Crunchy Bridge for Analytics now has support for Iceberg and other new features. Learn more in our Crunchy Bridge for Analytics announcement.

Crunchy Data PostgreSQL 16 Security Technical Implementation Guide Released by DISA

Doug Hunley

3 min read

Crunchy Data is pleased to announce the publication of the Crunchy Data PostgreSQL 16 Security Technical Implementation Guide (STIG) by the United States Defense Information Systems Agency (DISA). This update covers Postgres versions 13-16, for previous versions of Postgres see the prior Crunchy Data Postgres STIG. Crunchy Data has collaborated with DISA since 2017 on the PostgreSQL STIG and this new STIG reflects Crunchy Data's ongoing collaboration with DISA and commitment to provide enhanced security guidance for PostgreSQL as it continues to advance and evolve.

Data security continues to be at the forefront of the U.S. Department of Defense software and systems development. This DISA STIG complements other DoD initiatives like DevSecOps and container hardening and is a critical piece in a continuous authorization to operate. Security conscious customers anywhere can benefit from implementing the STIG controls in their Postgres environment.

The security functionality reflected within the Crunchy Data PostgreSQL STIG is provided by 100% open source Postgres, Postgres extensions, and documentation. The Crunchy Data PostgreSQL STIG provides security guidance regarding the use of PostgreSQL (versions 13-16) used in conjunction with certain open source PostgreSQL extensions – most notably, pgaudit.

In order to help PostgreSQL users benefit from the guidance provided in the Crunchy Data PostgreSQL STIG, let's provide some background information for getting started.

What is a DISA STIG?

The Security Technical Implementation Guide (STIG) is the configuration standards for United States Department of Defense (DoD) Information Assurance (IA) and IA-enabled devices/systems published by the United States Defense Information Systems Agency (DISA). Since 1998, DISA has played a critical role enhancing the security posture of DoD's security systems by providing the STIGs. The STIGs contain technical guidance to “lock down” information systems/software that might otherwise be vulnerable to a malicious computer attack.

Is the Crunchy Data PostgreSQL STIG US Government Specific?

The PostgreSQL STIG is from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 4 and related documents. While the DISA STIG is intended to provide technical guidance to “lock down” information systems and software used within the DoD, the guidance provided in it is not specific to the DoD and is generally helpful to those interested in securing their PostgreSQL deployments.

What does the Crunchy Data PostgreSQL STIG Cover?

The DISA STIG document outlines many security rules and discussion around how they impact vulnerability within the context of the PostgreSQL database. The document covers 35 different standards. PostgreSQL STIG provides guidance on the configuration of PostgreSQL to address requirements associated with:

  • Auditing
  • Logging
  • Data Encryption at Rest
  • Data Encryption Over the Wire
  • Access Controls
  • Administration
  • Authentication
  • Protecting against SQL Injection

How does the Crunchy Data PostgreSQL STIG work?

The PostgreSQL STIG provides a series of Requirements, Checks and Fixes where:

  • Requirements are provided as a series of security requirements for an operating environment.
  • Checks are provided as a series of instructions or commands for verifying compliance with the stated requirement.
  • Fixes are provided as remediation steps to the extent the Check determines that the system is not in fact in compliance with the stated Requirement.

Looking Ahead

Crunchy Data views the Crunchy Data PostgreSQL STIG as yet another validation of the comprehensive security functionality of PostgreSQL and the accomplishments of the PostgreSQL Global Development Community. The Crunchy Data PostgreSQL STIG demonstrates that open source PostgreSQL is capable of meeting the exacting security requirements of the DoD.

We are proud to be part of the team that developed this STIG for PostgreSQL and look forward to working with all of the organizations who have been anxiously waiting for the Crunchy Data PostgreSQL STIG to be approved for modern versions of this quality open source relational database.

Additional Resources

Download the Crunchy Data PostgreSQL Security Technical Implementation Guide

Avatar for Doug Hunley

Written by

Doug Hunley

June 25, 2024 More by this author