One chestnut from my history in lottery game development:
While our security staff was incredibly tight and did a generally good job, oftentimes the levels of paranoia were off the charts.
Once they went around hot-gluing shut all of the “unnecessary” USB ports in our PCs under the premise of mitigating data theft via thumb drive, while ignoring that we were all Internet-connected and VPNs are a thing, and that every machine had an RW optical drive.
Misunderstood STIG from the sound of it. The STIG is only applicable to unprivileged users but tends to get applied to all workstations regardless of user privileges. Also I think the .mil STIG GPOs apply it to all workstations regardless of privileges.
The other thing that tends to get overlooked is that AC-12 lets you set it to whatever the heck you want. So you could theoretically set it to 99999 years by policy if you wanted.
https://www.stigviewer.com/stig/application_security_and_development/2017-01-09/finding/V-69243
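As an added example (not posted by either commenter above), here is an audit script for the policy-backed controls that the two comments are really talking about: whether removable-storage access is actually denied per device class (USB sticks versus the optical drive the first comment mentions), whether the USB mass-storage driver is disabled, and what machine inactivity limit is enforced. It assumes the standard Windows Group Policy registry locations for Removable Storage Access, the documented class GUIDs for removable disks and CD/DVD, and treats the workstation "machine inactivity limit" as the local counterpart of the session-termination control discussed in the reply; run it in an elevated PowerShell on the workstation.

```powershell
# Added example, not from the thread. Audits the policy state that gluing USB
# ports shut was meant to approximate. Assumptions: the usual Removable Storage
# Access policy keys and class GUIDs, and InactivityTimeoutSecs as the
# workstation-level inactivity limit. Run elevated.

$RemovableRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$Classes = [ordered]@{
    'Removable disks (USB sticks)' = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
    'CD and DVD'                   = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
}

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent, i.e. the policy is "Not Configured".
    if (-not (Test-Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# A blanket "deny all removable storage classes" policy overrides the per-class keys.
$denyEverything = Get-PolicyValue $RemovableRoot 'Deny_All'

foreach ($label in $Classes.Keys) {
    $key       = Join-Path $RemovableRoot $Classes[$label]
    $denyAll   = Get-PolicyValue $key 'Deny_All'
    $denyWrite = Get-PolicyValue $key 'Deny_Write'
    $state = if ($denyEverything -eq 1 -or $denyAll -eq 1) { 'all access denied' }
             elseif ($denyWrite -eq 1)                      { 'write denied (read still allowed)' }
             else                                           { 'NOT restricted by policy' }
    '{0,-30} {1}' -f $label, $state
}

# USBSTOR start type 4 means the USB mass-storage driver will not load at all,
# which covers every port, including the ones nobody glued.
$usbstor = Get-PolicyValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
$usbState = if ($null -eq $usbstor) { 'unknown' } elseif ($usbstor -eq 4) { 'disabled' } else { "enabled (start type $usbstor)" }
'USBSTOR driver:                {0}' -f $usbState

# Machine inactivity limit in seconds; 0 or missing means no lock is enforced.
$timeout = Get-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'
$timeoutState = if ($timeout) { "$timeout seconds" } else { 'not enforced' }
'Machine inactivity limit:      {0}' -f $timeoutState
```

The output makes the gap in the anecdote visible in one glance: if "Removable disks" shows "write denied" while "CD and DVD" shows "NOT restricted by policy", the optical drive is the open exfiltration path the first comment describes, and the fix is a policy change on the CD/DVD class rather than hardware glue.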