[Verse 1]
When you think that STIGs can do it all
You're setting yourself up to fall
They're powerful tools but they have their place
Six limitations you need to face
One product at a time is all they see
No system view for you and me
Your enterprise has dozens more
But STIGs can't see from shore to shore
[Chorus]
STIGs don't do what you think they do
Six big gaps that will trouble you
No system view, no docs to make
No multi-maps, automation breaks
No continuous watch, no relationships too
STIGs don't do what you think they do
[Verse 2]
Need an SSP or assessment plan?
STIGs won't lend a helping hand
POA&Ms are not their game
Documentation's not their claim to fame
FedRAMP, CMMC, HIPAA too
SOC 2 and PCI coming through
STIGs map to NIST controls alone
Multi-framework mapping's not their zone
[Chorus]
STIGs don't do what you think they do
Six big gaps that will trouble you
No system view, no docs to make
No multi-maps, automation breaks
No continuous watch, no relationships too
STIGs don't do what you think they do
[Bridge]
Manual checks need human eyes
Interviews and doc reviews
Physical inspections, no surprise
SCAP can't automate all clues
Point-in-time is all you get
No ongoing posture view
Continuous monitoring? Not yet
That's not what STIGs do
[Verse 3]
Inherited controls from other systems
Shared responsibility arrangements
Authorization boundary conditions
STIGs don't model these engagements
Six limitations, now you know
Where STIGs excel and where they don't go
Powerful tools within their scope
But know their bounds to avoid false hope
[Chorus]
STIGs don't do what you think they do
Six big gaps that will trouble you
No system view, no docs to make
No multi-maps, automation breaks
No continuous watch, no relationships too
STIGs don't do what you think they do
[Outro]
STIGs are strong but they're not complete
Know their limits, avoid defeat
Six things missing from their design
Keep these gaps at the front of your mind