I-Assure Forums
Assigning DIACAP Severity Codes and risk...
Posted 2/15/2010 9:36:02 PM
Good evening,

In my current position, I routinely see 'risk assessment' reports that consist of no more than DISA Gold Disk findings assigned to a DoDD 8500.2 IA control. I've been assured by the 'experts' who conducted an ST&E that the report does not contain false positives. When asked, "how do you know it doesn't contain false positives," I was promptly told "it doesn't!"

In my opinion, a report with nothing more than cut and paste from a DISA Gold report isn't all that useful and could contain false positives. Isn't some level of analysis needed to ensure what makes your final report is an actual finding?

My question: How in the heck can you assess a severity code I to an IA control based on DISA Gold/STIG/checklist findings that may or may not be true? Essentially, where is the analysis?

If I were a Cert Authority (CA), I wouldn't make a recommendation to my DAA based on data that hasn't been analyzed. It seems that some organizations rely solely on DISA Gold/SRR/Checklist, and if it's a STIG CAT I, by god, it's going to make the IA Control a CAT I. Grrrr ... very frustrating! I've seen several STIG PDIs that make reference to the wrong IA control.

Sorry to vent, but the IA business really sucks at times! 

Post #927