*** Update ***
The ESXi 5 STIG for ESXi Server and vCenter Server is now at version 1 revision 3. The only difference between revision 2 and 3 is the removal of some IAVM findings incorrectly included in the previous release. The certificate requirements have still been pulled and the below information valid for revision 3.
Ok, so yesterday DISA released the ESXi 5 Version 1 Revision 2 of the STIG. Now this is only Revision 2 of the ESXi 5 Server and vCenter Server STIG, not the VM. That is still at revision 1.
Why did they do it? Just one thing, the removal of the rule The system must not use default self-signed certificates for <ESXi / vCenter> Communication. So, if you want to follow the STIG, you no longer have to replace the default certificates provided, or you could replace them with an internal CA.
Why did they do this? Well, there’s a reason, but not one I’m going to put here on a public blog. If you’d like to know why just ask your SE. I will have either already informed them, or they can reach out to me for the information internally.