In my experience the security requirements are included in the overall implementation design document. I don't believe there is such a thing as a 'standard' STIG, as each customer tends to have different requirements. Also bear in mind each customer has different security standards, something which should have been captured during the SAS design phase.
As a starting point I would simply take the security requirements from the overall design doc and put them in a separate one, then ask the customer to review it and provide feedback.