recommendations, and reference material | Reference-level; may originate outside the DoD | NIST Special Publication 800-53 — a catalog of security and privacy controls for all US federal systems (issued by NIST, not DoD-specific, but referenced throughout DoD directives, instructions, and manuals) |
| Directive | States high-level policy or requirements that apply DoD-wide | Brief compared to instructions/manuals | A directive requiring DoD components to have a Chief Information Officer or Senior Information Resources Management Official |
| Instruction | Contains more specific policy and assigns responsibilities to entities within a DoD organization | Applies DoD-wide, but responsibilities are assigned to senior positions | DoD Instruction 8500.01, Cybersecurity |
| Manual | Contains detailed procedures, specifications, or requirements, typically tailored to a particular process | Most granular; responsibilities can extend down to specific operational roles | DoD Manual 5200.01 (classification/declassification) and 5200.08 (physical security) |
flowchart TD
P["Publications<br/>Guidelines, technical specs, references<br/>e.g. NIST SP 800-53"] --> D
D["Directives<br/>Brief, high-level, DoD-wide policy"] --> I
I["Instructions<br/>Specific policy + assigned responsibilities<br/>e.g. DoDI 8500.01 Cybersecurity"] --> M
M["Manuals<br/>Detailed procedures & requirements<br/>e.g. DoD Manual 5200.01 / 5200.08"]
DoD Instruction 8500.01 — Cybersecurity is a useful example of an instruction. It outlines cybersecurity-related roles and responsibilities across the DoD organization, ranging from the DoD CIO, to the Director of the Defense Information Systems Agency (DISA), down to the Commander of US Cyber Command. It defines DoD policy for required functions such as risk management, interoperability, and cyber defense, and it establishes high-level procedures for each of those functions.
DoD Manuals 5200.01 and 5200.08 (each with multiple volumes) go into much greater detail than an instruction. They cover:
- Procedures for classification and information marking
- The physical security program
- Protection of classified information
- Access controls for installations and facilities
Demo: Navigating DoD Issuances to Find Facility Requirements
This walkthrough shows how to navigate DoD policy resources to find the specific requirements for a facility, based on the information that facility needs to protect.
Step-by-step process:
- Start at the DoD Issuances resource. The DoD Directives Division pages within the Washington Headquarters Services website host DoD directives, instructions, and manuals used when engineering security solutions. These are largely high-level guidelines, but they establish the general policies and procedures that systems must follow to remain compliant.
- Open the DoD Issuances menu. This exposes a drop-down of the different issuance types available: directives, instructions, publications, and manuals.
- Choose the issuance type based on your scenario. In the course scenario — protecting a military facility that processes classified information up to the Secret level — DoD manuals are the most useful issuance type, since they contain the operational detail needed to implement and assess controls.
- Browse the 5200 series of manuals. Scrolling to the 5200 section of the manuals list surfaces several directly relevant policies:
- Information Security Program volumes
- Physical Security Program
- Specific requirements for DoD installation access
- Select the most relevant manual for the scenario. Since the facility protects classified information, DoD Manual 5200.01, Volume 3 is the most directly applicable; DoD Manual 5200.08 (physical security) is also relevant. Reviewing 5200.01 Volume 3’s table of contents first helps confirm relevance before reading in depth.
- Review the manual’s enclosures:
- Enclosure 2 — required safeguards for classified information that apply to all DoD organizations, including access to classified information, security checks, equipment, and use of secured communications.
- Enclosure 3 — storage and destruction procedures; highly relevant to a physical security assessment.
- Enclosure 4 — transmission and transportation requirements.
- Enclosures 5 and 6 — security education/training requirements and incident handling involving classified information.
- Drill into Enclosure 3 for physical security specifics. This enclosure gets very specific, defining requirements such as:
- Lock specifications
- Approved security containers for classified information
- Inspection frequency and clearance requirements for the inspectors themselves
- Requirement for an intrusion detection system with a defined response interval
A facility already in operation likely already meets many of these requirements, but an assessor still needs to confirm that the appropriate procedures are followed and that storage/transmission safeguards remain in place — these requirements form the checklist basis for the physical security assessment covered later in the course.
Risk Management Framework (RMF)
In addition to directives, instructions, and manuals, the US military maintains frameworks and protocols that provide additional security guidance.
DoDI 8510.01: Risk Management Framework (RMF) is a process for DoD systems, developed in accordance with the existing NIST RMF. It defines a repeatable cycle for managing risk across a system’s lifecycle:
flowchart LR
A[Prepare] --> B[Categorize]
B --> C[Select]
C --> D[Implement]
D --> E[Assess]
E --> F[Authorize]
F --> G[Monitor]
G -.continuous monitoring feeds back into.-> A
| RMF Step | Purpose |
|---|---|
| Prepare | Establish context and priorities for managing security and privacy risk |
| Categorize | Categorize the system based on the information it handles and the impact of a loss of confidentiality, integrity, or availability |
| Select | Select the controls needed to reduce risk to an acceptable level |
| Implement | Implement the selected controls |
| Assess | Assess whether the implemented controls are working as intended |
| Authorize | Authorize the system for operation based on the residual risk |
| Monitor | Continuously monitor the system’s security posture while it remains in operation |
Each step involves multiple tasks, outcomes, and assigned responsibilities that must be completed for the program to be implemented successfully.
Command Cyber Readiness Inspections and Security Technical Implementation Guides
To check for, and enforce, compliance on DoD networks, the DoD uses the Command Cyber Readiness Inspection (CCRI) — an inspection protocol that measures compliance with DoD standards. Inspectors check both cybersecurity and physical security measures for compliance.
In support of CCRIs, DoD networks are subject to Security Technical Implementation Guides (STIGs) — specific requirements, checks, and expected outcomes that a system is measured against. STIGs let inspectors identify deficiencies and vulnerabilities and score a network against a standard. If a command fails an inspection, it is required to remediate findings until it achieves a sufficient score within a set time window.
flowchart TD
A[STIG requirements published] --> B[System/facility scanned or inspected]
B --> C{Compliant with STIG checks?}
C -->|Yes| D[Pass CCRI]
C -->|No| E[Findings scored by severity]
E --> F[Remediate within required time window]
F --> B
Cybersecurity Workforce Framework (CSWF)
The Cybersecurity Workforce Framework (CSWF) defines categories, specialty areas, and specific roles within the DoD cybersecurity workforce. Each role carries a common set of duties that apply consistently across the DoD, enabling:
- Uniform identification, tracking, and reporting of the cybersecurity workforce
- Enforcement of specific training and certification standards per role
- Overall workforce management and planning for the DoD cybersecurity mission
Demo: Using STIG Viewer to Review Physical and Environmental Security Controls
STIGs are specific requirements and controls implemented on a network or facility. Each STIG entry documents its purpose, the required control, a check procedure, and the expected outcome if the control is properly in place. Because STIGs can be dense, this demo uses the STIG Viewer tool (version 2.17) to browse them.
Where to get the tools (all links are unclassified and publicly available):
| Resource | URL |
|---|---|
| STIG Viewer (v2.17 used in this course) | https://public.cyber.mil/stigs/srg-stig-tools/ |
| STIG/SRG Library (compilation loaded into STIG Viewer) | https://public.cyber.mil/stigs/compilations/ |
Step-by-step process:
- Install STIG Viewer (installation is straightforward and not covered in detail).
- In STIG Viewer, go to File > Import, then choose a library to import. You can import the entire STIG/SRG library, or a specific library scoped to the technology you support.
- For this demo, open the physical security checklist, which falls under the traditional security category.
- Check the box next to the checklist to load its vulnerabilities into the central console. This particular checklist contains 145 separate rules.
- Open the first rule to see the general shape of a STIG entry:
- Identifying information, category, and classification (shown in the heading)
- An official title
- References
- Check Text — the specific procedure used to verify compliance
- Fix Text — the options available to bring the site into compliance
- STIG controls span multiple categories, including environmental controls. For example, Vulnerability ID 245744 requires an emergency power shut-off capability within the IT area and near the main entrance, properly labeled and covered to prevent accidental shut-off.
Using STIGs in this way lets an assessor confirm not only that a military facility is properly secured, but that it remains compliant with DoD requirements, manuals, and policies.
Module 2: Assessing Physical Security and Implementing Controls
This module explores the types of security controls implemented in a military facility, some of their requirements, and methods for evaluating existing controls, beginning with the physical security of bases, buildings, and rooms.
Threat Categories Facing Military Facilities
Threats to military facilities take many forms and are constantly evolving. For the purposes of a physical security evaluation, it is useful to group them into two broad categories:
- Direct physical attacks on military facilities. Most base perimeter controls exist to detect and deter this category and to protect the personnel inside the fence line. Examples include:
- Armed attacks on a base in a war zone
- Vehicle-borne improvised explosive device (VBIED) attacks
- Active shooters on the installation
- Unauthorized access to, and removal of, classified information. This is the bigger focus of this course. These attacks typically involve coercing an employee who already has some level of access, in order to obtain, remove, and sell or transfer that information to an adversary. Building-level physical security controls exist specifically to control access to different levels of classified material and to prevent this style of attack.
flowchart TD
T[Threats to Military Facilities] --> P[Physical attacks on the installation]
T --> I[Unauthorized access / exfiltration of classified information]
P --> P1[Armed attack in a war zone]
P --> P2[VBIED attack]
P --> P3[Active shooter]
I --> I1[Coerced insider with existing access]
I --> I2[Removal, sale, or transfer of classified data to an adversary]
Layered Physical Security Controls
To counter these threats, military installations employ a variety of physical security controls, generally organized under a Defense in Depth model — multiple controls, in layers, so that the failure of any single measure does not compromise the facility.
| Layer | Example Controls |
|---|---|
| Base perimeter | Installation ID/pass checked by armed gate guards before anyone sets foot on base; high, stable fencing topped with barbed wire |
| Building entry | Additional armed guards controlling building access; badges indicating clearance level; facial ID |
| High-classification facility entry | RFID badges with PIN verification; single-entry control points staffed by a guard; mantrap systems with multiple entry doors |
| Room-level (within high-classification facilities) | Combination locks; alarm systems with a required response interval; security cameras for monitoring |
flowchart TD
subgraph "Defense in Depth"
L1[Base Perimeter: fencing, gate guards, installation ID] --> L2
L2[Building Entry: armed guard, badge + clearance level, facial ID] --> L3
L3[High-Classification Facility: RFID + PIN, single entry point, mantrap] --> L4
L4[Room Level: combination lock, alarm w/ response interval, CCTV]
end
Demo: Designing Physical Security for a Facility Floor Plan
This walkthrough plans the physical security measures for a new facility by looking at a sample existing building where military networks will be installed, and by discussing the placement of physical security components. It is not a comprehensive list of every possible control — lock specifications and door hardware requirements at that level of detail should come from the DoD manuals referenced in Module 1. The scenario is illustrated in two parts: the building entrance, and a single floor containing offices and a server room.
Building entrance:
- Primary entry doors. The double doors are the point where authorized personnel enter the facility.
- Guard station. An area just inside the first door houses a security guard who can visually check badges and check in visitors.
- Access control at every entry point. A badge reader using RFID, potentially with a required PIN, provides two-factor authentication at each entry.
- Surveillance of the external entry point. The guard monitors the entrance via camera; if a visitor approaches without a badge, the guard can open the door to allow them to check in without granting access to the rest of the facility. These two layers mean that even if the external door itself is breached, a guard is present to respond to the threat, or to call for assistance, before the visitor reaches the full facility.
- After-hours protection. If the facility is not guarded 24/7, the entry door needs an approved lock and an alarm system that alerts a guard force able to respond within the interval required by the classification level of the information being protected. Routine after-hours inspections confirm the door is locked and the facility secured.
- Data center door. A separate lock protects the data center itself against insider threats, restricting access to trained IT/cybersecurity personnel only.
- Physical document storage. Safes store physical classified documents and remain closed when not in use; opening and closing of the safe — like the facility door — is tracked and inspected.
- Secondary/emergency exit. A second external door supports personnel safety (e.g., fire egress) but, to preserve the single controlled entry point, is configured as an emergency-exit-only door with its own alarm.
- Visitor notification. When an uncleared visitor is inside a secured facility, personnel must be alerted via both a vocal signal from the visitor’s escort and a visual cue (e.g., a silent-flashing beacon/siren without sound). This tells employees to sanitize their workspace — securing classified material and powering off classified-system monitors — while the visitor is present.
flowchart TD
Start([Visitor/Employee approaches entrance]) --> Badge{Has valid badge/RFID + PIN?}
Badge -->|Yes, employee| Enter[Access facility via controlled entry]
Badge -->|No, visitor| GuardCheck[Guard visually verifies and opens external door only]
GuardCheck --> CheckIn[Visitor checks in, escort assigned]
CheckIn --> Alert[Vocal + visual uncleared-visitor alert to occupants]
Alert --> Sanitize[Employees secure classified material, power off classified displays]
Enter --> DataCenter{Needs data center access?}
DataCenter -->|Yes, trained IT/cyber staff| DCEntry[Separate locked data center door]
DataCenter -->|No| Offices[General office access]
Single floor — offices and server room: the same layered principles extend inward from the building entrance: the server room requires its own dedicated lock beyond general office access, physical document safes require tracked open/close logging, and the emergency exit / visitor-alert controls described above apply at the floor level as well as at the building entrance.
Utility and Environmental Control Threats and Mitigations
Utility and environmental controls protect a facility against threats that do not involve a person physically breaching a door, but can still result in the loss of access to, or damage of, critical information systems.
| Threat | Description | Potential Impact |
|---|---|---|
| Power grid impact | Natural or human-caused disruption to power | Disables the network and many of the access-control systems protecting sensitive information |
| Attacks on ICS/SCADA climate-control systems | Compromise of industrial control systems managing data center climate | Servers and network equipment overheat, causing outages and loss of access to critical information |
| Natural disasters | Unpredictable events impacting the facility | Outages and loss of access similar to a power-grid impact |
Mitigations:
- Backup power. Uninterruptible power supplies (UPS) keep systems available long enough to shut down safely, or until a generator comes online; generators then sustain power until grid power is restored.
- Redundant power paths. Multiple power supplies per unit of equipment, tied to separate circuits, so a single circuit failure does not take equipment offline.
- ICS/SCADA isolation. Environmental control systems must not be reachable over the public internet or by unauthorized users on the base, limiting the attack surface for climate-control compromise.
- Backup sites and off-site storage. Provide continued access to information if a primary site is damaged or destroyed by natural disaster or physical attack.
flowchart TD
A[Power Grid Impact] --> M1[UPS + Generator]
A --> M2[Redundant power supplies on separate circuits]
B[ICS/SCADA Attack on Climate Control] --> M3[Isolate control systems from internet & unauthorized users]
C[Natural Disaster] --> M4[Backup sites + off-site information storage]
Demo: Assessing Utility and Environmental Controls in a Server Room
This walkthrough assesses utility and environmental controls in a simulated facility’s server room and recommends additional components, using the same facility from the physical security demo.
Existing state: the server/network equipment room already has uninterruptible power supplies and air conditioning units installed — a reasonable starting point, since environmental controls for temperature and backup battery power already exist.
Assessment and recommendations:
- UPS redundancy. A single UPS per rack has no fault tolerance — if the UPS fails during an outage, the entire rack goes offline. Recommend a second UPS at each rack, with each server’s dual power supplies connected to a separate UPS. This way, either a single power supply or a single UPS can fail without taking the system down.
- Circuit diversity. The second set of UPS units should be wired to separate building circuits, rather than relying on a single power source.
- Backup generator. Battery backup alone is only sufficient to shut servers down safely. A backup generator provides a secondary power source; once in place, the UPS’s role shifts to bridging the gap until the generator comes online, rather than sustaining the load for the long term.
- Fire detection and suppression. STIGs require a fire detection/suppression system that notifies the servicing fire department, in addition to suppressing the fire, and that is inspected regularly by a fire marshal.
- Climate monitoring with alerting. Even with air conditioning in place, a thermostat should be configured to alert technicians if the room’s temperature falls outside the equipment’s tolerance range — critical in a facility that is not monitored 24/7, so staff are notified before equipment is damaged.
| Environmental Control Checklist Item | Status Assessed | Recommendation |
|---|---|---|
| UPS present | Yes (single per rack) | Add a second UPS per rack; dual power supplies split across both |
| Circuit diversity | Not present | Wire redundant UPS units to separate building circuits |
| Backup generator | Not present | Add a generator as the long-term power source behind UPS bridging power |
| Fire detection/suppression | Not confirmed | Confirm system notifies fire department and is regularly inspected by a fire marshal (STIG requirement) |
| Climate monitoring w/ alerting | Present (A/C only, no alerting) | Add thermostat alerting to notify technicians of out-of-tolerance temperatures |
Building Management Systems: Benefits and Security Considerations
A Building Management System (BMS) connects all facility controls together, enabling real-time monitoring, automation, centralized control, and reduced maintenance costs.
Benefits:
- Central monitoring of temperature changes
- Fire alert notifications
- Managing and monitoring access control
- Managing power across the facility
- Reduced maintenance costs through improved status tracking, enabling proactive maintenance that avoids more expensive repairs
Security considerations:
Because a BMS is centralized, compromising it can give an attacker access to every system it manages:
- If the BMS manages access control, a compromise could allow an attacker to defeat the physical security of the building.
- If the BMS manages environmental controls, a compromise could allow an attacker to alter data-center temperature and cause physical damage to equipment.
flowchart TD
BMS[Building Management System] --> AC[Access Control Systems]
BMS --> ENV[Environmental / Climate Control]
BMS --> PWR[Power Management]
BMS --> FIRE[Fire Alerting]
Attacker((Attacker compromises BMS)) -.-> BMS
style Attacker fill:#f66,stroke:#900,color:#fff
Given this risk, any BMS implementation must weigh the benefits against the centralized blast radius of a compromise, and must be secured accordingly:
- Keep the BMS separate from other network systems and not connected to the internet — this significantly limits the ability to compromise the system from outside, and limits an attacker’s ability to pivot to other network systems if the BMS is compromised.
- Being isolated on a separate network does not, by itself, make the BMS safe — it should be subject to similar security measures as other military network systems, with access further limited to reduce the risk from both external compromise and insider threats.
Module 3: Assessing Devices and Implementing Required Controls
This module shifts focus to network devices and their associated security requirements, including automated tools for scanning systems for required controls. It begins with the threats facing military facility networks — specifically, advanced persistent threats (APTs) known to target the military.
Advanced Persistent Threats Targeting Military Networks
Using a list of advanced persistent threats compiled by Mandiant as a reference, several APTs have targeted military networks, or companies associated with the military, with a variety of goals and methods.
| APT | Primary Targets | Method | Goal |
|---|---|---|---|
| APT2 | Military and aerospace sectors | Spear phishing exploiting a specific vulnerability | Intellectual property theft — stealing military/aerospace information to provide an advantage to their sponsoring country |
| APT22 | Broad set of entities, including military networks | Malware delivered by compromising web servers to gain access | General access/espionage |
| APT23 | Entities with political and military significance | Spear phishing attacks | Theft of information with political and military significance |
| APT35 | Multiple entities, including military networks | Spear phishing and compromised account credentials | Collection of strategic intelligence |
flowchart LR
subgraph Actors
A2[APT2]
A22[APT22]
A23[APT23]
A35[APT35]
end
A2 -->|spear phishing + vuln exploit| Goal1[IP theft: military/aerospace data]
A22 -->|compromised web servers + malware| Goal2[Broad access/espionage]
A23 -->|spear phishing| Goal3[Political/military info theft]
A35 -->|spear phishing + stolen creds| Goal4[Strategic intelligence collection]
Automating Compliance Checks with ACAS and SCC
Physical and environmental security controls generally have to be checked manually — there is no substitute for a person inspecting a lock, a safe, or a fire suppression system. Network devices could in theory be checked the same way, but given both the number of required checks per system and the number of systems on a typical network, automation is far more practical. Two tools are widely used on DoD networks:
| Tool | Full Name | Purpose |
|---|---|---|
| ACAS | Assured Compliance Assessment Solution | Vulnerability scanning tool for US DoD networks; categorizes findings by risk. Checks network devices for vulnerabilities and specific configurations. Reports are used to prioritize remediation and gain visibility into overall device security. Mandated for use on all DoD networks; built on components of Tenable’s Nessus scanners. |
| SCC | SCAP (Security Content Automation Protocol) Compliance Checker | Enables authenticated configuration scanning using SCAP content. Supports local or remote scans of Windows, Linux, Solaris, and Mac OS X systems. Ships with STIG benchmarks for multiple operating systems and Cisco network devices. Publicly available for download from DISA. |
flowchart TD
A[Network devices & hosts] --> B[ACAS: DoD-wide vulnerability scanning + risk categorization]
A --> C[SCC: authenticated SCAP/STIG configuration scanning]
B --> D[Prioritized remediation reports]
C --> D
D --> E[Remediate configuration & patch vulnerabilities]
E --> F[Continuous scanning / monitoring]
F --> A
Demo: Using SCAP Compliance Checker to Find and Remediate STIG Vulnerabilities
This walkthrough uses the SCAP Compliance Checker (SCC) on a lab machine to scan for vulnerabilities, remediate an example finding, and rescan to confirm the fix.
Lab environment:
| Component | Details |
|---|---|
| Host virtualization | VirtualBox (free) |
| Guest OS | Ubuntu 20.04 Desktop (freshly installed) |
| Resource | URL |
|---|---|
| Ubuntu 20.04 Desktop | https://releases.ubuntu.com/focal/ |
| SCC and SCAP content | https://public.cyber.mil/stigs/scap/ |
Step-by-step process:
-
Download SCC from DISA’s public Cyber Exchange, under the SCAP Tools section. If your operating system is not listed, expand the entry menu to show more options. This demo uses the Ubuntu 18-20 version of SCC.
-
Install SCC. The downloaded package includes a manual with OS-specific installation and startup instructions.
-
Configure the scan. Deselect irrelevant benchmarks and leave only the 20.04 STIG benchmark and the Firefox benchmark selected.
-
Start the scan. A warning appears about manual questions — checks the tool cannot verify automatically. Selecting Continue marks them all as “not answered” and the scan proceeds.
-
Review the non-compliance report for the operating system benchmark once the scan completes. On a freshly installed, unhardened system, the machine is expected to be far out of compliance.
-
Drill into severity categories. Results are broken down by:
Severity STIG Category High CAT I Medium CAT II Low CAT III -
Inspect an individual finding — Vulnerability ID 238218 (unattended/automatic login using SSH). The detail view shows a description, reference, definition, test information, and — most importantly — Fix Text describing the remediation steps.
-
Remediate the finding:
- Open
sshd_config(this demo usesnano). - Locate
PermitEmptyPasswordsand uncomment it, setting it tono. - Locate
PermitUserEnvironmentand uncomment it, setting it tono. - Save the file and exit the editor.
- Restart the SSHD service to apply the change.
- Open
-
Rerun the scan and confirm the compliance percentage improves and that Vulnerability ID 238218 no longer appears under CAT I findings.
# Edit the SSH daemon configuration
sudo nano /etc/ssh/sshd_config
# Ensure the following two lines are present and uncommented:
PermitEmptyPasswords no
PermitUserEnvironment no
# Save and exit, then restart the SSH service to apply changes
sudo systemctl restart sshd
sequenceDiagram
participant Analyst
participant SCC as SCC Tool
participant Host as Ubuntu 20.04 Host
Analyst->>SCC: Configure scan (20.04 STIG + Firefox benchmarks)
SCC->>Host: Run authenticated configuration scan
Host-->>SCC: Return results
SCC-->>Analyst: Non-compliance report (CAT I / II / III findings)
Analyst->>Host: Edit sshd_config (PermitEmptyPasswords no, PermitUserEnvironment no)
Analyst->>Host: Restart sshd service
Analyst->>SCC: Rerun scan
SCC->>Host: Run authenticated configuration scan
Host-->>SCC: Return updated results
SCC-->>Analyst: Improved compliance %, finding 238218 resolved
Operational workflow beyond a single scan: running SCC and manually fixing every finding on every deployed system is tedious at scale. A more practical pattern is to build and harden a base image:
- Run SCC against a reference build, working through the STIG benchmark and manual checks a single time, testing each fix to confirm it does not disable critical systems or software.
- Once the image is hardened, validate it with ACAS as well.
- Deploy the hardened image as the standard image for new/reimaged hardware.
- Continue routine ACAS scanning against deployed systems and apply continuous patching as new vulnerabilities are discovered.
Summary
Meeting the specialized engineering requirements for government facilities — and military facilities in particular — is an in-depth process involving numerous policies, frameworks, and layered controls. The key principles from this course are:
- Know the issuance hierarchy. Publications (e.g., NIST SP 800-53) provide reference guidance; directives set brief, DoD-wide policy; instructions (e.g., DoDI 8500.01) assign responsibilities; manuals (e.g., DoD Manual 5200.01/5200.08) contain the granular, actionable procedures used during an assessment.
- Use frameworks to structure risk decisions and inspections. RMF (Prepare → Categorize → Select → Implement → Assess → Authorize → Monitor) drives system risk management; CCRIs and STIGs enforce and measure ongoing compliance; the CSWF standardizes cybersecurity workforce roles and training.
- Design physical security in layers (Defense in Depth). Perimeter fencing and gate guards, building-entry badge/guard controls, high-classification single-entry/mantrap systems, and room-level locks/alarms/cameras each add an independent layer that must all fail for an intruder — or an insider threat — to succeed.
- Do not overlook utility and environmental controls. Power grid disruption, ICS/SCADA attacks on climate control, and natural disasters can all take critical systems offline just as effectively as a physical breach; redundant UPS/generators, isolated environmental control networks, and backup sites mitigate these risks.
- Weigh BMS convenience against centralized risk. A Building Management System offers real monitoring and cost benefits, but a compromise gives an attacker leverage over every system it touches — keep it isolated from the internet and other networks, and secure it as rigorously as any other military network system.
- Automate device-level compliance checking at scale. ACAS provides DoD-wide vulnerability scanning and risk categorization; SCC provides authenticated SCAP/STIG configuration scanning with actionable Check Text/Fix Text. Harden a base image once, validate with both tools, then deploy and continuously monitor.
Quick-Reference Checklist
| Area | Checklist Item |
|---|---|
| Policy research | Identify the facility’s information classification level; locate the applicable DoD manual(s) (e.g., 5200.01 Vol. 3, 5200.08) and relevant STIG checklist(s) |
| Physical security | Perimeter fencing/gate guard, building-entry guard + badge/clearance check, RFID+PIN or mantrap for high-classification spaces, room-level locks/alarms/cameras, tracked safe usage, uncleared-visitor alert procedure |
| Environmental/utility | Redundant UPS per rack across separate circuits, backup generator, isolated (non-internet-connected) ICS/SCADA climate control, fire detection/suppression with fire-department notification and marshal inspection, out-of-tolerance temperature alerting, backup site/off-site storage |
| Building Management System | Isolated from the internet and other networks; subject to the same security controls as other military network systems; access tightly restricted |
| Network devices | ACAS scanning in place DoD-wide; SCC/SCAP scans run against hosts; findings remediated per STIG Fix Text; hardened base image built, validated, and deployed; continuous scanning and patching maintained |
Search Terms
government · facilities · specialized · engineering · governance · risk · compliance · networking · systems · security · controls · physical · assessing · dod · environmental · facility · framework · find · management · military · required · stig · threats · utility