Sys Maintenance: Exceptions to STIG Compliance

Document created by RSA Information Design and Development Employee on Jun 26, 2017. Last modified by RSA Information Design and Development Employee on Nov 16, 2018.
Version 4

This topic contains:

  • Rule exceptions, with the reason for their non-compliance and a workaround where one exists.
  • Rule exceptions that are "Not a Finding", meaning they do not apply to Security Analytics. RSA has verified that the system meets these requirements.
  • Rules to be supported in a future release.

Key to Elements in Exception Descriptions

CCE Number

The Common Configuration Enumeration (CCE) assigns unique entries (also called CCE numbers) to configuration guidance statements and configuration controls. This improves workflow by allowing fast and accurate correlation of configuration issues present in disparate domains. In this way it is similar to other comparable data standards, such as the Common Vulnerabilities and Exposures (CVE®) List, which assigns identifiers to publicly known system vulnerabilities. The OpenSCAP report lists exceptions by CCE number.

Category

Category I: Findings that allow primary security protections to be bypassed, allowing immediate access by unauthorized personnel or unauthorized assumption of super-user privileges. Category I weaknesses must be corrected before an Authorization to Operate (ATO) is granted.
Category II: Findings that have the potential to lead to unauthorized system access or activity. Category II findings can usually be mitigated and will not prevent an Authorization to Operate from being granted.
Category III: Recommendations that will improve IA posture but are not required for an Authorization to Operate.

Vulnerability ID

Vulnerability identification code assigned to the exception by the Unified Compliance Framework STIG Viewer.

STIG ID

Security Technical Implementation Guide (STIG) identification code.

Rule ID

Rule identification code.

NIST SP 800-53

National Institute of Standards and Technology (NIST) Special Publication 800-53 control list, as provided by the Red Hat STIG Viewer.

CCI

DISA Control Correlation Identifier.


Describes what the rule checks to identify exceptions to DISA STIG compliance.


Provides insight into why you would receive this exception. This section includes one of the following comments describing the exception:

  • Not a Finding - The exception does not apply to Security Analytics. RSA has verified that the system meets this requirement.
  • Customer Responsibility - You are responsible for making sure the system meets this requirement.
  • Required Functionality - Security Analytics does not meet this requirement.
  • Future Feature - Security Analytics does not meet this requirement. RSA plans to fix this in a future release of Security Analytics.
  • Mitigation Steps Required - Lists steps you can take to mitigate the exception.
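The elements above (severity category, CCE number, Rule ID, NIST SP 800-53 references and the exception comment) are all present in an OpenSCAP XCCDF result file, so they can be pulled out programmatically and matched against an exception key when you triage a scan. The following script is an added example written for this topic; it is not RSA's tooling and not part of the original document. It parses a constructed, minimal XCCDF 1.2 document embedded inline (the rule IDs, CCE numbers and exception comments in it are made up), and it assumes the usual DISA mapping of XCCDF severity high/medium/low to Category I/II/III.

```python
"""Annotate failed OpenSCAP (XCCDF) rule results with the exception key used in
this topic: severity category, CCE number, NIST SP 800-53 references and the
exception comment type.  Added example for this page, not RSA's own tooling."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Assumed mapping from XCCDF rule severity to DISA severity category.
SEVERITY_TO_CATEGORY = {"high": "Category I", "medium": "Category II", "low": "Category III"}

# The five comment types defined in the key above.
COMMENT_TYPES = ("Not a Finding", "Customer Responsibility", "Required Functionality",
                 "Future Feature", "Mitigation Steps Required")

# Constructed exception key indexed by CCE number.  These CCE numbers and
# comments are made up for the example and are not RSA's published list.
KNOWN_EXCEPTIONS = {
    "CCE-00000-0": ("Not a Finding", "Verified that the system meets this requirement."),
    "CCE-00000-2": ("Mitigation Steps Required", "Apply the documented workaround."),
}

# Constructed minimal XCCDF benchmark with an embedded TestResult; not a real scan.
SAMPLE_XCCDF = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_sample">
  <Group id="xccdf_example_group_sample">
    <Rule id="xccdf_example_rule_sample_a" severity="low">
      <title>Sample rule A</title>
      <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-00000-0</ident>
      <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6 b</reference>
    </Rule>
    <Rule id="xccdf_example_rule_sample_b" severity="medium">
      <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-00000-1</ident>
    </Rule>
    <Rule id="xccdf_example_rule_sample_c" severity="high">
      <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-00000-2</ident>
      <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</reference>
    </Rule>
    <Rule id="xccdf_example_rule_sample_d" severity="medium">
      <title>Sample rule D (no CCE assigned)</title>
    </Rule>
  </Group>
  <TestResult id="xccdf_example_testresult_sample">
    <rule-result idref="xccdf_example_rule_sample_a"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_sample_b"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_sample_c"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_sample_d"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>
"""


def index_rules(root):
    """Map rule id -> {severity, cce, nist} for every <Rule>, nested in Groups or not."""
    rules = {}
    for rule in root.findall(".//x:Rule", NS):
        cce = next((i.text.strip() for i in rule.findall("x:ident", NS)
                    if i.text and i.text.strip().startswith("CCE-")), None)
        nist = [r.text.strip() for r in rule.findall("x:reference", NS) if r.text]
        rules[rule.get("id")] = {"severity": rule.get("severity", "unknown"),
                                 "cce": cce, "nist": nist}
    return rules


def failed_rules(xccdf_xml, exceptions=KNOWN_EXCEPTIONS):
    """Return one record per failed rule-result, annotated from the exception key."""
    root = ET.fromstring(xccdf_xml)
    rules = index_rules(root)
    findings = []
    for result in root.findall(".//x:TestResult/x:rule-result", NS):
        if result.findtext("x:result", default="", namespaces=NS).strip() != "fail":
            continue  # only failures become exceptions in the report
        rule_id = result.get("idref")
        meta = rules.get(rule_id, {"severity": "unknown", "cce": None, "nist": []})
        comment, note = exceptions.get(meta["cce"], (None, None))
        findings.append({
            "rule_id": rule_id,
            "cce": meta["cce"],
            "category": SEVERITY_TO_CATEGORY.get(meta["severity"], "Uncategorized"),
            "nist": meta["nist"],
            "comment": comment,  # one of COMMENT_TYPES, or None if not in the key
            "note": note,
        })
    return findings


def summarize(findings):
    """Count findings by category and comment, and flag those absent from the key."""
    return {
        "by_category": dict(Counter(f["category"] for f in findings)),
        "by_comment": dict(Counter(f["comment"] for f in findings if f["comment"])),
        "unreviewed": sum(1 for f in findings if f["comment"] is None),
    }


if __name__ == "__main__":
    for f in failed_rules(SAMPLE_XCCDF):
        print(f"{f['category']:<13} {f['cce'] or '(no CCE)':<12} {f['rule_id']}: "
              f"{f['comment'] or 'NOT IN EXCEPTION KEY'}")
    print(summarize(failed_rules(SAMPLE_XCCDF)))
```

Run it against a real `oscap xccdf eval --results` output by replacing `SAMPLE_XCCDF` with the file contents. Failed rules whose CCE is not in the key come back with `comment` set to `None`, which is the useful signal: those are the findings that still need a human decision (Not a Finding, Customer Responsibility, and so on) rather than ones already covered by this topic.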

Exception Descriptions

The following list contains the exceptions you can receive when you run the OpenSCAP report. The ID, or Common Configuration Enumeration (CCE) number, in the table is the identification number of the exception as it appears in the OpenSCAP report.

Category III

Rule ID

NIST 800-53

NIST SP 800-53 :: CM-6 b
NIST SP 800-53A :: CM-6.1 (iv)
NIST SP 800-53 Revision 4 :: CM-6 b