speak to DISA STIGs

[afeld]

...and how they relate to controls.

https://public.cyber.mil/stigs/

[afeld]

Should probably also mention the CIS Benchmarks. Is there a generic term for these?

[brasky]

The generic term for these would probably be configuration baselines or just baselines. The guidance provided by USGCB/STIGs/CIS Benchmarks is what you use to determine your baseline configuration settings.

Different baselines might be prescribed based on the scenario. For FedRAMP in CM-6(a) it prescribes using USGCB if available, then CIS benchmarks. STIGs come into play when you add the DISA SRG

The SRG has a well written overview on page 5 section 1.4.

The thing I do not know and would be curious to learn where the requirement is for agencies and subcontractors. I'm guessing it's in 800-171 3.4.1 where it says to follow NIST 800-128 which says:

Identification of common secure configurations (e.g., FDCC/USGCB, DISA STIGs,
National Checklist Program, etc.) to be used as a basis for establishing approved baseline
configurations for the information system;

But I'd love some correction if I'm totally off base.

[afeld]

Thanks for all of that!

configuration baselines or just baselines

Yeah, the former is better, as there are also control baselines, which are a different thing.