Man, those STIGs are both a blessing and a curse for defense contractors.

A blessing, 'cause if your system is configured as per the STIG, there's not a damn thing the auditors can say when they roll through.

A curse for many folks deploying a Linux system, 'cause if your particular variant of Linux doesn't have a STIG, -regardless of how similar it is to one that does- IME there's next to nothing you can do to get an auditor to approve the hardening work you've done.