atomweight / rmfdb

Database of STIGs and controls from the Risk Management Framework (RMF)
https://rmfdb.com

CCI's not mapping to correct STIGs? #1

Open Shoegum opened 4 years ago

Shoegum commented 4 years ago

I just looked up CCI-001336 (training record retention) and the STIG Rules annotated at the bottom are just not right. portmap/rpcbind settings... these have nothing to do with training record retention.

I thought I should communicate that so you know! Thank you for creating this site btw, it has been super helpful!

adamstauffer commented 4 years ago

You are right, it doesn't seem like that CCI is mapped appropriately. I manually checked some of the STIGs that are linked, trying to make sure that there wasn't a parsing error. It looks like the CCI is mapped that way in the STIGs directly from DISA. I do want to keep the database consistent with the information from DISA. In the future, I'd like to show the mapping from DISA but also have our own recommendation or allow comments from other users sharing their rationale for mapping, perhaps with a voting system that will allow users to form a consensus on a mapping in the event that it differs from the STIG authors'.

For now, I would recommend sending an email to DISA to see if they can change this in future revisions of these STIGs. I will do the same.

Shoegum commented 4 years ago

I sent an email to DISA. Hopefully (if) when they fix this it'll carry over in your next round of update(s).

Real solid, man. I appreciate your work in this.

livinginMD commented 4 years ago

There is also an issue with DISA's source for SC-37.3 (missing but likely CCI-002523). I emailed them on it.