STIG guidance and Independent Review

Any stig guidance? The security code looks very dependent on 6.6.2 and not 7 es. Nothing borrowed from IP owned by elastic.co sources? Our project can’t use it unless opendistro passes a independent review.