Self-signed certificates on each managed computer should be removed, as they hinder environments where a STIG disallows self-signed certs
The requirement for self-signed certificates (used for data encryption) on each managed computer should be addressed, as it complicates management of environments where a STIG disallows self-signed certs. Also, a public (external) official MS whitepaper should be made available which states that these certs should not be altered or replaced, with the reasons why, or a method provided to replace them if this is supported.
Robert Avritt commented
Per DoD Instruction 8520.02
–DoD shall only rely on certificates that are issued by the DoD PKI or by a DoD approved PKI for authentication, digital signature, or encryption.