Disjointed ancillary thought, is there an include function in the XCCDF?
I haven't been able to find one in the spec so far but it could be
useful for local waiver overrides while preserving the official content.
There's an obvious issue (as I type this) that any sort of standard
include statement would allow someone to completely override policy for
a scan while still mimicking the appropriate results. Having a
reporting tool that can do diffs of the results and the policy settings
could catch that, but that may not be sufficient for reporting or
detection time.