eMASS Test Results not mapping STIG IDs to all associated CCIs #37

Closed
TheCleverEpithet opened this issue Jul 23, 2019 · 0 comments
Labels: bug (Something isn't working)


If I import the MS_Windows_2008_MS_STIG_V6R42 STIG into Qter, import a completed STIG Checklist file created using the same version of the same STIG in Qter, and generate the TRExport/eMASS report and the DFR, I think I am seeing a discrepancy.

Specifically, I looked for V-1077 / SV-29201r2_rule. This STIG does appear in the DFR and does appear on one line in the eMASS Test Results reports.

The issue is that this STIG ID is mapped to three CCIs. The following is from the STIG Checklist in STIG viewer:

"CCI-000162: The information system protects audit information from unauthorized access.
CCI-000163: The information system protects audit information from unauthorized modification.
CCI-000164: The information system protects audit information from unauthorized deletion."

The problem (especially with the eMASS Test Results report) is that there are no test results generated for CCI-000162 or CCI-000163. There is a test result for CCI-000164 associated with this STIG check, but that is all.

The eMASS test results should contain a test result record per STIG for each CCI mapped to that STIG. In this case there should have been a compliant test result for all three of these mapped CCIs stating that the system passed STIG check SV-29201r2_rule and is therefore compliant with this CCI.

The "old" DFR would do this pretty consistently. We need the eMASS test results export from STIG Qter to generate a test result for every mapped CCI per STIG check done (compliant and non-compliant).
