diff --git a/content/SCALE/SCALETutorials/SystemSettings/Advanced/_index.md b/content/SCALE/SCALETutorials/SystemSettings/Advanced/_index.md
index 9f068f83a4..aeb9dc9765 100644
--- a/content/SCALE/SCALETutorials/SystemSettings/Advanced/_index.md
+++ b/content/SCALE/SCALETutorials/SystemSettings/Advanced/_index.md
@@ -71,7 +71,7 @@ It also stores Samba4 metadata, such as the user and group cache and share-level
If the system has one pool, TrueNAS configures that pool as the system dataset pool.
If your system has more than one pool, you can set the system dataset pool using the **Select Pool** dropdown.
-Users can move the system dataset to an unencrypted pool or a key-encrypted pool.
+Users can move the system dataset to an unencrypted or key-encrypted pool.
![SystemDatasetPoolConfigScreen](/images/SCALE/SystemSettings/SystemStorageConfigScreen.png "TrueNAS Advanced Settings System Dataset Pool Screen")
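Review bot: the rewritten line "Users can move the system dataset to an unencrypted or key-encrypted pool." leaves the reader to infer that passphrase-encrypted pools are excluded; the AdvancedSettingsScreen.md hunk in this same diff adds the explicit sentence "You cannot move the system dataset to an encrypted pool with a passphrase set.", so consider carrying that sentence into the tutorial as well so both pages state the same restriction.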
@@ -102,6 +102,26 @@ Entering an IP address limits access to the system to only the address(es) enter
+## Setting Up FIPS and STIG
+{{< enterprise >}}
+Only Enterprise-licensed systems show the **Security** widget and have access to FIPS and STIG settings.
+{{< /enterprise >}}
+
+To configure FIPS or STIG compliance on a TrueNAS server, you must first configure two-factor authentication for an admin user with full permissions.
+
+After configuring two-factor authentication, go to **System > Advanced Settings** and locate the **Security** widget.
+
+Click **Settings** to open the **System Security** configuration screen.
+
+![SystemSecurityScreen](/images/SCALE/SystemSettings/SystemSecurityScreen.png "System Security Screen")
+
+Select the toggle to enable FIPS and STIG, then click **Save**. You must enable FIPS with STIG!
+The system prompts you to reboot.
+
+![SecurityFIPSSTIGRebootDialog](/images/SCALE/SystemSettings/SecurityFIPSSTIGRebootDialog.png "Reboot Require Dialog")
+
+The system reboot takes several minutes to complete before showing the login screen.
+
## Contents
{{< children depth="2" description="true" >}}
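Review bot: "You must enable FIPS with STIG!" on the toggle step does not say which way the dependency runs and reads as an exclamation rather than a requirement; state it plainly, e.g. "STIG compatibility mode requires FIPS: enable the **Enable FIPS** toggle together with the STIG toggle." The same step says "Select the toggle" although the screen has two toggles; use the toggle labels given in the UI reference hunk of this diff (**Enable FIPS** and **Enable General Purpose OS STIG compatibility mode**). The image title on the reboot dialog line reads "Reboot Require Dialog" and should be "Reboot Required Dialog". This new section also says nothing about HA systems, while the UI reference hunk describes the standby controller rebooting first followed by a prompt to fail over and reboot the primary; one sentence pointing HA administrators to that behaviour would avoid an unexpected failover.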
diff --git a/content/SCALE/SCALEUIReference/SystemSettings/AdvancedSettingsScreen.md b/content/SCALE/SCALEUIReference/SystemSettings/AdvancedSettingsScreen.md
index 0585c3e421..a1577161eb 100644
--- a/content/SCALE/SCALEUIReference/SystemSettings/AdvancedSettingsScreen.md
+++ b/content/SCALE/SCALEUIReference/SystemSettings/AdvancedSettingsScreen.md
@@ -85,7 +85,7 @@ There are also options to configure a remote syslog server for recording system
| **Syslog Server** | Enter the remote syslog server DNS hostname or IP address. Add a colon and the port number to the hostname to use non-standard port numbers, like *mysyslogserver:1928*. Log entries are written to local logs and sent to the remote syslog server. |
| **Syslog Transport** | Enter the [transport protocol](https://tools.ietf.org/html/rfc8095) for the remote system log server connection. Selecting Transport Layer Security (TLS) displays the **Syslog TLS Certificate** and **Syslog TSL Certificate Authority** fields. This setting requires preconfiguring both the server system certificate and the certificate authority (CA). |
| **Syslog TLS Certificate** | Displays after selecting **TLS** in **Syslog Transport**. Select the [transport protocol](https://tools.ietf.org/html/rfc8095) for the remote system log server TLS certificate from the dropdown list. Select the default or add the certificate and CA for the server using the **Credentials > Certificates** screen **Certificates** widget. |
-| **Syslog TLS Certificate Authority** | Displays after selecting **TLS** in **Syslog Transport**. Select the TLS CA for the TLS server from the dropdown list. If not using the default, create the CA for the systlog server TLS certificate on the **Credentials > Certificates > Certificate Authorities** screen. |
+| **Syslog TLS Certificate Authority** | Displays after selecting **TLS** in **Syslog Transport**. Select the TLS CA for the TLS server from the dropdown list. If not using the default, create the CA for the syslog server TLS certificate on the **Credentials > Certificates > Certificate Authorities** screen. |
| **Include Audit Logs** | Select to enable audit logging. |
{{< /truetable >}}
{{< /expand >}}
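Review bot: the "systlog" typo is fixed, but the context row directly above the changed row still reads "**Syslog TSL Certificate Authority**" (should be "TLS"), and the **Syslog TLS Certificate** row tells the user to "Select the transport protocol ... for the remote system log server TLS certificate from the dropdown list", which is the **Syslog Transport** description pasted into the certificate cell. While this table is being edited, fix both so the field names match the UI and the certificate row describes choosing a certificate rather than a transport.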
@@ -210,7 +210,7 @@ Users can move the system dataset to an unencrypted pool, or an encrypted pool w
{{< trueimage src="/images/SCALE/SystemSettings/SystemStorageConfigScreen.png" alt="System Dataset Pool Config Screen" id="System Dataset Pool Config Screen" >}}
Users can move the system dataset to a key-encrypted pool, but cannot change the pool encryption type afterward.
-If the encrypted pool already has a passphrase set, you cannot move the system dataset to that pool.
+You cannot move the system dataset to an encrypted pool with a passphrase set.
## Replication Widget
The **Replication** widget displays the number of replication tasks that can execute simultaneously on the system. It allows users to adjust the maximum number of replication tasks the system can perform simultaneously.
@@ -224,13 +224,13 @@ Click **Configure** to open the **Replication** configuration screen.
Enter a number for the maximum number of simultaneous replication tasks you want to allow the system to process and click **Save**.
## Access Widget
-The **Access** widget displays a list of all active sessions, including the user who initiated the session and what time it started.
+The **Access** widget lists all active sessions, including the user who initiated them and when they started.
It also displays the **Session Timeout** setting for your current session.
-It allows administrators to manage other active sessions and to configure the session timeout for their account.
+It allows administrators to manage other active sessions and configure the session timeout.
{{< trueimage src="/images/SCALE/SystemSettings/AdvancedSystemSettingsAccessWidget.png" alt="Access Widget" id="Access Widget" >}}
-**Terminate Other Sessions** ends all sessions except for the one you are currently using.
+**Terminate Other Sessions** ends all sessions except the active session for the logged-in admin user.
You can also end individual sessions by clicking the logout icon next to that session if it is not the admin user session.
You must check a confirmation box before the system allows you to end sessions.
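Review bot: the new wording "ends all sessions except the active session for the logged-in admin user" does not match the include file changed in this same diff, which describes the same button as ending "all sessions except the current session"; pick one phrasing for both files. "Your current session" is the unambiguous one, since the context line that follows ("if it is not the admin user session") otherwise suggests only a single admin session can exist, while the widget is described as listing all active sessions.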
@@ -241,7 +241,7 @@ It cannot be used to terminate your current session.
TrueNAS logs out user sessions that are inactive for longer than the configured token setting.
New activity resets the token counter.
-If the configured session timeout is exceeded, TrueNAS displays a **Logout** dialog with the exceeded ticket lifetime value and the time that the session is scheduled to terminate.
+If the configured session timeout is exceeded, TrueNAS displays a **Logout** dialog with the exceeded ticket lifetime value and the time the session is scheduled to terminate.
{{< expand "Logout Dialog" "v" >}}
{{< trueimage src="/images/SCALE/SystemSettings/TimeoutDialog.png" alt="Logout Dialog" id="Logout Dialog" >}}
@@ -250,12 +250,12 @@ If the configured session timeout is exceeded, TrueNAS displays a **Logout** dia
If the button is not clicked, the TrueNAS terminates the session automatically and returns to the login screen.
{{< /expand >}}
- **Configure** opens the **Token Settings** screen.
+ **Configure** opens the **Access Settings** screen.
-### Token Settings Screen
-The **Token Settings** screen allows users to configure the **Session Timeout** for the current account.
+### Access Settings Screen
+The **Access Settings** screen allows users to configure the **Session Timeout** for the current account.
-{{< trueimage src="/images/SCALE/SystemSettings/TokenSettingsScreen.png" alt="Token Settings Screen" id="Token Settings Screen" >}}
+{{< trueimage src="/images/SCALE/SystemSettings/AccessSettingsScreen.png" alt="Access Settings Screen" id="Access Settings Screen" >}}
Select a value that fits your needs and security requirements.
Enter the value in seconds.
@@ -266,6 +266,11 @@ The default lifetime setting is 300 seconds or five minutes.
The maximum is 2147482 seconds, or 24 days, 20 hours, 31 minutes, and 22 seconds.
{{< /hint >}}
+The **Login Banner** field allows specifying a text message the system shows before the TrueNAS login splash screen displays.
+**Continue** on the banner screen closes the screen, then shows the login splash screen.
+The maximum length of the banner text is 4096 characters including spaces. Long text wraps and banner text can use carriage returns to break up long messages to improve readability.
+Leave **Login Banner** empty to show just the login screen without interruption by a banner screen.
+
## Allowed IP Addresses Widget
The **Allowed IP Addresses** widget displays IP addresses and networks added to the system that are allowed to use the API and UI. If this list is empty, then all IP addresses are allowed to use API and UI.
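Review bot: the added Login Banner paragraph sits directly after the Session Timeout hint under the **Access Settings Screen** heading with nothing marking it as a separate field; a short lead-in sentence or a sub-heading in the page's existing style would make the screen's two settings distinct. The first sentence, "allows specifying a text message the system shows before the TrueNAS login splash screen displays", is hard to parse; "sets a text message that TrueNAS shows before the login screen" says the same thing. Also consider stating where the 4096-character limit is enforced (the field itself or on **Save**) if that is known, since that is the detail an administrator pasting a long policy banner will hit.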
@@ -276,7 +281,7 @@ The **Allowed IP Addresses** widget displays IP addresses and networks added to
{{< hint type="warning" >}}
Entering an IP address to the allowed IP address list denies access to the UI or API for all other IP addresses not listed.
-Use only if you want to limit system access to a single or limited number of IP addresses. Leave the list blank to allow all IP addresses.
+Use only if limiting system access to a single or limited number of IP addresses. Leave the list blank to allow all IP addresses.
{{< /hint >}}
Click **Add** next to **Allowed IP Addresses** to add an entry to the allowed IP Addresses list.
@@ -356,14 +361,19 @@ The **Global Two Factor Authentication** widget allows you to set up two-factor
## System Security Widget
{{< enterprise >}}
-The **System Security** widget allows administrators of Enterprise-licensed systems to enable or disable FIPS 140-2 compliant algorithms.
-This requires a system reboot to apply the settings.
-High Availability (HA) systems reboot the standby controller and then prompt to failover and reboot the primary controller.
+The **System Security** widget allows administrators of Enterprise-licensed systems to enable or disable FIPS 140-2 compliant algorithms, and general-purpose OS STIG compliance.
+Changing FIPS or STIG settings requires a system reboot to apply setting changes.
+
+High Availability (HA) systems reboot the standby controller and then show a prompt to failover and reboot the primary controller.
-{{< trueimage src="/images/SCALE/SystemSettings/AdvancedSystemSecurityWidget.png" alt="System Security Widget" id="System Security Widget" >}}
+{{< trueimage src="/images/SCALE/SystemSettings/SystemAdvancedSecurityWidget.png" alt="System Security Widget" id="System Security Widget" >}}
**Settings** opens the **System Security** configuration screen.
-Click the **Enable FIPS** toggle to enable or disable enforcement, then click **Save**.
+{{< trueimage src="/images/SCALE/SystemSettings/SystemSecurityScreen.png" alt="System Security Screen" id="System Security Screen" >}}
+
+The **Enable FIPS** toggle enables or disables enforcement.
+The **Enable General Purpose OS STIG compatibility mode** toggle enables or disables the STIG compliance implementation. Requires two-factor authentication for an admin user with full permissions before enabling STIG compatibility.
+**Save**.
The system prompts to reboot (or failover for HA systems) to apply the settings.
{{< /enterprise >}}
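Review bot: "**Save**." on its own line is a fragment; the line it replaces read "then click **Save**", so restore the verb: "Click **Save**." The sentence "Requires two-factor authentication for an admin user with full permissions before enabling STIG compatibility." likewise has no subject; start it with "STIG compatibility mode requires ..." or fold it into the preceding sentence. The tutorial hunk in this diff states that FIPS must be enabled together with STIG, but this screen description does not mention that dependency at all; add it beside the STIG toggle so the reference and the tutorial agree. Finally, "enable or disable FIPS 140-2 compliant algorithms, and general-purpose OS STIG compliance" mixes an algorithm set and a compliance mode as objects of the same verb; "enable or disable FIPS 140-2 compliant algorithms and General Purpose OS STIG compatibility mode" uses the toggle label the same hunk introduces.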
diff --git a/static/images/SCALE/SystemSettings/AccessSettingsScreen.png b/static/images/SCALE/SystemSettings/AccessSettingsScreen.png
new file mode 100644
index 0000000000..0cd99fd537
Binary files /dev/null and b/static/images/SCALE/SystemSettings/AccessSettingsScreen.png differ
diff --git a/static/images/SCALE/SystemSettings/SecurityFIPSSTIGRebootDialog.png b/static/images/SCALE/SystemSettings/SecurityFIPSSTIGRebootDialog.png
new file mode 100644
index 0000000000..ae648bb075
Binary files /dev/null and b/static/images/SCALE/SystemSettings/SecurityFIPSSTIGRebootDialog.png differ
diff --git a/static/images/SCALE/SystemSettings/SystemAdvancedSecurityWidget.png b/static/images/SCALE/SystemSettings/SystemAdvancedSecurityWidget.png
new file mode 100644
index 0000000000..5a8209224e
Binary files /dev/null and b/static/images/SCALE/SystemSettings/SystemAdvancedSecurityWidget.png differ
diff --git a/static/images/SCALE/SystemSettings/SystemSecurityScreen.png b/static/images/SCALE/SystemSettings/SystemSecurityScreen.png
new file mode 100644
index 0000000000..ccd68e11d8
Binary files /dev/null and b/static/images/SCALE/SystemSettings/SystemSecurityScreen.png differ
diff --git a/static/images/SCALE/SystemSettings/TokenSettingsScreen.png b/static/images/SCALE/SystemSettings/TokenSettingsScreen.png
deleted file mode 100644
index 306550d6a5..0000000000
Binary files a/static/images/SCALE/SystemSettings/TokenSettingsScreen.png and /dev/null differ
diff --git a/static/includes/AccessSettingsWidget.md b/static/includes/AccessSettingsWidget.md
index 085a9a5ed5..b6c757f4e4 100644
--- a/static/includes/AccessSettingsWidget.md
+++ b/static/includes/AccessSettingsWidget.md
@@ -1,31 +1,32 @@


-The **Access** widget displays a list of all active sessions, including the user who initiated the session and what time it started, the **Session Timeout** setting for your current session, and the UI **Login Banner**.
+The **Access** widget displays a list of all active sessions including the current logged-in user and the time it started, the **Session Timeout** setting for your current session, and the UI **Login Banner**.
It allows administrators to manage other active sessions and to configure the session timeout for their account.
{{< trueimage src="/images/SCALE/SystemSettings/AdvancedSystemSettingsAccessWidget.png" alt="Access Widget" id="Access Widget" >}}
-The **Terminate Other Sessions** button ends all sessions except for the one you are currently using.
+The **Terminate Other Sessions** button ends all sessions except the current session.
You can also end individual sessions by clicking the logout button next to that session.
You must check a confirmation box before the system allows you to end sessions.
-The logout icon is inactive for the currently logged in administrator session and active for any other current sessions.
-It cannot be used to terminate the currently logged in active administrator session.
+The logout icon is inactive for the currently logged-in administrator session and active for any other current sessions.
+It cannot be used to terminate the currently logged-in active administrator session.
**Session Timeout** displays the configured token duration for the current session (default five minutes).
-TrueNAS logs out user sessions that are inactive for longer than that configured token setting for the user.
+TrueNAS logs out user sessions that are inactive for longer than the configured token setting for the user.
New activity resets the token counter.
-If the configured session timeout is exceeded, TrueNAS displays a **Logout** dialog with the exceeded ticket lifetime value and the time that the session is scheduled to terminate.
+If the configured session timeout is exceeded, TrueNAS displays a **Logout** dialog with the exceeded ticket lifetime value and the time the session is scheduled to terminate.
{{< trueimage src="/images/SCALE/SystemSettings/TimeoutDialog.png" alt="Logout Dialog" id="Logout Dialog" >}}
Click **Extend Session** to reset the token counter.
-If the button is not clicked, the TrueNAS terminates the session automatically and returns to the log in screen.\
+If the button is not clicked, the TrueNAS terminates the session automatically and returns to the login screen.
-**Login Banner** displays the custom text that TrueNAS displays before the login screen, if configured.
+**Login Banner** displays the custom text that TrueNAS displays before the login screen.
+If configured, users see the login banner and must click **Continue** to show the TrueNAS login splash screen.
-Click **Configure** to open the **Access Settings** screen and configure **Session Timeout** or **Login Banner**.
+To change settings, click **Configure** to open the **Access Settings** screen, where you can configure **Session Timeout** or **Login Banner**.
{{< trueimage src="/images/SCALE/SystemSettings/TokenSettingsScreen.png" alt="Token Settings Screen" id="Token Settings Screen" >}}
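Review bot: the unchanged context line closing this hunk still embeds /images/SCALE/SystemSettings/TokenSettingsScreen.png with alt and id "Token Settings Screen", yet this same diff deletes that file and adds AccessSettingsScreen.png; the include will render a broken image unless this line is updated to the new path and name, as the AdvancedSettingsScreen.md hunk already does. The rewritten first line, "including the current logged-in user and the time it started", also narrows the meaning: the original said the list shows the user who initiated each session and when it started, which applies to every listed session, not only the current one. Two smaller points: the typo-fix line keeps "the TrueNAS terminates the session" (drop "the"), and "except the current session" differs from "except the active session for the logged-in admin user" used for the same button in AdvancedSettingsScreen.md.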
@@ -33,7 +34,7 @@ Select a value that fits user needs and security requirements.
Enter the value in seconds.
{{< hint type=tip title="Session Timeout Requirements" >}}
-The default session timeout setting is 300 seconds, or five minutes.
+The default session timeout setting is 300 seconds or five minutes.
The minimum value allowed is 30 seconds and the maximum is 2147482 seconds, or 20 hours, 31 minutes, and 22 seconds.
{{< /hint >}}
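Review bot: the context line under the changed one gives the maximum as "2147482 seconds, or 20 hours, 31 minutes, and 22 seconds", which drops the days; 2147482 seconds is 24 days, 20 hours, 31 minutes and 22 seconds (24 days = 2073600 s, remainder 73882 s = 20 h + 31 min + 22 s), as the corresponding hint in AdvancedSettingsScreen.md in this same diff correctly states. Fix it while this hint is being edited so the two hints agree.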