To anyone that works in the DoD space... how can you take a .ckl file and add the new STIG requirements to that ckl file to be reviewed so that you can avoid having to review ALL of the STIG requirements every quarter?
You can't. Welcome to DOD internal written software.
You will need to generate the new checklist and copy/paste any findings/comments back over, keeping an eye open for changed items. Not too difficult if you are lucky enough to do this on a SCAP scan, but that's limited to something like 8 checklists total.
Now if someone was willing to pay me, I could build a new checklist manager that can compare an old+new checklist, create a "combined" checklist with proper formatting & a list of what's new, but it will take about 6 months. I would also need to work it on personal time, so... yeah, never gonna happen.
Yep. They did fix that "little" issue finally. I saw the release on Friday, but hadn't pulled it down yet. We aren't due for a full STIG review until next month, so wasn't in a rush.
Now if I can just figure out how to work with the XCCDF files directly in my own apps, I'll be set. I really want to automate the IIS 8.5 STIG for our web servers. It's a real pain hand-checking every setting.
Be aware that the latest STIG viewers use the new vulnerability IDs and internal format structure, so old CKL files may not import in the new version correctly. You may need to dig up an older version of the viewer depending on how old the CKL file is.