A detailed description of how the finding did not meet the test description. This provides information on how the actual results fail to meet the security requirement, as noted in the CMS security policy, CMS security requirements, CMS guidance or industry best practices published by the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIG), Center for Internet Security (CIS), or database vendors. The finding should have the paragraph from the original report and the date of the final report included in the description as the first line for easy reference in the POA&Ms.
