The first, and only STIG for ArcGIS Server is 10.3. It's rather hard to write a security plan for 10.5.1, or 10.6, when referencing a STIG for an older version. The folks that review these plans don't miss a thing. The current STIG can mostly apply to the current server version, however there are security features in the later versions that aren't referenced in the STIG, and, most importantly, the current STIG does not specifically state the current release of server. For example, the STIG does not cover security configurations when the server is federated to a Portal. While we're on the topic of STIGs, there needs to be one for Portal and Data Store.