Our company adopted CIS benchmarks as foundations for our hardening standards. The CIS benchmark for ESXi 6.5 includes validation tests assuming the use of Standard Switches (vs. Distributed Switches). Our compliance scanning tool (Nexpose) has policies built upon the published CIS benchmark. Due to the differences between Standard and Distributed switches, and the associated differences in the commands which are executed, we are receiving lots of false failures.
How are other companies addressing this situation? Are you creating your own SCAP-based policies, modifying existing ones, ...?
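As an added illustration of the gap described above (this is example code, not from the original poster, Nexpose, or the CIS benchmark itself): the benchmark's vSwitch security-policy controls (Promiscuous Mode, MAC Address Changes and Forged Transmits all set to Reject) are collected with `Get-SecurityPolicy` on a Standard switch but with `Get-VDSecurityPolicy` on a Distributed switch, so a check written for one switch type produces nothing or errors on the other. The script below evaluates both switch types with one routine. It assumes VMware PowerCLI (the `VMware.VimAutomation.Core` and `VMware.VimAutomation.Vds` modules) and an existing `Connect-VIServer` session for the live collection; the evaluation function only needs objects carrying the three boolean properties, and the sample policy objects at the bottom are constructed so the logic can be run offline. Function names and the sample switch names are hypothetical.

```powershell
# Added example, not code from the original post or the CIS benchmark.
# Evaluates the CIS ESXi vSwitch security-policy controls against BOTH
# Standard and Distributed switches instead of assuming Standard only.
# Assumes VMware PowerCLI (VMware.VimAutomation.Core, VMware.VimAutomation.Vds)
# for the live collection; the evaluator only needs objects exposing the
# boolean properties AllowPromiscuous, MacChanges and ForgedTransmits, which
# both Get-SecurityPolicy and Get-VDSecurityPolicy return.

function Test-VSwitchSecurityPolicy {
    # Evaluate one switch's security policy against the three controls.
    # Emits one result per control so a scanner can map each finding back
    # to the benchmark recommendation regardless of switch type.
    param(
        [Parameter(Mandatory)] [string] $SwitchName,
        [Parameter(Mandatory)] [ValidateSet('Standard', 'Distributed')] [string] $SwitchType,
        [Parameter(Mandatory)] $Policy
    )
    $controls = @(
        @{ Name = 'Promiscuous Mode';    Property = 'AllowPromiscuous' }
        @{ Name = 'MAC Address Changes'; Property = 'MacChanges' }
        @{ Name = 'Forged Transmits';    Property = 'ForgedTransmits' }
    )
    foreach ($c in $controls) {
        # $true on any of these properties means "Accept", the non-compliant state.
        $accepts = [bool] $Policy.($c.Property)
        $setting = 'Reject'
        if ($accepts) { $setting = 'Accept' }
        [pscustomobject]@{
            Switch     = $SwitchName
            SwitchType = $SwitchType
            Control    = $c.Name
            Setting    = $setting
            Compliant  = -not $accepts
        }
    }
}

function Get-VSwitchSecurityFindings {
    # Live collection (hypothetical helper): requires a prior Connect-VIServer.
    # Standard switches are per host; Distributed switches are vCenter objects.
    foreach ($vmhost in Get-VMHost) {
        foreach ($vss in Get-VirtualSwitch -VMHost $vmhost -Standard) {
            $pol = Get-SecurityPolicy -VirtualSwitch $vss
            Test-VSwitchSecurityPolicy -SwitchName "$($vmhost.Name)/$($vss.Name)" `
                                       -SwitchType Standard -Policy $pol
        }
    }
    foreach ($vds in Get-VDSwitch) {
        $pol = Get-VDSecurityPolicy -VDSwitch $vds
        Test-VSwitchSecurityPolicy -SwitchName $vds.Name -SwitchType Distributed -Policy $pol
    }
}

# Offline demonstration with constructed (fake) policy objects, so the
# evaluation logic can be exercised without a vCenter connection.
$sampleStandard = [pscustomobject]@{ AllowPromiscuous = $false; MacChanges = $true;  ForgedTransmits = $true }
$sampleDvs      = [pscustomobject]@{ AllowPromiscuous = $false; MacChanges = $false; ForgedTransmits = $false }

$results = @(
    Test-VSwitchSecurityPolicy -SwitchName 'esx01/vSwitch0' -SwitchType Standard    -Policy $sampleStandard
    Test-VSwitchSecurityPolicy -SwitchName 'dvSwitch-Prod'  -SwitchType Distributed -Policy $sampleDvs
)
$results | Format-Table -AutoSize
```

To run it live, call `Connect-VIServer` and then `Get-VSwitchSecurityFindings | Where-Object { -not $_.Compliant }`. One caveat worth keeping in whatever custom policy replaces the stock check: on both switch types the security policy can be overridden at the port group level (`Get-SecurityPolicy -VirtualPortGroup` for Standard, `Get-VDSecurityPolicy -VDPortgroup` for Distributed), so a switch-level pass does not by itself prove every port group is compliant.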