NIST, STIG and every other standard tries to be a one size fits all cyber security guideline. Every product is different. The threat model for web hosting is different than an IoT refrigerator. The only way test if your security model works, is to expose it to expert hackers.
Cyber Proving Grounds by Null Tools provides the venue for security testing. Companies can bring their product to our facility where we invite hackers from around the globe to do their worst 24x7x365. If they succeed, and explain how they did it, they’ll get paid a bounty.
If the hackers get in, you can fix the problem before major damage is done in the real world. If they don’t get in, it will show how well you put together a solid engineering team.