Authority standards

Security Configuration Management
Defense Information System Agency Security Technical Implementation Guidelines

The Defense Information Systems Agency (DISA) releases the Security Technical Implementation Guidelines (STIG). STIG provides recommendations for secure installation, configuration, and maintenance of software, hardware, and information systems. STIG is one of the basis of configuration standards that the US Department of Defense uses. For more information about DISA and STIG, see

Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) is a baseline of technical and organizational requirements that are related to the Payment Card Industry. You must establish a secure payments environment throughout your organization to achieve PCI DSS compliance. SCM enforces security configurations for endpoints and servers in your organization, and can help your organization protect endpoints meet security compliance for PCI DSS. By complying with the PCI DSS standards you ensure that cardholder data and sensitive authentication data are secure and well protected from malicious users and attacks. The PCI DSS applies to all entities involved in payment card processing and requires continuous compliance with the security standards and best practices set by the PCI Security Standards Council. For more information about PCI DSS, see the PCI Security Standards Council website at

Center for Internet Security

The Center for Internet Security (CIS) guidelines recommends technical control rules and values that are applicable to network devices, operating systems, software applications, and middleware applications. CIS guidelines are consensus-based and are used by the US government and businesses in various industries. The CIS guidelines are distributed for free in PDF formats and are also available in Extensible Configuration Checklist Description Format (XCCDF) for CIS Security Benchmark members. XCCDF is an XML-based language that is used for benchmark assessment tools and custom scripts. For more information about CIS, see

United States Government Configuration Baseline

The United States Government Configuration Baseline (USGCB) provides guidance for security configuration of Information Technology products that are deployed by US government federal agencies. USGBC replaced the Federal Desktop Core Configuration (FDCC). For more information about USGCB, see