The first, and only STIG for ArcGIS Server is 10.3. It's rather hard to write a security plan for 10.5.1, or 10.6, when referencing a STIG for an older version. The folks that review these plans don't miss a thing. The current STIG can mostly apply to the current server version, however there are security features in the later versions that aren't referenced in the STIG, and, most importantly, the current STIG does not specifically state the current release of server. For example, the STIG does not cover security configurations when the server is federated to a Portal. While we're on the topic of STIGs, there needs to be one for Portal and Data Store.
Any chance that ESRI will start maintaining STIGS with the server version soon? It's been pointed out to me we can no longer use the 10.3 STIG as there are so many security features in 10.7 that don't exist in this antiquated STIG.
I would recommend that you reach out to the Esri Security team for more information, if avaialble; https://trust.arcgis.com/en/
The 10.3 STIG is still valid for stand-alone ArcGIS Server instances. Updated STIGS for Enterprise (including Portal/Datastore) are on our roadmap.
Hate to split hairs on this, but https://dl.dod.cyber.mil/wp-content/uploads/stigs/pdf/U_Esri_ArcGIS_Server_10-3_STIG_V1_Release_Memo... doesn't mention any other version of ArcGIS Server other than 10.3. I'm not going to get into our specific security posture online, but I'm pretty confident the security folks aren't going to accept a 4-version-old STIG checklist in the ATO process.
Seems like this would be an easy thing to maintain? There really isn't all that much difference between versions, the biggest road block would be getting a new version STIG pushed through the Vendor Development, which I understand is glacially slow.
Hi Thomas,
We have provided updates to DISA as our product has evolved for different versions, however DISA has not had bandwidth on their side to run a full update of their materials for each version. DISA clarified that the version number on the STIG does not have to match the version number deployed, IF the vendor has a public statement that the STIG is still tested and valid. We therefore have the statement that the ArcGIS Server STIG "...is tested for compatibility through current releases." as part of the document description within the ArcGIS Trust Center documents section here.
As for providing STIGS for ArcGIS Enterprise base software components - Server, Portal, DataStore, we have attempted to engage DISA, however their backlog is too severe for them to provide us an estimate for when they can engage. Once the number of direct requests from customers to DISA are significant enough, DISA will accordingly prioritize and engage with Esri - Until such time, we are looking at creating an ArcGIS Enterprise security hardening guide in 2020 that customers can reference for thier deployments and authorization efforts.
Awesome! A security guide is helpful too. We don't necessarily need it to be DISA-approved format for our purposes. M$ releases many "Security Checklists" that are outside of the STIG process that can still serve as authoritative hardening processes, whereas pages of software documentation may not. IN other words, handing something to an Auditor and saying "yes, we are following vendor guidelines, here's their list". You hit the nail with the word "Authorization".
@MichaelYoungor @RandallWilliams has there been any progress on the ArcGIS Enterprise Hardening Guide? It would be very helpful to me, particularly since I'm trying to apply the IIS STIG as well. My organization will accept vendor-provided hardening guides for an authorization when a STIG is unavailable.
"the cadence for DISA being able to engage to issue a new revision spanning ArcGIS Enterprise has resulted in us deciding to release a general security hardening guide" (Esri Blog)
The new Hardening Guide has now been released (it addresses the security measures appropriate for software defined as critical by NIST:
New Hardening Guide, Privacy Certification & More (esri.com)
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.