STIG Updates for DoDIN/JITC APL Products

My team performs Information Assurance (IA) services for a vendor whose products are on the DoDIN APL. When we review STIG configurations, we often identify dozens of findings which were not documented at the time of certification - so they are not included in the product's CAP package.

I believe this is partially due to the fact that the vendor is not keeping the product up to date by incorporating new STIG updates each quarter. In other words, the product …

assurance cap certification cybersecurity findings identify information package product products review services team updates vendor