
Intent Form and Questionnaire

Analysis of the DISA Vendor STIG Intent Form and STIG Applicability Questionnaire, with mapping to Vulcan's data model.

Vendor STIG Intent Form

Purpose

The Intent Form is the first step in the DISA STIG process. It formally notifies DISA that a vendor wants to create a STIG for their product.

  • Submitted to: disa.stig_spt@mail.mil
  • Who fills it out: An engineer knowledgeable about the product and cybersecurity
  • When: Before any other STIG development activity
  • Outcome: DISA reviews internally and notifies vendor whether to proceed

Source: U_Vendor_STIG_Intent_Form.pdf

Form Fields

Part I — Vendor Contact Information

| Field | Type | Maps to Vulcan |
|---|---|---|
| Vendor Name (Requestor) | Text | Project metadata |
| Date | Date | Project metadata |
| Vendor POC Name | Text | Project admin_name |
| POC Phone | Text | Project metadata |
| POC Email | Text | Project admin_email |

Part II — Product Information

| Field | Type | Maps to Vulcan |
|---|---|---|
| Product Name | Text | Project name |
| Product Vendor | Text | Project metadata |
| Product Version | Text | Component version |
| Previously Worked With APL | Yes/No | Project metadata |
| Product/Security Guide URL | URL | Project metadata |
| Brief Product Description | Textarea | Project description |

Part III — Components of the Product

This section directly maps to Vulcan's multi-Component model:

| Field | Type | Vulcan Mapping |
|---|---|---|
| Operating System | Text | Component (GPOS SRG) |
| Virtual Software | Text | Component (Virtual SRG) |
| Web Server | Text | Component (Web Server SRG) |
| Cloud Service | Text | Component (Cloud SRG) |
| Database | Text | Component (Database SRG) |

Each populated technology layer implies a separate Component in Vulcan, each based on a different SRG.

Part IV — Sponsor Information

| Field | Type | Maps to Vulcan |
|---|---|---|
| DoD Sponsor | Text | Project metadata |
| Suborganization | Text | Project metadata |
| Sponsor POC Name | Text | Project metadata |
| Sponsor POC Phone | Text | Project metadata |
| Sponsor POC Email | Text | Project metadata |

Part V — Additional Information

| Field | Type | Maps to Vulcan |
|---|---|---|
| How is the system used? (SaaS, PaaS, client/server, etc.) | Textarea | Project metadata |
| Other DoD organizations using product | Textarea | Project metadata |
| Total licenses/copies/devices in DoD | Number | Project metadata |
| Amount type (Actual/Estimate) | Checkbox | Project metadata |

STIG Applicability Questionnaire

Purpose

The Questionnaire determines which SRGs, STIGs, checklists, and SCAP benchmarks apply to a product. It contains roughly 50 or more technology-category checkboxes spread across 8 sections.

  • Filled out by: An engineer "fully knowledgeable of the system to be tested"
  • When: After DISA approves the Intent Form
  • Outcome: DISA determines the complete set of applicable SRGs

Source: STIG_Questionnaire-Released-Nov-2017.pdf (V4.3), available from the DISA Vendor Process page (requires CAC)

Sections

| Section | Content | Example Checkboxes |
|---|---|---|
| 1. Introduction | Product identification, device list | Product name, model, version, APL status |
| 2. General Type/Function | UC category, device type, management, encryption | Voice/Video/Data, Firewall, VPN, FIPS 140-2, PKI, CAC |
| 3. Network | Backbone, routers, switches, wireless | Cisco, Juniper, Router SRG, Firewall SRG |
| 4. Operating System | OS family and version | Windows, Mac OS, Red Hat, GPOS SRG |
| 5. Software/Applications | Web servers, browsers, databases, app servers | Apache, IIS, Oracle, PostgreSQL, Database SRG |
| 6. Mobile Devices | Mobile OS and MDM | Android, iOS, Samsung, MDM SRG |
| 7. Other Features | Virtualization, exchange, IDS/IPS, VPN | ESXi, vCenter, Palo Alto, NAC |
| 8. Protocols | File transfer, encryption, SIP, directory | FTP, TLS, SSH, LDAP, SNMP |

SRG Determination Logic

The checkbox selections map to specific SRGs:

| If vendor checks... | Then applicable SRG is... |
|---|---|
| Any OS not specifically listed | General Purpose OS SRG (GPOS) |
| Any database not specifically listed | Database SRG |
| Web server (any) | Web Server SRG |
| Separate management application | Application Security and Development STIG |
| Management built into device OS | Network Device Management SRG |
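The two derivations this page describes, one Component per populated Part III layer and the Questionnaire's SRG determination rules, written out as an added Ruby example (not Vulcan's own code). The "specifically listed" OS and database sets are constructed from this page's example checkboxes only; the real questionnaire lists many more, and the page does not say which STIG a listed product maps to, so listed products yield nothing from these rules.

```ruby
# Added example, not Vulcan's code: derive Vulcan Components and applicable
# SRGs from Intent Form Part III and Questionnaire selections.

# Intent Form Part III: each populated technology layer implies one Component.
PART_III_SRGS = {
  operating_system: 'GPOS SRG',
  virtual_software: 'Virtual SRG',
  web_server:       'Web Server SRG',
  cloud_service:    'Cloud SRG',
  database:         'Database SRG'
}.freeze

# Products the Questionnaire names explicitly (constructed from this page's
# example checkboxes; the real questionnaire lists far more).
LISTED_OS  = ['Windows', 'Mac OS', 'Red Hat'].freeze
LISTED_DBS = ['Oracle', 'PostgreSQL'].freeze

# Part III -> one { name:, srg: } Component per non-empty layer, in form order.
def components_from_intent_form(part_iii)
  part_iii.each_with_object([]) do |(layer, product), comps|
    next if product.nil? || product.strip.empty?
    comps << { name: product.strip, srg: PART_III_SRGS.fetch(layer) }
  end
end

# Questionnaire -> SRGs assigned by the determination rules on this page.
# A specifically listed OS or database has its own STIG (not mapped here).
def srgs_from_questionnaire(q)
  srgs = []
  q.fetch(:operating_systems, []).each { |os| srgs << 'GPOS SRG' unless LISTED_OS.include?(os) }
  q.fetch(:databases, []).each { |db| srgs << 'Database SRG' unless LISTED_DBS.include?(db) }
  srgs << 'Web Server SRG' if q[:web_server]
  case q[:management]
  when :separate_application then srgs << 'Application Security and Development STIG'
  when :built_into_device_os then srgs << 'Network Device Management SRG'
  end
  srgs.uniq
end

# Union of both sources: the complete, deduplicated set of SRGs (sorted).
def applicable_srgs(part_iii, questionnaire)
  (components_from_intent_form(part_iii).map { |c| c[:srg] } +
   srgs_from_questionnaire(questionnaire)).uniq.sort
end

# Constructed sample: a product with its own OS, web server and database,
# managed through a separate application.
SAMPLE_PART_III = { operating_system: 'AcmeOS 4', virtual_software: '',
                    web_server: 'Acme HTTPd', cloud_service: nil, database: 'AcmeDB' }.freeze
SAMPLE_QUESTIONNAIRE = { operating_systems: ['AcmeOS 4'], databases: ['AcmeDB'],
                         web_server: true, management: :separate_application }.freeze
```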

Part of the MITRE Security Automation Framework (SAF)