STIG Compliance Checker (Reserved Slot) — Adapter Technical Specification


Note: Canon-derived document

Status: reserved · Class: conformance · Mission: policy · Phase: phase-planning

Canon source: canon/adapter-registry.yaml (propagated by uiao/tools/sync_canon.py).

The YAML frontmatter and this banner are regenerated from canon on every sync. Do not hand-edit. Author new material only below the ## Overview heading.

Warning: Scaffold — awaiting authored content

This document is a stub. Replace every _TODO — ..._ block with authored content that is consistent with UIAO canon. Canon invariants (gcc-boundary, ssot-mutation: never, etc.) must never be contradicted.

Overview

The STIG Compliance Adapter is a conformance-class policy adapter that evaluates system configuration against DISA Security Technical Implementation Guide (STIG) baselines. It ingests XCCDF assessment results produced by SCAP tooling (OpenSCAP, including its SCAP Workbench front end) and normalizes them into canonical claims.

Key capabilities: XCCDF result parsing (rule_id, severity, pass/fail/notapplicable), benchmark-scoped assessment, pass/fail counting for evidence generation, and STIG-to-NIST control mapping.

Implementation: uiao/src/uiao/adapters/stigcompliance_adapter.py. Conformance: 30/30 PASS.

Scope

Target surfaces / subsystems: (not yet defined)

  • Reads: STIG assessment results (JSON with rule_id, severity, result, title per XCCDF rule).
  • Emits: a ClaimSet with one claim per STIG rule result, and an EvidenceObject with pass/fail/total counts.
  • Does NOT: execute SCAP scans, modify system configuration, or remediate findings. Read-only policy evaluation.

Controls

NIST SP 800-53 Rev 5 controls this adapter supports: CM-6, CM-7, CA-7

| Control | Role | Adapter capability |
|---|---|---|
| CM-6 Configuration Settings | Primary | STIG rule evaluation verifies configuration settings against DISA baselines. |
| CM-7 Least Functionality | Supporting | STIG rules include least-functionality checks (disabled services, removed packages). |
| CA-7 Continuous Monitoring | Supporting | Scheduled STIG assessment provides continuous compliance posture evidence. |
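The following is an added worked example of the normalization described in the Overview, Scope and Controls sections; it is not code from stigcompliance_adapter.py or from UIAO canon. It goes one step earlier than the JSON shape listed under Scope by flattening an XCCDF 1.2 TestResult (the XML OpenSCAP emits) into per-rule records, then builds one claim per rule and the pass/fail/total evidence counts. The TestResult fragment, the rule identifiers and the two CCI-to-NIST entries are constructed for the example (a real adapter would load the DISA CCI list rather than hard-code it). It also classifies the XCCDF result values the page does not mention (error, unknown, notchecked, notselected, informational) as unresolved, so an unchecked or errored rule is never counted as a pass.

```python
"""Normalize XCCDF STIG rule results into per-rule claims and evidence counts (added example)."""
import json
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Every result value XCCDF 1.2 allows for a rule-result, classified explicitly.
# Only pass/fail (and fixed, which XCCDF defines as remediated to pass) are
# definitive; anything else is "unresolved" and must never be counted as pass.
DEFINITIVE = {"pass": "pass", "fail": "fail", "fixed": "pass"}
NOT_APPLICABLE = {"notapplicable"}
UNRESOLVED = {"error", "unknown", "notchecked", "notselected", "informational"}

# Assumed CCI -> NIST SP 800-53 entries for this example only; a real adapter
# loads the full DISA CCI list instead of hard-coding mappings.
CCI_TO_NIST = {"CCI-000366": "CM-6", "CCI-000381": "CM-7"}

# Constructed XCCDF TestResult fragment in the shape OpenSCAP emits (not a real scan).
SAMPLE_XCCDF = """<?xml version="1.0"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_testresult_1">
  <rule-result idref="xccdf_example_rule_sshd_no_root" severity="high">
    <result>pass</result>
    <ident system="http://cyber.mil/cci">CCI-000366</ident>
  </rule-result>
  <rule-result idref="xccdf_example_rule_telnet_removed" severity="medium">
    <result>fail</result>
    <ident system="http://cyber.mil/cci">CCI-000381</ident>
  </rule-result>
  <rule-result idref="xccdf_example_rule_fips_kernel" severity="high">
    <result>notapplicable</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_audit_daemon" severity="high">
    <result>error</result>
    <ident system="http://cyber.mil/cci">CCI-000366</ident>
  </rule-result>
</TestResult>
"""


def xccdf_to_records(xml_text, titles=None):
    """Flatten XCCDF rule-result elements into the adapter's JSON record shape.

    A TestResult carries no rule titles; `titles` is an optional rule_id -> title
    map taken from the Benchmark, and the rule id is used when it is absent.
    """
    titles = titles or {}
    root = ET.fromstring(xml_text)
    records = []
    for rr in root.findall("x:rule-result", XCCDF_NS):
        rule_id = rr.get("idref")
        result_el = rr.find("x:result", XCCDF_NS)
        raw = (result_el.text or "").strip() if result_el is not None else "unknown"
        ccis = [i.text.strip() for i in rr.findall("x:ident", XCCDF_NS)
                if i.get("system", "").endswith("/cci") and i.text]
        records.append({"rule_id": rule_id, "severity": rr.get("severity", "unknown"),
                        "result": raw, "title": titles.get(rule_id, rule_id), "ccis": ccis})
    return records


def build_claims(records):
    """One claim per STIG rule result, with an explicit status class and NIST mapping."""
    claims = []
    for rec in records:
        raw = rec["result"]
        if raw in DEFINITIVE:
            status = DEFINITIVE[raw]
        elif raw in NOT_APPLICABLE:
            status = "notapplicable"
        elif raw in UNRESOLVED:
            status = "unresolved"
        else:  # fail closed on anything outside the XCCDF enumeration
            raise ValueError(f"{rec['rule_id']}: unrecognized XCCDF result {raw!r}")
        controls = sorted({CCI_TO_NIST[c] for c in rec.get("ccis", []) if c in CCI_TO_NIST})
        claims.append({"rule_id": rec["rule_id"], "title": rec["title"], "severity": rec["severity"],
                       "raw_result": raw, "status": status, "nist_controls": controls})
    return claims


def build_evidence(claims):
    """Aggregate counts; a clean result needs zero failures AND zero unresolved rules."""
    counts = Counter(c["status"] for c in claims)
    open_high = sum(1 for c in claims
                    if c["severity"] == "high" and c["status"] in ("fail", "unresolved"))
    return {"pass": counts["pass"], "fail": counts["fail"], "unresolved": counts["unresolved"],
            "notapplicable": counts["notapplicable"], "total": len(claims),
            "open_high": open_high,
            "compliant": counts["fail"] == 0 and counts["unresolved"] == 0}


def evaluate(xml_text):
    """Full pipeline: XCCDF XML -> records -> (claims, evidence)."""
    claims = build_claims(xccdf_to_records(xml_text))
    return claims, build_evidence(claims)


if __name__ == "__main__":
    claims, evidence = evaluate(SAMPLE_XCCDF)
    print(json.dumps({"claims": claims, "evidence": evidence}, indent=2))
```

`total` counts every rule result, including not-applicable ones, while `compliant` requires both zero failures and zero unresolved results, so a scan in which a check errored or was skipped cannot yield a clean evidence object; that distinction is the one a reviewer of CA-7 evidence will ask about first.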

Operational profile

| Field | Value |
|---|---|
| Runtime | TBD |
| Runtime pin | TBD |
| Runner class | TBD |
| Tenancy | per-customer |
| Evidence class | interval |
| Retention | 3 year(s) |

Canon invariants

  • gcc-boundary: gcc-moderate
  • ssot-mutation: never
  • certificate-anchored: true
  • object-identity-only: true

Notes from canon

Slot reserved per ARCHITECTURE.md §3.5 and §13 open decision ODA-14. Candidates include SCAP/OpenSCAP, STIG Viewer automation, or OPA-based STIG rule engines. Selection deferred to Phase 2 planning.

References

  • UIAO-CANON-003
  • ADR-025

Generated by uiao/tools/sync_canon.py. See uiao/ARCHITECTURE.md §4 for the cross-repo sync contract. See uiao-docs/_quarto.yml for rendering configuration.
