"Not to
mention no single SCAP benchmark can encompass all of the
minimum required controls from the different control families"
I'm
not so sure about this one. Or rather, I'm wondering if a
single SCAP benchmark can encompass the *maximum* required
controls from the different control families.
In
theory, a cross matrix of all regulations should provide a
system that meets all regulations (and is probably unusable,
but that's a different issue).
Do
we have actual conflicting guidance between regs?