
Is partial compliance still "compliant"?

Çağlar Arlı

I recently started working at an IT vendor, and we are STIG compliant.

Just last week a customer requested proof of compliance, and my company sent them an Excel sheet of RHEL STIG V1R2 with ~300 vulnerability IDs, as well as a note of which IDs we were not compliant with. Some of the non-compliant entries were vulnerabilities with "Severity" high.

The customers took it, and my company had no trouble sending it out. But it has left me very confused. Why can we say that we are "compliant" when 76 of 300+ entries are non-compliant?

I have read a bit about the compliance process online, and the books I saw typically stated that compliance had to be (a) third-party accredited (i.e. some other reputable organization certifies you) or (b) VA or configuration checks by the customer's ITSEC department.

As such, could I ask:

  1. What is my company's stance with regard to STIG compliance? Is there a "partial compliance"?
  2. Are there any potential issues that may arise from this that I should be prepared for?