by djKianoosh 4022 days ago
You obviously know what you're talking about, but DISA can't enforce STIGs across the entire government can they? Some say that's DHS's job, or some Office within DHS (or within an Agency under DHS).

> but DISA can't enforce STIGs across the entire government can they?

No, with a small caveat: If that civilian agency (say DHS) is connected to the GIG[1], then DISA has a say-so and can threaten to disconnect them for failing security audits.

Something to keep in mind is that the STIGs are merely implementation guides to secure a system. Therefore, different agencies have different interpretations. In some cases specific secure implementations break systems and applications (mostly legacy ones), so they avoid securing those particular settings altogether.

1: https://en.wikipedia.org/wiki/Global_Information_Grid