by fname 4021 days ago
> but DISA can't enforce STIGs across the entire government can they?

No, with a small caveat: If that civilian agency (say DHS) is connected to the GIG[1], then DISA has a say-so and can threaten to disconnect them for failing security audits.

Something to keep in mind is that the STIGs are merely implementation guides to secure a system. Therefore, different agencies have different interpretations. In some cases specific secure implementations break systems and applications (mostly legacy ones), so they avoid securing those particular settings altogether.

1: https://en.wikipedia.org/wiki/Global_Information_Grid