Integrate the the SCAP Extensions. Make it easier to use, faster, and include dashboards\reports.
1. Make a GUI for running the SCAP extensions. Preferably integrate the SCAP extensions into SCCM so SCAPtoDCM.exe can be run from right clicking Compliance Settings
2. Reduce the amount of PowerShell code created in each Configuration Item (CI). A CI that checks for the existence of a registry key is very long. Additionally, some of the CI’s will either timeout or require an increase in the timeout time which could affect client performance.
3. CI’s created should not use the oval ID as its name as it cannot be correlated to practical information. In the case of DISA STIGS, the CI name should be the Vulnerability ID.
4. Each CI should contain the Vulnerability ID, STIG ID, Severity, and Title within it so that any report generated will provide meaningful data.
5. STIG Vulnerability ID’s that contain multiple definitions should have each definition place in it meaning a SCCM CI could have more than one script.
6. CI’s should have categories assigned to it
7. Scripts shouldn’t query Win32_UserAccount
8. There should be a dashboard and sub reports for SCAP baselines. The default reports make it difficult to use the data created by the SCAPtoDCM tool. Ideally, a reporting pane specifically for SCAP extensions, similar to the SCEP console reports.