DISA Gold Disk and SRR - The Lost Security Tools

UPDATE: My FOIA request was denied, and these tools will remain lost forever.  Details here.

Today I sent an email to DISA requesting a public copy of the Gold Disk and SRR tools.

For those unfamiliar with the tools, they used to be available from http://iase.disa.mil/stigs/index.html

However, the tools are now PKI protected and no longer accessible to the public.

According the DISA's web site these tools are unlicensed...putting them in the public domain.  Here is a description of both tools directly from DISA's website:

Security Readiness Review (SRRs) Scripts test products for STIG compliance. SRR Scripts are available for some operating systems and databases that have STIGs. The SRR scripts are unlicensed tools developed by the FSO and the use of these tools on products is completely at the user's own risk.

The DISA FSO Windows Gold disk tool provides an automated mechanism for compliance reporting and remediation to the Windows STIGs. The FSO Windows Gold Disks are an unlicensed tool developed by the FSO, the use of this tool is completely at the user's own risk. Currently, the Gold Disk supports Windows XP, Windows Vista, Windows 2003, Windows 2008 R1. There are no plans to develop Gold Disks for future technologies or products, FSO will utilize the SCAP standards for compliance reporting for Windows 7.
Hopefully they will provide the tools without any issue.  If not, my next step will be a FOIA request.  It is my hope that should they provide the tools, that someone may continue working on them for private sector use.

In the meantime...SCAP versions of all STIGs (DISA security guides) are publicly available:


  1. Did you have any luck with your request?

  2. Not yet Michael. I've been busy with other things, but will probably end up having to submit a FOIA request.