What Is DoD Compliance?

Quick Fix Summary

What’s Happening

DoD compliance—often called DoD RMF or DoD Cybersecurity Compliance—requires federal contractors and DoD information systems to meet the security controls in NIST SP 800-53 Rev. 5 and the hardening baselines from the Defense Information Systems Agency (DISA). As of 2026, the current baselines are the Security Technical Implementation Guides (STIGs) version 2.0+. These guides tie every required control to a specific registry key, group policy setting, or configuration file tweak.

When a scan fails, three culprits usually stand out: the STIG bundle isn’t up to date, the target host runs an unsupported OS (like Windows Server 2019 or older), or the scanning account lacks local admin privileges to read or modify the necessary settings.

Step-by-Step Solution

1. Confirm the STIG baseline version.
   • Grab the latest STIG bundle from the DISA STIGs site (STIG Viewer 5.0 or higher).
   • In STIG Viewer: File → Import → Pick the XML bundle named “Windows_Server_2022_STIG_V2R10.xml” (swap in the right Linux/Unix baseline if needed).
2. Ensure the target host OS version matches the STIG.

   OS Family	Required Version (as of 2026)
   Windows Server	2022 LTSC Datacenter
   RHEL	9.4
   Ubuntu	24.04 LTS

3. Run the scan with elevated credentials.
   • Spin up—or reuse—a domain account that’s already in the local Administrators group on the target host.
   • In STIG Viewer: File → New Scan → Choose “SCAP XCCDF” template → Target Host → Drop in the FQDN or IP → Credentials → Enter the local admin account details.
4. Apply remediations and reboot.
   • In STIG Viewer: View → Vulnerabilities → Right-click any “CAT I” or “CAT II” rule → Remediate → Save the changes to a script (.ps1 or .sh).
   • Run that script on the target host with elevated privileges (Run as Administrator).
   • Reboot the host and rerun the scan.
5. Export the final SCAP results.
   • File → Export → SCAP 1.2 Data Stream → Save as “stig-results-YYYYMMDD.xml”.
   • Upload the XML to the DoD eMASS portal for accreditation.

If This Didn’t Work

• Use SCCM or Ansible for mass remediation.
  • Microsoft Endpoint Configuration Manager (SCCM) 2303+ comes with built-in STIG remediation baselines you can push via Configuration Items → Settings → STIG Baselines.
  • For Linux hosts, pull the community.general collection and the stig_compliance role (v3.4+).
• Check the SCAP tool version.
  • If you’re still on openscap-scanner 1.3.7 or older, upgrade to v2.1.0+ to dodge false positives on newer STIG rules.
• Verify network connectivity and firewall rules.
  • The target host must let WinRM (TCP 5985/5986) or SSH (TCP 22) traffic in from the scanner host.
  • Windows Defender Firewall needs an inbound rule that allows the STIG Viewer service through.

Prevention Tips

• Automate daily compliance checks.
  • Set a nightly openscap-xccdf eval --profile stig-rhel9-disa script on Linux hosts via cron.
  • On Windows: schtasks /create /tn "DailySTIGScan" /tr "C:\Program Files\DISA\STIGViewer\STIGViewer.exe --scan --export C:\STIG\results.xml" /sc daily /ru SYSTEM.
• Maintain an OS life-cycle plan.
  • Keep a simple matrix of OS versions and their end-of-support dates. Replace anything older than two years (Windows Server 2022, for example, is good until 2030).
• Rotate scanning credentials quarterly.
  • Use Group Policy Preferences or Ansible Vault to cycle the local admin password every 90 days. Make sure the new password meets DoD 8570 complexity rules.
• Join the DoD Cyber Exchange community.
  • Subscribe to the DoD Cyber Exchange mailing list to get STIG update alerts within 24 hours of release.