The DISA website for SQL is here:
I was working in a STIG compliant environment where EVERY server was required to be compliant.
Items labeled as Category I: DG0001, DG0067, DG0128, DG0129, DG0167, DM1758, DM6101
These must ALL be addressed IF they apply to your environment; for example, if you don't have SSAS running, then DM6101 is N/A. For DG0129, if you use all MS connectivity products, it is Not a Finding. For DG0167, unless you have sensitive data per the DoD description or the data from the database server to the app goes directly over the internet (not very often), this one is generally Not a Finding.
Items labeled as Category II may or may not be required; for the ones you decide not to tackle, write up a paragraph on why, or on how you are otherwise handling it. Some are basically just best practices but not important enough to put much effort into. Some are related to other Cat II items. There are 164 of them.
Items labeled as Category III are often ignored; read through them but don't stress over them. There are 20 of these.
There are a total of 191 items (I/II/III: 7/164/20).
Having a strong understanding of what the ACTUAL STIG item says and what it means is a great way to blunt auditors who only know what their company gave them. These are the real government-issued STIG compliance requirements, not some auditing company's distillation.
Also, keep in mind the main document is 240 pages long, and is an extremely painful read.