The Guide to Federal Security Best Practices for SteelHead

Joe Tomasello

The Department of Defense’s (DoD) ability to keep a safe and consistent security posture for its network devices is no small feat.

There are many components in play to ensure systems are secured and frequently monitored for changes. Devices and applications are not typically configured by default to operate in the most secure manner, which results in less obvious configuration settings and security risks.

To keep federal networks secure, the Defense information Systems Agency (DISA) sees to it that the DoD has an established way to apply a security ‘profile’ for different devices and applications, across its network. This is accomplished by applying a Security Technical Implementation Guide (STIG), a tool that is created for the device type and allows each agency to configure and audit their systems for compliance.

Sounds easy, right? It can be, if there is a specific STIG created for a product. If there isn’t a product-specific STIG, then you must figure out which of the existing STIGs should be used. STIGs come in many forms and several may apply to a given system. While the STIG is designed to facilitate the application of security controls, understanding which ones to apply can be burdensome. 

Fortunately, DISA recognized this challenge and established a process for vendors to author and submit a product-specific STIG to DISA for consideration and publication.

Riverbed Technology has done exactly that—by working with the Field Security Office (FSO) and applying all the applicable DoD Security Requirement Guides (SRGs) into a single STIG.

A SteelHead-specific STIG is now available on the DISA websites for customers to download and use to meet their security audits.  The SteelHead STIG provides the technical security policies, requirements, and implementation details for applying security concepts to the Riverbed SteelHead Wide Area Network (WAN) optimization solution. Along with the STIG, a comprehensive user’s guide can walk you through the configuration changes to set up the SteelHead, in compliance with the STIG.

The SteelHead-specific STIG is an example of how DISA is becoming more proactive about dealing with potential cyber security threats. Roger Greenwell, chief of cyber security for the Defense Information Systems Agency’s Risk Management Executive, said the goal is to create knowledge across DISA and ‘try to actually drive behavioral changes not just in compliance, but also in culture: Think before you’re doing.’

It’s a good thing the DoD can rely on DISA to publish a STIG as a way to ensure its systems are locked down in accordance to security best practices.  It’s even better that they have opened up the collaborative authoring of a STIG with vendors to expand the device types to streamline their use.  

Now if I can only find something to lockdown my iPad. 


Useful links:



No Responses to “The Guide to Federal Security Best Practices for SteelHead”

Leave a Reply

Your email address will not be published. Required fields are marked *