20 min readDeterministic Automation

Implementation Guide: Automate STIG Compliance Checks, Generate SCAR/SCAP Reports & Trigger Patch Deployment

Step-by-step implementation guide for deploying AI to automate stig compliance checks, generate scar/scap reports & trigger patch deployment for Government & Defense clients.

Use CaseImplementation Guide

Software Procurement

DISA SCAP Compliance Checker (SCC) 5.x

DISASCC 5.x

$0

DISA's authoritative SCAP-validated compliance scanning tool. Scans Windows, Linux, and network device configurations against DISA STIGs and produces XCCDF/ARF results files. Required for DoD RMF and CMMC compliance evidence. Download from: https://public.cyber.mil/stigs/scap/. Must be registered to access.

DISA STIG Viewer 3.x

DISA

$0

Viewer and checklist tool for DISA STIGs. Produces XCCDF-format checklist files (.ckl) that serve as the official compliance record for each system. Used by ISSOs to manually review and document findings. License type: Free (DoD and contractor use).

Tenable.sc (Vulnerability and Compliance Management)

TenableTenable.sc

~$15,000–$30,000/year for 500–1,000 assets

Integrates SCAP/STIG compliance scan results with CVE vulnerability data for unified risk posture view. Provides compliance dashboards, trend analysis, and remediation workflow tracking. DISA-approved for DoD environments. Tenable Nessus (the scan engine embedded in Tenable.sc) supports DISA STIG audit files natively.

Microsoft Intune (GCC High)

Microsoft

~$8/device/month standalone (GCC High)

Included in M365 E3/E5 GCC High or standalone

Cloud-based endpoint management for patch deployment, compliance policy enforcement, and device configuration baselines. Intune Compliance Policies can enforce STIG-aligned configuration baselines and report non-compliant devices to Microsoft Sentinel (GCC High) for alert generation. Preferred for modern, cloud-managed endpoints.

Microsoft Endpoint Configuration Manager (MECM / SCCM)

MicrosoftMECM / SCCM

Included with qualifying M365 license

On-premises endpoint management for patch deployment and software distribution. Preferred for organizations with air-gapped or high-security networks where cloud management is not feasible. MECM Software Update Point (SUP) manages Windows patch deployment. Can co-manage with Intune in hybrid environments.

Microsoft Azure Automation (Azure Government)

Microsoft Azure Government

First 500 minutes/month free; $0.002/minute thereafter

Runs PowerShell and Python runbooks on a schedule for automated STIG compliance tasks: triggering SCC scans, collecting results, applying configuration remediations, and generating compliance reports. Supports hybrid workers (on-premises systems managed from Azure Automation via Hybrid Runbook Worker).

Microsoft Sentinel (Azure Government)

Microsoft Azure Government

~$2.46/GB ingested

Aggregates STIG scan results, Intune compliance states, and patch deployment status into a unified compliance dashboard. Analytics rules alert the ISSO when systems fall out of compliance or when patches fail to deploy within the authorized maintenance window.

Prerequisites

  • STIG baseline determination: The ISSO must determine which STIGs apply to each system in the CMMC boundary. STIG applicability depends on OS (Windows 11, Windows Server 2022, RHEL 9, etc.), installed software (SQL Server, IIS, Chrome, Office), and network devices (Cisco IOS, Palo Alto PAN-OS). Download applicable STIGs from https://public.cyber.mil/stigs/. A system may have 5–15 applicable STIGs.
  • SCAP tool and STIG registration: Access to DISA SCC and STIG benchmarks requires registration on the DoD Cyber Exchange (https://public.cyber.mil). The MSP technician and at least one client ISSO must be registered. Contractors access via the public portal; government users may have additional access to pre-release benchmarks.
  • Maintenance window definition: Before configuring automated patch deployment, obtain written authorization for maintenance window timing (day of week, time, duration) from the ISSM. Automated patch deployment outside the authorized maintenance window is a CMMC finding. Document the authorized maintenance window in the System Security Plan (SSP).
  • Test environment: A test/staging environment mirroring production must be available for patch and STIG remediation testing before production deployment. Automated patch deployment without testing is a change management violation under CMMC CM practices. For small organizations without a formal test environment, document a representative test system.
  • eMASS or POA&M system: The ISSO must have access to the system of record for STIG findings — either eMASS (for DoD systems) or a POA&M tracking system (for CMMC). STIG scan results feed into the POA&M. Configure the pipeline to export findings in the format required by the client's system of record.
  • IT admin access: Azure Government subscription, Azure Automation, Intune GCC High (Intune Administrator), MECM Site Administrator, Tenable.sc admin, local admin on endpoints for SCC scan agent deployment.

Installation Steps

...

Step 1: Deploy and Configure DISA SCC for Automated STIG Scanning

Install the DISA SCAP Compliance Checker and configure automated scheduled scans across all in-scope endpoints.

powershell
# Deploy SCC agent and configure automated scanning via PowerShell
# SCC 5.x supports both interactive and command-line operation

# Step 1: Deploy SCC to all endpoints via MECM/Intune software deployment
# SCC Silent Install:
$SCCInstaller = "C:\Installers\SCC-5.x.x_Windows_bundle.exe"
$InstallArgs = "/S /v/qn"
Start-Process -FilePath $SCCInstaller -ArgumentList $InstallArgs -Wait

# Verify installation:
Get-Package -Name "SCAP Compliance Checker*" | Select Name, Version

# Step 2: Stage STIG SCAP content on endpoints
# Download SCAP content from public.cyber.mil for each applicable STIG
# Example: Windows 11 STIG SCAP content
$SCAPContentPath = "C:\SCC\Resources\Content"
$STIGContent = @(
    "U_MS_Windows_11_V2R2_STIG_SCAP_1-3_Benchmark.zip",
    "U_MS_Office_365_ProPlus_V2R12_STIG_SCAP_1-3_Benchmark.zip",
    "U_Google_Chrome_V2R10_STIG_SCAP_1-3_Benchmark.zip"
)
# Deploy SCAP content to each endpoint via MECM software distribution or GPO

# Step 3: Configure SCC command-line automated scan
# Create scan script (run via Azure Automation or Windows Task Scheduler):

$SCCBinary = "C:\Program Files\SCAP Compliance Checker 5\cscc.exe"
$ResultsPath = "C:\SCC\Results\$(Get-Date -Format 'yyyyMMdd')"
New-Item -ItemType Directory -Path $ResultsPath -Force

# Run SCC scan with all applicable SCAP content
$SCCScanArgs = @(
    "--version",
    "--select-all",                    # Scan all installed SCAP content
    "--output-format", "all",          # Output: XCCDF, HTML, CSV, CKL
    "--output-path", $ResultsPath,     # Results directory
    "--log-level", "1"                 # Standard logging
)

$ScanResult = Start-Process -FilePath $SCCBinary `
    -ArgumentList $SCCScanArgs `
    -Wait -PassThru -NoNewWindow

Write-Host "SCC Scan completed. Exit code: $($ScanResult.ExitCode)"
Write-Host "Results saved to: $ResultsPath"

# Step 4: Upload results to central share (Azure Files or SharePoint)
# For Azure Files (Azure Government):
$StorageAccount = "stigresultsprod"
$ShareName = "stig-results"
$AzureFilesPath = "\\${StorageAccount}.file.core.usgovcloudapi.net\${ShareName}"

# Map Azure Files share (using storage account key or Azure AD auth)
net use Z: $AzureFilesPath /user:"Azure\$StorageAccount" $env:STORAGE_ACCOUNT_KEY

# Copy results
Copy-Item -Path "$ResultsPath\*" -Destination "Z:\$env:COMPUTERNAME\$(Get-Date -Format 'yyyyMMdd')\" -Recurse
net use Z: /delete

Write-Host "Results uploaded to central STIG results repository."
Note

DISA SCC scans can take 15–45 minutes per endpoint depending on the number of applicable STIGs and system performance. Schedule scans during off-hours maintenance windows. For large environments (100+ endpoints), use distributed scanning with staggered schedules (e.g., 20 endpoints per night across 5 nights) rather than scanning all systems simultaneously. SCC 5.x supports remote scanning of Windows systems via WMI/WinRM — configure this to avoid deploying the SCC agent on every endpoint.

Step 2: Build the STIG Results Processing Pipeline

Parse SCC scan results (XCCDF XML format), extract findings, and load into the Tenable.sc or custom compliance database.

stig_results_processor.py
python
# Parses SCC XCCDF results and generates compliance reports

# stig_results_processor.py
# Parses SCC XCCDF results and generates compliance reports

import xml.etree.ElementTree as ET
import json, os, datetime, glob

# XCCDF namespaces used by DISA SCC output
NAMESPACES = {
    'xccdf': 'http://checklists.nist.gov/xccdf/1.2',
    'arf': 'http://scap.nist.gov/schema/asset-reporting-format/1.1',
    'dc': 'http://purl.org/dc/elements/1.1/'
}

def parse_scc_results(xccdf_file: str) -> dict:
    """Parse a DISA SCC XCCDF results file and extract findings."""
    tree = ET.parse(xccdf_file)
    root = tree.getroot()

    results = {
        "scan_date": datetime.datetime.utcnow().isoformat(),
        "hostname": "Unknown",
        "stig_benchmark": "Unknown",
        "findings": [],
        "summary": {
            "open": 0,          # Non-compliant (CAT I, II, III failures)
            "not_a_finding": 0, # Compliant
            "not_applicable": 0,
            "not_reviewed": 0,
            "cat_i": 0,         # Critical (CAT I)
            "cat_ii": 0,        # High (CAT II)
            "cat_iii": 0        # Medium (CAT III)
        }
    }

    # Extract target system info
    target = root.find('.//xccdf:target', NAMESPACES)
    if target is not None:
        results["hostname"] = target.text

    # Extract benchmark info
    benchmark = root.find('.//xccdf:benchmark', NAMESPACES)
    if benchmark is not None:
        results["stig_benchmark"] = benchmark.get('id', 'Unknown')

    # Extract individual rule results
    for rule_result in root.findall('.//xccdf:rule-result', NAMESPACES):
        rule_id = rule_result.get('idref', '')
        result_elem = rule_result.find('xccdf:result', NAMESPACES)
        result_value = result_elem.text if result_elem is not None else 'unknown'

        # Get severity from rule definition
        severity = rule_result.get('severity', 'medium')
        cat = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}.get(severity, "Unknown")

        # Get finding details
        check_content = rule_result.find('.//xccdf:check-content', NAMESPACES)
        finding = {
            "rule_id": rule_id,
            "result": result_value,
            "severity": severity,
            "category": cat,
            "fix_text": ""  # Populated from STIG benchmark reference
        }

        results["findings"].append(finding)

        # Update summary counts
        if result_value == "fail":
            results["summary"]["open"] += 1
            if cat == "CAT I":
                results["summary"]["cat_i"] += 1
            elif cat == "CAT II":
                results["summary"]["cat_ii"] += 1
            elif cat == "CAT III":
                results["summary"]["cat_iii"] += 1
        elif result_value == "pass":
            results["summary"]["not_a_finding"] += 1
        elif result_value == "notapplicable":
            results["summary"]["not_applicable"] += 1
        elif result_value in ["notchecked", "unknown"]:
            results["summary"]["not_reviewed"] += 1

    results["summary"]["total_rules"] = len(results["findings"])
    results["summary"]["compliance_score"] = round(
        results["summary"]["not_a_finding"] /
        max(results["summary"]["total_rules"] - results["summary"]["not_applicable"], 1) * 100, 1
    )

    return results


def generate_poam_entries(findings: list, system_name: str, isso: str) -> list:
    """Generate POA&M entries from STIG open findings."""
    poam_entries = []

    for finding in findings:
        if finding["result"] == "fail":
            scheduled_completion = (
                datetime.date.today() +
                datetime.timedelta(days=30 if finding["severity"] == "high" else 90)
            ).isoformat()

            poam_entries.append({
                "poam_id": f"POAM-{finding['rule_id'][-6:]}",
                "system": system_name,
                "weakness_name": f"STIG Finding: {finding['rule_id']}",
                "weakness_description": f"{finding['category']} STIG finding — {finding['rule_id']}",
                "point_of_contact": isso,
                "resources_required": "System Administrator — 1-4 hours",
                "scheduled_completion_date": scheduled_completion,
                "milestone_with_completion_date": f"Apply STIG remediation — {scheduled_completion}",
                "status": "Ongoing",
                "comments": "AI-generated entry — ISSO review required before submission to eMASS"
            })

    return poam_entries

Step 3: Build the AI-Assisted STIG Compliance Report Generator

Generate plain-language STIG compliance status reports from parsed scan results for ISSO and leadership review.

stig_report_generator.py
python
# stig_report_generator.py

from openai import AzureOpenAI
import os, json

client = AzureOpenAI(
    azure_endpoint=os.environ["AZURE_OPENAI_ENDPOINT"],
    api_key=os.environ["AZURE_OPENAI_KEY"],
    api_version="2024-08-01-preview"
)

def generate_stig_compliance_narrative(
    scan_results: dict,
    prior_scan_results: dict = None,
    system_name: str = "Unknown System",
    issm_name: str = "ISSM"
) -> str:
    """Generate AI-assisted STIG compliance report narrative."""

    summary = scan_results.get("summary", {})
    trend = ""
    if prior_scan_results:
        prior_open = prior_scan_results.get("summary", {}).get("open", 0)
        current_open = summary.get("open", 0)
        delta = current_open - prior_open
        trend = f"TREND: {abs(delta)} findings {'added' if delta > 0 else 'remediated'} since last scan. "

    report_prompt = f"""Generate a STIG compliance status report narrative for ISSO and leadership review.

SYSTEM: {system_name}
SCAN DATE: {scan_results.get('scan_date', 'Unknown')}
STIG BENCHMARK: {scan_results.get('stig_benchmark', 'Unknown')}
ISSM: {issm_name}

COMPLIANCE SUMMARY:
- Total rules evaluated: {summary.get('total_rules', 0)}
- Compliant (Not a Finding): {summary.get('not_a_finding', 0)}
- Open Findings: {summary.get('open', 0)}
  - CAT I (Critical): {summary.get('cat_i', 0)}
  - CAT II (High): {summary.get('cat_ii', 0)}
  - CAT III (Medium): {summary.get('cat_iii', 0)}
- Not Applicable: {summary.get('not_applicable', 0)}
- Not Reviewed: {summary.get('not_reviewed', 0)}
- Overall Compliance Score: {summary.get('compliance_score', 0)}%
{trend}

Generate:
## EXECUTIVE SUMMARY
- Overall compliance posture assessment (Acceptable / Marginal / Unacceptable)
- Most significant findings requiring immediate attention
- Trend assessment (improving/declining/stable)
- ISSM risk acceptance recommendation for any CAT I findings

## CAT I FINDINGS (CRITICAL — 30-day remediation required)
For each CAT I finding: Rule ID, brief plain-language description, recommended remediation

## TOP CAT II FINDINGS
Top 5 CAT II findings by remediation priority

## RECOMMENDED REMEDIATION PRIORITY ORDER
Ordered list of remediation actions (most critical first)
Each action: What to do, estimated admin effort (hours), risk if not remediated

## POA&M STATUS
Summary of findings that require POA&M entries vs. findings that can be remediated immediately

## CMMC COMPLIANCE IMPACT
Which CMMC practices are affected by the current open findings?
(Reference: CM.L2-3.4.1, CM.L2-3.4.2, SI.L2-3.14.x as applicable)

[DRAFT — AI GENERATED — REQUIRES ISSO REVIEW AND ISSM APPROVAL]
[Classification: CUI — Handle per CMMC requirements]"""

    response = client.chat.completions.create(
        model=os.environ["AZURE_OPENAI_DEPLOYMENT"],
        messages=[
            {"role": "system", "content": "You are a DoD cybersecurity compliance specialist generating STIG compliance reports for ISSO and leadership review. Be precise about finding severity and remediation requirements per DISA standards."},
            {"role": "user", "content": report_prompt}
        ],
        temperature=0.1,
        max_tokens=3000
    )

    return response.choices[0].message.content

STIG Compliance Report — System Prompt

You are a DoD cybersecurity compliance specialist generating STIG compliance reports for ISSO and leadership review. Be precise about finding severity and remediation requirements per DISA standards.
Sonnet 4.6

STIG Compliance Report — User Prompt Template

Generate a STIG compliance status report narrative for ISSO and leadership review. SYSTEM: {system_name} SCAN DATE: {scan_date} STIG BENCHMARK: {stig_benchmark} ISSM: {issm_name} COMPLIANCE SUMMARY: - Total rules evaluated: {total_rules} - Compliant (Not a Finding): {not_a_finding} - Open Findings: {open} - CAT I (Critical): {cat_i} - CAT II (High): {cat_ii} - CAT III (Medium): {cat_iii} - Not Applicable: {not_applicable} - Not Reviewed: {not_reviewed} - Overall Compliance Score: {compliance_score}% {trend} Generate: ## EXECUTIVE SUMMARY - Overall compliance posture assessment (Acceptable / Marginal / Unacceptable) - Most significant findings requiring immediate attention - Trend assessment (improving/declining/stable) - ISSM risk acceptance recommendation for any CAT I findings ## CAT I FINDINGS (CRITICAL — 30-day remediation required) For each CAT I finding: Rule ID, brief plain-language description, recommended remediation ## TOP CAT II FINDINGS Top 5 CAT II findings by remediation priority ## RECOMMENDED REMEDIATION PRIORITY ORDER Ordered list of remediation actions (most critical first) Each action: What to do, estimated admin effort (hours), risk if not remediated ## POA&M STATUS Summary of findings that require POA&M entries vs. findings that can be remediated immediately ## CMMC COMPLIANCE IMPACT Which CMMC practices are affected by the current open findings? (Reference: CM.L2-3.4.1, CM.L2-3.4.2, SI.L2-3.14.x as applicable) [DRAFT — AI GENERATED — REQUIRES ISSO REVIEW AND ISSM APPROVAL] [Classification: CUI — Handle per CMMC requirements]
Sonnet 4.6

Step 4: Configure Automated Patch Deployment via Intune (GCC High)

Configure Intune software update policies to automate patch deployment within authorized maintenance windows.

Configure Intune Update Rings via Microsoft Graph API (Government endpoint)
powershell
# Configure Intune Update Rings via Microsoft Graph API (Government endpoint)
# Connect to Microsoft Graph (Government)
Connect-MgGraph -Environment USGov -Scopes "DeviceManagementConfiguration.ReadWrite.All"

# Create Windows Update Ring for automatic patching
$updateRingParams = @{
    displayName = "CMMC-Endpoints-Update-Ring"
    description = "Automated Windows patching for CMMC boundary endpoints. Maintenance window: Sunday 02:00-06:00 ET"
    microsoftUpdateServiceAllowed = $true
    driversExcluded = $false
    qualityUpdatesDeferralPeriodInDays = 0       # No deferral for security updates
    featureUpdatesDeferralPeriodInDays = 30      # 30-day deferral for feature updates
    automaticUpdateMode = "autoInstallAndRebootAtScheduledTime"
    scheduledInstallDay = "sunday"
    scheduledInstallTime = 2                     # 2 AM
    deadlineForQualityUpdatesInDays = 7          # Force install within 7 days
    deadlineForFeatureUpdatesInDays = 14
    deadlineGracePeriodInDays = 2
    postponeRebootUntilAfterDeadline = $false
    userPauseAccess = "disabled"                 # Users cannot pause updates
    userWindowsUpdateScanAccess = "disabled"     # Users cannot run Windows Update manually
    updateNotificationLevel = "defaultNotifications"
}

# Create the update ring
$updateRing = New-MgDeviceManagementDeviceConfiguration -BodyParameter $updateRingParams
Write-Host "Update ring created: $($updateRing.Id)"

# Assign update ring to CMMC endpoint group
$groupId = (Get-MgGroup -Filter "displayName eq 'CMMC-Boundary-Endpoints'").Id
$assignmentParams = @{
    target = @{
        "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
        groupId = $groupId
    }
}
New-MgDeviceManagementDeviceConfigurationAssignment `
    -DeviceConfigurationId $updateRing.Id `
    -BodyParameter $assignmentParams

Write-Host "Update ring assigned to CMMC-Boundary-Endpoints group."

# Create compliance policy to enforce STIG-aligned configuration
$complianceParams = @{
    displayName = "CMMC-STIG-Compliance-Policy"
    description = "Enforces DISA STIG-aligned configuration baselines for CMMC compliance"
    passwordRequired = $true
    passwordMinimumLength = 15                   # STIG requires 15+ chars
    passwordRequiredType = "alphanumeric"
    passwordMinutesOfInactivityBeforeLock = 15  # STIG: 15 min timeout
    encryptionRequired = $true                   # STIG: BitLocker required
    secureBootEnabled = $true                    # STIG: Secure Boot required
    activeFirewallRequired = $true               # STIG: Windows Firewall on
    antivirusRequired = $true
    antiSpywareRequired = $true
    defenderEnabled = $true
    rtpEnabled = $true                           # Real-time protection
    signatureOutOfDate = $false                  # Require current signatures
    osMinimumVersion = "10.0.22631"             # Windows 11 23H2 minimum
}

$compliancePolicy = New-MgDeviceManagementDeviceCompliancePolicy `
    -BodyParameter $complianceParams
Write-Host "STIG compliance policy created: $($compliancePolicy.Id)"

Step 5: Configure the STIG Compliance Dashboard in Microsoft Sentinel

Build Sentinel analytics rules and workbooks that provide real-time STIG compliance posture monitoring.

Sentinel KQL: STIG Compliance Monitoring
kql
-- Non-Compliant Devices Alert, Patch Compliance Status, CAT I Finding Age
-- Tracker, and Compliance Score Trend

// Sentinel KQL: STIG Compliance Monitoring
// Data source: Intune compliance data via Sentinel connector

// ─── 1. Non-Compliant Devices Alert ──────────────────────────────────────────
IntuneDeviceComplianceOrg
| where TimeGenerated > ago(24h)
| where ComplianceState == "noncompliant"
| summarize
    noncompliant_count = dcount(DeviceId),
    devices = make_set(DeviceName),
    owners = make_set(UPN)
  by ComplianceState, OS, OSVersion
| where noncompliant_count > 0
| extend Alert = strcat(noncompliant_count, " non-compliant devices detected — STIG compliance failure")
| project TimeGenerated = now(), Alert, noncompliant_count, devices, owners, OS, OSVersion


// ─── 2. Patch Compliance Status ───────────────────────────────────────────────
// Track patch deployment success rate within maintenance window
Update
| where TimeGenerated > ago(7d)
| where UpdateState == "Needed"
| where Classification in ("Security Updates", "Critical Updates")
| summarize
    needed_count = count(),
    oldest_needed = min(TimeGenerated),
    devices_needing_update = make_set(Computer)
  by Title, BulletinID, KBID
| extend days_outstanding = datetime_diff('day', now(), oldest_needed)
| where days_outstanding > 7  // Patches outstanding more than 7 days
| order by days_outstanding desc


// ─── 3. CAT I Finding Age Tracker ─────────────────────────────────────────────
// Custom table populated by STIG results processor (see Step 2)
STIGFindings_CL
| where FindingResult_s == "fail"
| where FindingSeverity_s == "high"  // CAT I
| where FindingStatus_s != "Remediated"
| extend days_open = datetime_diff('day', now(), OpenDate_t)
| where days_open > 30  // CAT I findings require 30-day remediation
| project
    Hostname_s, BenchmarkID_s, RuleID_s,
    days_open, OpenDate_t,
    ISSO_s, SystemName_s
| extend Alert = strcat("CAT I STIG finding overdue: ", RuleID_s, " on ", Hostname_s,
                         " — ", days_open, " days open (30-day limit)")
| order by days_open desc


// ─── 4. Compliance Score Trend ────────────────────────────────────────────────
STIGFindings_CL
| where TimeGenerated > ago(90d)
| summarize
    total = count(),
    compliant = countif(FindingResult_s == "pass"),
    cat_i_open = countif(FindingResult_s == "fail" and FindingSeverity_s == "high")
  by bin(TimeGenerated, 7d), SystemName_s
| extend compliance_pct = round(toreal(compliant) / total * 100, 1)
| project TimeGenerated, SystemName_s, compliance_pct, cat_i_open, total
| order by SystemName_s, TimeGenerated asc

Custom AI Components

STIG Remediation Guidance Generator

Type: Prompt Generates plain-language remediation instructions for STIG findings tailored to the specific system and environment — going beyond the generic fix text in the STIG itself.

Implementation:

STIG Remediation Guidance Generator

SYSTEM PROMPT: You are a DISA STIG remediation specialist. Generate specific, step-by-step remediation instructions for the following STIG finding, tailored to the specific operating environment. FINDING: Rule ID: {rule_id} Category: {category} (CAT I = Critical, CAT II = High, CAT III = Medium) STIG Benchmark: {benchmark} Finding Description: {description} STIG Fix Text: {fix_text} ENVIRONMENT CONTEXT: Operating System: {os_version} Domain Joined: {domain_joined} Management Tool: {management_tool} (Intune / MECM / GPO / Manual) Cloud Connected: {cloud_connected} Generate: 1. PLAIN LANGUAGE DESCRIPTION What is the vulnerability and why does it matter? 2. REMEDIATION STEPS Specific, numbered steps to remediate — tailored to the management tool specified. Include exact registry paths, group policy settings, or PowerShell commands. 3. VERIFICATION STEPS How to verify the fix was applied successfully (SCC re-scan, manual check) 4. RISK IF NOT REMEDIATED Specific risk to the organization's CMMC compliance and security posture 5. ESTIMATED ADMIN EFFORT Hours to implement for one system / for 100 systems (via automation) 6. AUTOMATION POTENTIAL Can this finding be remediated at scale via GPO / Intune policy / PowerShell DSC? (Yes/No — how) [DRAFT — VERIFY AGAINST CURRENT STIG VERSION BEFORE APPLYING IN PRODUCTION]
Sonnet 4.6

Testing & Validation

  • SCC scan accuracy test: Run SCC against a known-configuration test system and manually verify 10 random findings against the STIG requirements. Scan results must correctly identify known compliant and non-compliant settings. Any discrepancy between manual STIG review and SCC output must be investigated before relying on automated scans for compliance evidence.
  • XCCDF parser accuracy test: Parse a known SCC results file and compare the output (finding counts by category, compliance score) against the HTML report generated by SCC for the same scan. Summary statistics must match exactly.
  • POA&M entry generation test: Generate POA&M entries from a test scan with 10 known findings. Verify all CAT I findings have 30-day remediation dates, all CAT II have 90-day dates, and all required POA&M fields are populated. Have the ISSO review for eMASS import readiness.
  • Patch deployment test: Deploy a test Windows update to 5 test endpoints via Intune during a simulated maintenance window. Verify: (a) patch deploys only during the authorized maintenance window, (b) all 5 endpoints report compliant status in Intune within 24 hours, (c) Sentinel receives the compliance state update.
  • Non-compliant device alert test: Manually force a test endpoint into non-compliant state (disable Windows Firewall). Verify the Sentinel KQL alert fires within 1 hour and sends notification to the ISSO via Teams and email.
  • CAT I overdue alert test: Insert a test STIGFindings_CL record with a CAT I finding dated 35 days ago. Verify the Sentinel overdue alert fires and includes the correct device name, rule ID, and days-open count.
  • STIG report narrative quality test: Generate a compliance report narrative from a sample scan result set and have the ISSO evaluate it against DISA standards. The report must correctly characterize the compliance posture, prioritize CAT I findings, and reference the correct CMMC practices.
  • Maintenance window enforcement test: Attempt to trigger a patch deployment outside the authorized maintenance window. Verify the Intune policy blocks the deployment and the attempt is logged in Sentinel.
  • Central results repository test: Complete a scan on a test endpoint and verify the results file is uploaded to the Azure Files central repository within 30 minutes of scan completion, with the correct folder structure (hostname/date).

Client Handoff

Handoff Meeting Agenda (90 minutes — ISSO + ISSM + System Administrators + IT Lead)

1
STIG baseline and scan infrastructure review (20 min): Walk through the STIGs deployed for each system category | Demonstrate a live SCC scan on a test system | Review the central results repository structure
2
Compliance dashboard demonstration (20 min): Walk through the Sentinel STIG compliance workbook | Show the non-compliant device alert and CAT I overdue alert | Demonstrate the compliance score trend visualization
3
Patch deployment workflow review (15 min): Walk through the Intune update ring configuration | Confirm the authorized maintenance window is correctly configured | Demonstrate the patch compliance reporting in Intune and Sentinel
4
POA&M and eMASS workflow (15 min): Show how STIG findings export to POA&M format | Review the POA&M entry quality and eMASS import process | Confirm ISSM approval is required before eMASS submission
5
CMMC evidence package (20 min): Walk through the CMMC evidence that this system generates | Identify how compliance reports support CM.L2-3.4.1, CM.L2-3.4.2, and SI practices | Review the evidence retention schedule
6
Documentation handoff: STIG applicability matrix (which STIGs for which system types) | SCC scan schedule and configuration | Azure Automation runbook documentation | Intune update ring and compliance policy export | Sentinel workbook and analytics rule documentation | POA&M template and eMASS import guide | STIG remediation guidance prompt library

Maintenance

Daily Tasks (Automated)

  • Sentinel alerts run continuously — CAT I overdue and non-compliant device alerts fire automatically
  • Intune compliance state refreshes daily

Weekly Tasks

  • ISSO reviews Sentinel compliance dashboard — note any new findings or trend changes
  • Review patch deployment success rate — investigate any failed deployments

Monthly Tasks

  • Run full SCC scan on all in-scope endpoints (automated via Azure Automation)
  • Generate monthly STIG compliance report narrative for ISSM review
  • Update POA&M in eMASS with current finding status
  • Azure Automation and Sentinel cost review

Quarterly Tasks

  • Download and apply updated STIG benchmarks from public.cyber.mil — DISA releases updated STIGs quarterly
  • Update SCC SCAP content on all endpoints to match new benchmark versions
  • Review and update Intune compliance policies against new STIG requirements
  • CMMC evidence package review — ensure all required evidence is current for upcoming assessment

Annual Tasks

  • Full STIG applicability matrix review — confirm new software or system components have applicable STIGs identified
  • ISSM annual review and sign-off on overall STIG compliance posture
  • CMMC assessment preparation — compile complete STIG scan evidence (12 months of scan results, POA&M history, remediation documentation)

Alternatives

Telos xacta.io (RMF/CMMC Compliance Automation)

Telos xacta provides automated RMF compliance management including STIG integration, POA&M management, and eMASS integration. FedRAMP authorized. Best for: Large defense contractors or agencies needing full RMF lifecycle management beyond STIG scanning. Tradeoffs: $50,000–$200,000+/year enterprise pricing; overkill for STIG scanning alone; best value when combined with full RMF ATO management.

Tenable.io Government + Tenable SCAP (Cloud Compliance Management)

Tenable.io Government (FedRAMP Moderate) provides STIG compliance scanning via Nessus SCAP audit files, combined with CVE vulnerability management in a single cloud platform. Best for: Organizations preferring a cloud-based vulnerability + compliance platform. Tradeoffs: FedRAMP Moderate (not High); SCAP audit files not identical to SCC output — verify DISA acceptance for the specific program's RMF requirement.

Anchore (Container STIG Compliance)

For organizations deploying containerized applications (DoD Platform One, Iron Bank containers), Anchore provides automated STIG compliance scanning for container images against DISA Container Platform SRG/STIG requirements. Complements the endpoint STIG scanning described in this guide. Best for: DevSecOps programs using containers. Not a replacement for endpoint STIG scanning.

Want early access to the full toolkit?

All Government & Defense solutions