regscale-cli 6.21.2.0__py3-none-any.whl → 6.28.2.1__py3-none-any.whl

regscale/integrations/scanner_integration.py

@@ -22,10 +22,12 @@ from regscale.core.app.application import Application
 from regscale.core.app.utils.api_handler import APIHandler
 from regscale.core.app.utils.app_utils import create_progress_object, get_current_datetime
 from regscale.core.app.utils.catalog_utils.common import objective_to_control_dot
-from regscale.core.utils.date import date_obj, date_str, datetime_str, days_from_today, get_day_increment
+from regscale.core.utils.date import date_obj, date_str, datetime_str
 from regscale.integrations.commercial.durosuite.process_devices import scan_durosuite_devices
 from regscale.integrations.commercial.durosuite.variables import DuroSuiteVariables
 from regscale.integrations.commercial.stig_mapper_integration.mapping_engine import StigMappingEngine as STIGMapper
+from regscale.integrations.due_date_handler import DueDateHandler
+from regscale.integrations.milestone_manager import MilestoneManager
 from regscale.integrations.public.cisa import pull_cisa_kev
 from regscale.integrations.variables import ScannerVariables
 from regscale.models import DateTimeEncoder, OpenIssueDict, Property, regscale_models
@@ -47,6 +49,31 @@ def get_thread_workers_max() -> int:
     return ScannerVariables.threadMaxWorkers
 
 
+def _create_config_override(
+    config: Optional[Dict[str, Dict]],
+    integration_name: str,
+    critical: Optional[int],
+    high: Optional[int],
+    moderate: Optional[int],
+    low: Optional[int],
+) -> Dict[str, Dict]:
+    """Create a config override for legacy parameter support."""
+    override_config = config.copy() if config else {}
+    if "issues" not in override_config:
+        override_config["issues"] = {}
+    if integration_name not in override_config["issues"]:
+        override_config["issues"][integration_name] = {}
+
+    integration_config = override_config["issues"][integration_name]
+    severity_params = {"critical": critical, "high": high, "moderate": moderate, "low": low}
+
+    for param_name, param_value in severity_params.items():
+        if param_value is not None:
+            integration_config[param_name] = param_value
+
+    return override_config
+
+
 def issue_due_date(
     severity: regscale_models.IssueSeverity,
     created_date: str,
@@ -60,6 +87,9 @@ def issue_due_date(
     """
     Calculate the due date for an issue based on its severity and creation date.
 
+    DEPRECATED: This function is kept for backward compatibility. New code should use DueDateHandler directly.
+    This function now uses DueDateHandler internally to ensure consistent behavior and proper validation.
+
     :param regscale_models.IssueSeverity severity: The severity of the issue.
     :param str created_date: The creation date of the issue.
     :param Optional[int] critical: Days until due for high severity issues.
@@ -71,40 +101,19 @@ def issue_due_date(
     :return: The due date for the issue.
     :rtype: str
     """
-    if critical is None:
-        critical = ScannerVariables.issueDueDates.get("critical", 30)
-    if high is None:
-        high = ScannerVariables.issueDueDates.get("high", 60)
-    if moderate is None:
-        moderate = ScannerVariables.issueDueDates.get("moderate", 120)
-    if low is None:
-        low = ScannerVariables.issueDueDates.get("low", 364)
-
-    if config is None:
-        config = {}
-
-    due_date_map = {
-        regscale_models.IssueSeverity.Critical: critical,
-        regscale_models.IssueSeverity.High: high,
-        regscale_models.IssueSeverity.Moderate: moderate,
-        regscale_models.IssueSeverity.Low: low,
-    }
-
-    if title and config:
-        # if title in a config key, use that key
-        issues_dict = config.get("issues", {})
-        matching_key = next((key.lower() for key in issues_dict if title.lower() in key.lower()), None)
-        if matching_key:
-            title_config = issues_dict.get(matching_key, {})
-            due_date_map = {
-                regscale_models.IssueSeverity.Critical: title_config.get("critical", critical),
-                regscale_models.IssueSeverity.High: title_config.get("high", high),
-                regscale_models.IssueSeverity.Moderate: title_config.get("moderate", moderate),
-                regscale_models.IssueSeverity.Low: title_config.get("low", low),
-            }
-
-    days = due_date_map.get(severity, low)
-    return date_str(get_day_increment(start=created_date, days=days))
+    integration_name = title or "default"
+
+    # Check if individual parameters need config override
+    if any(param is not None for param in [critical, high, moderate, low]):
+        config = _create_config_override(config, integration_name, critical, high, moderate, low)
+
+    due_date_handler = DueDateHandler(integration_name, config=config)
+    return due_date_handler.calculate_due_date(
+        severity=severity,
+        created_date=created_date,
+        cve=None,  # Legacy function doesn't have CVE parameter
+        title=title,
+    )
 
 
 class ManagedDefaultDict(Generic[K, V]):
@@ -322,6 +331,8 @@ class IntegrationFinding:
     :param str impact: The impact of the finding, defaults to an empty string.
     :param str recommendation_for_mitigation: Recommendations for mitigating the finding, defaults to an empty string.
     :param str asset_identifier: The identifier of the asset associated with the finding, defaults to an empty string.
+    :param str issue_asset_identifier_value: This is the value of all the assets affected by the issue, defaults to an
+    empty string.
     :param Optional[str] cci_ref: The Common Configuration Enumeration reference for the finding, defaults to None.
     :param str rule_id: The rule ID of the finding, defaults to an empty string.
     :param str rule_version: The version of the rule associated with the finding, defaults to an empty string.
@@ -418,6 +429,7 @@ class IntegrationFinding:
     impact: str = ""
     recommendation_for_mitigation: str = ""
     asset_identifier: str = ""
+    issue_asset_identifier_value: Optional[str] = None
     comments: Optional[str] = None
     source_report: Optional[str] = None
     point_of_contact: Optional[str] = None
@@ -637,6 +649,9 @@ class ScannerIntegration(ABC):
     # Error suppression options
     suppress_asset_not_found_errors = False
 
+    # CCI mapping flag - set to False for integrations that don't use CCI references
+    enable_cci_mapping = True
+
     def __init__(self, plan_id: int, tenant_id: int = 1, is_component: bool = False, **kwargs):
         """
         Initialize the ScannerIntegration.
@@ -646,6 +661,7 @@ class ScannerIntegration(ABC):
         :param bool is_component: Whether this is a component integration
         :param kwargs: Additional keyword arguments
             - suppress_asset_not_found_errors (bool): If True, suppress "Asset not found" error messages
+            - import_all_findings (bool): If True, import findings even if they are not associated to an asset
         """
         self.app = Application()
         self.alerted_assets: Set[str] = set()
@@ -657,6 +673,14 @@ class ScannerIntegration(ABC):
 
         # Set configuration options from kwargs
         self.suppress_asset_not_found_errors = kwargs.get("suppress_asset_not_found_errors", False)
+        self.import_all_findings = kwargs.get("import_all_findings", False)
+
+        # Initialize due date handler for this integration
+        self.due_date_handler = DueDateHandler(self.title, config=self.app.config)
+
+        # Initialize milestone manager for this integration
+        self.milestone_manager = None  # Lazy initialization after scan_date is set
+
         if self.is_component:
             self.component = regscale_models.Component.get_object(self.plan_id)
             self.parent_module: str = regscale_models.Component.get_module_string()
@@ -692,8 +716,12 @@ class ScannerIntegration(ABC):
 
         self.cci_to_control_map: ThreadSafeDict[str, set[int]] = ThreadSafeDict()
         self._no_ccis: bool = False
+        self._cci_map_loaded: bool = False
         self.cci_to_control_map_lock: threading.Lock = threading.Lock()
 
+        # Lock for thread-safe scan history count updates
+        self.scan_history_lock: threading.RLock = threading.RLock()
+
         self.assessment_map: ThreadSafeDict[int, regscale_models.Assessment] = ThreadSafeDict()
         self.assessor_id: str = self.get_assessor_id()
         self.asset_progress: Progress = create_progress_object()
@@ -704,6 +732,12 @@ class ScannerIntegration(ABC):
         thread_safe_kev_data.update(kev_data)
         self._kev_data = thread_safe_kev_data
 
+        # Issue lookup cache for performance optimization
+        # Eliminates N+1 API calls by caching issues and indexing by integrationFindingId
+        # Populated lazily on first use during findings processing
+        self._integration_finding_id_cache: Optional[ThreadSafeDict[str, List[regscale_models.Issue]]] = None
+        self._issue_cache_lock: threading.RLock = threading.RLock()
+
     @classmethod
     def _get_lock(cls, key: str) -> threading.RLock:
         """
@@ -722,6 +756,21 @@ class ScannerIntegration(ABC):
                     cls._lock_registry[key] = lock
         return lock
 
+    def get_milestone_manager(self) -> MilestoneManager:
+        """
+        Get or initialize the milestone manager.
+
+        :return: MilestoneManager instance
+        :rtype: MilestoneManager
+        """
+        if self.milestone_manager is None:
+            self.milestone_manager = MilestoneManager(
+                integration_title=self.title,
+                assessor_id=self.assessor_id,
+                scan_date=self.scan_date or get_current_datetime(),
+            )
+        return self.milestone_manager
+
     @staticmethod
     def load_stig_mapper() -> Optional[STIGMapper]:
         """
@@ -752,6 +801,74 @@ class ScannerIntegration(ABC):
 
         return regscale_models.Issue.get_user_id()
 
+    def get_user_organization_id(self, user_id: Optional[str]) -> Optional[int]:
+        """
+        Get the organization ID for a user.
+
+        :param Optional[str] user_id: The user ID to look up
+        :return: The organization ID or None if not found
+        :rtype: Optional[int]
+        """
+        if not user_id:
+            return None
+
+        try:
+            from regscale.models import User
+
+            user = User.get_object(user_id)
+            return user.orgId if user else None
+        except Exception as e:
+            logger.debug(f"Unable to get user organization for user {user_id}: {e}")
+            return None
+
+    def get_ssp_organization_id(self) -> Optional[int]:
+        """
+        Get the organization ID from the security plan.
+
+        :return: The organization ID or None if not found
+        :rtype: Optional[int]
+        """
+        try:
+            from regscale.models import SecurityPlan
+
+            if ssp := SecurityPlan.get_object(self.plan_id):
+                # First try to get organization from SSP owner
+                if getattr(ssp, "systemOwnerId"):
+                    if owner_org_id := self.get_user_organization_id(ssp.systemOwnerId):
+                        return owner_org_id
+                # Fallback to SSP's direct organization
+                return ssp.orgId
+        except Exception as e:
+            logger.debug(f"Unable to get SSP organization for plan {self.plan_id}: {e}")
+
+        return None
+
+    def determine_issue_organization_id(self, issue_owner_id: Optional[str]) -> Optional[int]:
+        """
+        Determine the organization ID for an issue based on the expected behavior:
+
+        1. If Issue Owner is set and has an Org, use Issue Owner's Org
+        2. Else if SSP Owner has an Org, use SSP Owner's Org
+        3. Else use SSP's Org if set
+
+        :param Optional[str] issue_owner_id: The issue owner ID
+        :return: The organization ID or None
+        :rtype: Optional[int]
+        """
+        # First check if issue owner has an organization
+        if issue_owner_id:
+            if owner_org_id := self.get_user_organization_id(issue_owner_id):
+                logger.debug(f"Setting issue organization {owner_org_id} from issue owner {issue_owner_id}")
+                return owner_org_id
+
+        # Fallback to SSP organization (which includes SSP owner check)
+        if ssp_org_id := self.get_ssp_organization_id():
+            logger.debug(f"Setting issue organization {ssp_org_id} from SSP {self.plan_id}")
+            return ssp_org_id
+
+        logger.debug(f"No organization found for issue owner {issue_owner_id} or SSP {self.plan_id}")
+        return None
+
     def get_cci_to_control_map(self) -> ThreadSafeDict[str, set[int]] | dict:
         """
         Gets the CCI to control map
@@ -759,15 +876,33 @@ class ScannerIntegration(ABC):
         :return: The CCI to control map
         :rtype: ThreadSafeDict[str, set[int]] | dict
         """
+        # If we know there are no CCIs, return immediately
         if self._no_ccis:
             return self.cci_to_control_map
+
+        # If we've already loaded (or attempted to load) the map, return it
+        if self._cci_map_loaded:
+            return self.cci_to_control_map
+
         with self.cci_to_control_map_lock:
-            if any(self.cci_to_control_map):
+            # Double-check inside the lock
+            if self._cci_map_loaded:
                 return self.cci_to_control_map
-            logger.info("Getting CCI to control map...")
-            self.cci_to_control_map = regscale_models.map_ccis_to_control_ids(parent_id=self.plan_id)  # type: ignore
-            if not any(self.cci_to_control_map):
+
+            logger.debug("Loading CCI to control map...")
+            try:
+                loaded_map = regscale_models.map_ccis_to_control_ids(parent_id=self.plan_id)  # type: ignore
+                if loaded_map:
+                    self.cci_to_control_map.update(loaded_map)
+                else:
+                    self._no_ccis = True
+            except Exception as e:
+                logger.debug(f"Could not load CCI to control map: {e}")
                 self._no_ccis = True
+            finally:
+                # Mark as loaded regardless of success/failure to prevent repeated attempts
+                self._cci_map_loaded = True
+
             return self.cci_to_control_map
 
     def get_control_to_cci_map(self) -> dict[int, set[str]]:
@@ -914,15 +1049,18 @@ class ScannerIntegration(ABC):
             return res[:450]
         return prefix[:450]
 
-    def get_or_create_assessment(self, control_implementation_id: int) -> regscale_models.Assessment:
+    def get_or_create_assessment(
+        self, control_implementation_id: int, status: Optional[regscale_models.AssessmentResultsStatus] = None
+    ) -> regscale_models.Assessment:
         """
-        Gets or creates a RegScale assessment
+        Gets or creates a RegScale assessment.
 
         :param int control_implementation_id: The ID of the control implementation
+        :param Optional[regscale_models.AssessmentResultsStatus] status: Optional status override (used by cci_assessment)
         :return: The assessment
         :rtype: regscale_models.Assessment
         """
-        logger.info("Getting or create assessment for control implementation %d", control_implementation_id)
+        logger.debug("Getting or create assessment for control implementation %d", control_implementation_id)
         assessment: Optional[regscale_models.Assessment] = self.assessment_map.get(control_implementation_id)
         if assessment:
             logger.debug(
@@ -934,7 +1072,7 @@ class ScannerIntegration(ABC):
                 plannedStart=get_current_datetime(),
                 plannedFinish=get_current_datetime(),
                 status=regscale_models.AssessmentStatus.COMPLETE.value,
-                assessmentResult=regscale_models.AssessmentResultsStatus.FAIL.value,
+                assessmentResult=status.value if status else regscale_models.AssessmentResultsStatus.FAIL.value,
                 actualFinish=get_current_datetime(),
                 leadAssessorId=self.assessor_id,
                 parentId=control_implementation_id,
@@ -1046,39 +1184,120 @@ class ScannerIntegration(ABC):
         :param Optional[str] component_name: The name of the component to associate the asset with. If None, the asset
                                           is added directly to the security plan without a component association.
         """
-        # Continue with normal asset creation/update
         if not asset.identifier:
             logger.warning("Asset has no identifier, skipping")
             return
 
-        component = getattr(self, "component") if self.is_component else None
-        if component_name:
-            logger.debug("Searching for component: %s...", component_name)
-            component = component or self.components_by_title.get(component_name)
-            if not component:
-                logger.debug("No existing component found with name %s, proceeding to create it...", component_name)
-                component = regscale_models.Component(
-                    title=component_name,
-                    componentType=asset.component_type,
-                    securityPlansId=self.plan_id,
-                    description=component_name,
-                    componentOwnerId=self.get_assessor_id(),
-                ).get_or_create()
-                self.components.append(component)
-            if component.securityPlansId and not self.is_component:
-                component_mapping = regscale_models.ComponentMapping(
-                    componentId=component.id,
-                    securityPlanId=self.plan_id,
-                )
-                component_mapping.get_or_create()
-            self.components_by_title[component_name] = component
+        # Get or create component if needed
+        component = self._get_or_create_component_for_asset(asset, component_name)
 
+        # Create or update the asset
         created, existing_or_new_asset = self.create_new_asset(asset, component=None)
 
-        # update results expects a dict[str, list] to update result counts
-        self.update_result_counts("assets", {"created": [1] if created else [], "updated": [] if created else [1]})
+        # Note: Result counts are updated during bulk_save() operation, not here
+        # to avoid double-counting and ensure accurate counts from actual database operations
+
+        # Handle component mapping and DuroSuite processing
+        self._handle_component_mapping_and_durosuite(existing_or_new_asset, component, asset, created)
+
+    def _get_or_create_component_for_asset(
+        self, asset: IntegrationAsset, component_name: Optional[str]
+    ) -> Optional[regscale_models.Component]:
+        """
+        Get or create a component for the asset if component_name is provided.
+
+        :param IntegrationAsset asset: The asset being processed
+        :param Optional[str] component_name: Name of the component to associate with
+        :return: The component object or None
+        :rtype: Optional[regscale_models.Component]
+        """
+        if not component_name:
+            return getattr(self, "component") if self.is_component else None
+
+        component = getattr(self, "component") if self.is_component else None
+        component = component or self.components_by_title.get(component_name)
+
+        if not component:
+            component = self._create_new_component(asset, component_name)
+
+        self._handle_component_mapping(component)
+        self.components_by_title[component_name] = component
+        return component
+
+    def _get_compliance_settings_id(self) -> Optional[int]:
+        """
+        Get the compliance settings ID from the security plan.
+
+        :return: The compliance settings ID if available
+        :rtype: Optional[int]
+        """
+        try:
+            security_plan = regscale_models.SecurityPlan.get_object(object_id=self.plan_id)
+            if security_plan and hasattr(security_plan, "complianceSettingsId"):
+                return security_plan.complianceSettingsId
+        except Exception as e:
+            logger.debug(f"Failed to get compliance settings ID from security plan {self.plan_id}: {e}")
+        return None
+
+    def _create_new_component(self, asset: IntegrationAsset, component_name: str) -> regscale_models.Component:
+        """
+        Create a new component for the asset.
+
+        :param IntegrationAsset asset: The asset being processed
+        :param str component_name: Name of the component to create
+        :return: The newly created component
+        :rtype: regscale_models.Component
+        """
+        logger.debug("No existing component found with name %s, proceeding to create it...", component_name)
+        component = regscale_models.Component(
+            title=component_name,
+            componentType=asset.component_type,
+            securityPlansId=self.plan_id,
+            description=component_name,
+            componentOwnerId=self.get_assessor_id(),
+            complianceSettingsId=self._get_compliance_settings_id(),
+        ).get_or_create()
+        self.components.append(component)
+        return component
+
+    def _handle_component_mapping(self, component: regscale_models.Component) -> None:
+        """
+        Handle component mapping creation if needed.
+
+        :param regscale_models.Component component: The component to create mapping for
+        """
+        if not (component.securityPlansId and not self.is_component):
+            return
+
+        component_mapping = regscale_models.ComponentMapping(
+            componentId=component.id,
+            securityPlanId=self.plan_id,
+        )
+        mapping_result = component_mapping.get_or_create()
+
+        if mapping_result is None:
+            logger.debug(
+                f"Failed to create or find ComponentMapping for componentId={component.id}, securityPlanId={self.plan_id}"
+            )
+        else:
+            mapping_id = getattr(mapping_result, "id", "unknown")
+            logger.debug(f"Successfully handled ComponentMapping for componentId={component.id}, ID={mapping_id}")
+
+    def _handle_component_mapping_and_durosuite(
+        self,
+        existing_or_new_asset: Optional[regscale_models.Asset],
+        component: Optional[regscale_models.Component],
+        asset: IntegrationAsset,
+        created: bool,
+    ) -> None:
+        """
+        Handle component mapping and DuroSuite scanning after asset creation.
 
-        # If the asset is associated with a component, create a mapping between them.
+        :param Optional[regscale_models.Asset] existing_or_new_asset: The asset that was created/updated
+        :param Optional[regscale_models.Component] component: The associated component, if any
+        :param IntegrationAsset asset: The original integration asset
+        :param bool created: Whether the asset was newly created
+        """
         if existing_or_new_asset and component:
             _was_created, _asset_mapping = regscale_models.AssetMapping(
                 assetId=existing_or_new_asset.id,
@@ -1086,9 +1305,33 @@ class ScannerIntegration(ABC):
             ).get_or_create_with_status()
 
         if created and DuroSuiteVariables.duroSuiteEnabled:
-            # Check if this is a DuroSuite compatible asset
             scan_durosuite_devices(asset=asset, plan_id=self.plan_id, progress=self.asset_progress)
 
+    def _truncate_field(self, value: Optional[str], max_length: int, field_name: str) -> Optional[str]:
+        """
+        Truncate a field to the maximum allowed length to prevent database errors.
+
+        :param Optional[str] value: The value to truncate
+        :param int max_length: Maximum allowed length
+        :param str field_name: Name of the field being truncated (for logging)
+        :return: Truncated value or None
+        :rtype: Optional[str]
+        """
+        if not value:
+            return value
+
+        if len(value) > max_length:
+            truncated = value[:max_length]
+            logger.warning(
+                "Truncated %s field from %d to %d characters for value: %s...",
+                field_name,
+                len(value),
+                max_length,
+                truncated[:100],
+            )
+            return truncated
+        return value
+
     def create_new_asset(
         self, asset: IntegrationAsset, component: Optional[regscale_models.Component]
     ) -> tuple[bool, Optional[regscale_models.Asset]]:
@@ -1101,22 +1344,130 @@ class ScannerIntegration(ABC):
         :return: Tuple of (was_created, newly created asset instance).
         :rtype: tuple[bool, Optional[regscale_models.Asset]]
         """
-        # Ensure the asset has a name
+        if not self._validate_asset_requirements(asset):
+            return False, None
+
+        asset_type = self._validate_and_map_asset_type(asset.asset_type)
+        other_tracking_number = self._prepare_tracking_number(asset)
+        field_data = self._prepare_truncated_asset_fields(asset, other_tracking_number)
+
+        new_asset = self._create_regscale_asset_model(asset, component, asset_type, field_data)
+
+        created, new_asset = new_asset.create_or_update_with_status(bulk_update=True)
+        self.asset_map_by_identifier[asset.identifier] = new_asset
+        logger.debug("Created new asset with identifier %s", asset.identifier)
+
+        self._handle_software_and_stig_processing(new_asset, asset, created)
+        return created, new_asset
+
+    def _validate_asset_requirements(self, asset: IntegrationAsset) -> bool:
+        """Validate that the asset has required fields for creation."""
         if not asset.name:
             logger.warning(
                 "Asset name is required for asset creation. Skipping asset creation of asset_type: %s", asset.asset_type
             )
-            return False, None
+            return False
+        return True
+
+    def _validate_and_map_asset_type(self, asset_type: str) -> str:
+        """Validate and map asset type to valid RegScale values."""
+        valid_asset_types = [
+            "Physical Server",
+            "Virtual Machine (VM)",
+            "Appliance",
+            "Network Router",
+            "Network Switch",
+            "Firewall",
+            "Desktop",
+            "Laptop",
+            "Tablet",
+            "Phone",
+            "Other",
+        ]
+
+        if asset_type not in valid_asset_types:
+            logger.debug(f"Asset type '{asset_type}' not in valid types, mapping to 'Other'")
+            return "Other"
+        return asset_type
+
+    def _prepare_tracking_number(self, asset: IntegrationAsset) -> str:
+        """Prepare and validate the tracking number for asset deduplication."""
+        other_tracking_number = asset.other_tracking_number or asset.identifier
+        if not other_tracking_number:
+            logger.warning("No tracking number available for asset %s, using name as fallback", asset.name)
+            other_tracking_number = asset.name
+        return other_tracking_number
+
+    def _prepare_truncated_asset_fields(self, asset: IntegrationAsset, other_tracking_number: str) -> dict:
+        """Prepare and truncate asset fields to prevent database errors."""
+        max_field_length = 450
+        name = self._process_asset_name(asset, max_field_length)
+
+        return {
+            "name": name,
+            "azure_identifier": self._truncate_field(asset.azure_identifier, max_field_length, "azureIdentifier"),
+            "aws_identifier": self._truncate_field(asset.aws_identifier, max_field_length, "awsIdentifier"),
+            "google_identifier": self._truncate_field(asset.google_identifier, max_field_length, "googleIdentifier"),
+            "other_cloud_identifier": self._truncate_field(
+                asset.other_cloud_identifier, max_field_length, "otherCloudIdentifier"
+            ),
+            "software_name": self._truncate_field(asset.software_name, max_field_length, "softwareName"),
+            "other_tracking_number": self._truncate_field(
+                other_tracking_number, max_field_length, "otherTrackingNumber"
+            ),
+        }
+
+    def _process_asset_name(self, asset: IntegrationAsset, max_field_length: int) -> str:
+        """Process and truncate asset name, handling special cases like Azure resource paths."""
+        name = self._truncate_field(asset.name, max_field_length, "name")
+
+        # For very long Azure resource paths, extract meaningful parts
+        if asset.name and len(asset.name) > max_field_length and "/" in asset.name:
+            name = self._shorten_azure_resource_path(asset.name, max_field_length)
+
+        return name
+
+    def _shorten_azure_resource_path(self, full_name: str, max_field_length: int) -> str:
+        """Shorten long Azure resource paths to meaningful parts."""
+        parts = full_name.split("/")
+        if len(parts) >= 4:
+            # Extract key components from Azure resource path
+            resource_group = next(
+                (p for i, p in enumerate(parts) if i > 0 and parts[i - 1].lower() == "resourcegroups"), ""
+            )
+            resource_type = parts[-2] if len(parts) > 1 else ""
+            resource_name = parts[-1]
+
+            # Build a shortened but meaningful name
+            if resource_group:
+                name = f"../{resource_group}/.../{resource_type}/{resource_name}"
+            else:
+                name = f".../{resource_type}/{resource_name}"
+
+            # Ensure it fits within limits
+            if len(name) > max_field_length:
+                name = name[-(max_field_length):]
+
+            logger.info(
+                "Shortened long Azure resource path from %d to %d characters: %s", len(full_name), len(name), name
+            )
+            return name
 
+        return self._truncate_field(full_name, max_field_length, "name")
+
+    def _create_regscale_asset_model(
+        self, asset: IntegrationAsset, component: Optional[regscale_models.Component], asset_type: str, field_data: dict
+    ) -> regscale_models.Asset:
+        """Create the RegScale Asset model with all required fields."""
         new_asset = regscale_models.Asset(
-            name=asset.name,
+            name=field_data["name"],
             description=asset.description,
             bVirtual=asset.is_virtual,
-            otherTrackingNumber=asset.other_tracking_number or asset.identifier,
-            assetOwnerId=asset.asset_owner_id or "Unknown",
+            otherTrackingNumber=field_data["other_tracking_number"],
+            assetOwnerId=asset.asset_owner_id or regscale_models.Asset.get_user_id() or "Unknown",
             parentId=component.id if component else self.plan_id,
             parentModule=self.parent_module,
-            assetType=asset.asset_type,
+            assetType=asset_type,
             dateLastUpdated=asset.date_last_updated or get_current_datetime(),
             status=asset.status,
             assetCategory=asset.asset_category,
@@ -1127,7 +1478,7 @@ class ScannerIntegration(ABC):
             serialNumber=asset.serial_number,
             assetTagNumber=asset.asset_tag_number,
             bPublicFacing=asset.is_public_facing,
-            azureIdentifier=asset.azure_identifier,
+            azureIdentifier=field_data["azure_identifier"],
             location=asset.location,
             ipAddress=asset.ip_address,
             iPv6Address=asset.ipv6_address,
@@ -1141,13 +1492,13 @@ class ScannerIntegration(ABC):
             endOfLifeDate=asset.end_of_life_date,
             vlanId=asset.vlan_id,
             uri=asset.uri,
-            awsIdentifier=asset.aws_identifier,
-            googleIdentifier=asset.google_identifier,
-            otherCloudIdentifier=asset.other_cloud_identifier,
+            awsIdentifier=field_data["aws_identifier"],
+            googleIdentifier=field_data["google_identifier"],
+            otherCloudIdentifier=field_data["other_cloud_identifier"],
             patchLevel=asset.patch_level,
             cpe=asset.cpe,
             softwareVersion=asset.software_version,
-            softwareName=asset.software_name,
+            softwareName=field_data["software_name"],
             softwareVendor=asset.software_vendor,
             bLatestScan=asset.is_latest_scan,
             bAuthenticatedScan=asset.is_authenticated_scan,
@@ -1156,20 +1507,21 @@ class ScannerIntegration(ABC):
             softwareFunction=asset.software_function,
             baselineConfiguration=asset.baseline_configuration,
         )
+
         if self.asset_identifier_field:
             setattr(new_asset, self.asset_identifier_field, asset.identifier)
 
-        created, new_asset = new_asset.create_or_update_with_status(bulk_update=True)
-        # add to asset_map_by_identifier
-        self.asset_map_by_identifier[asset.identifier] = new_asset
-        logger.debug("Created new asset with identifier %s", asset.identifier)
+        return new_asset
 
+    def _handle_software_and_stig_processing(
+        self, new_asset: regscale_models.Asset, asset: IntegrationAsset, created: bool
+    ) -> None:
+        """Handle post-asset creation tasks like software inventory and STIG mapping."""
         self.handle_software_inventory(new_asset, asset.software_inventory, created)
         self.create_asset_data_and_link(new_asset, asset)
         self.create_or_update_ports_protocol(new_asset, asset)
         if self.stig_mapper:
             self.stig_mapper.map_associated_stigs_to_asset(asset=new_asset, ssp_id=self.plan_id)
-        return created, new_asset
 
     def handle_software_inventory(
         self, new_asset: regscale_models.Asset, software_inventory: List[Dict[str, Any]], created: bool
@@ -1211,7 +1563,6 @@ class ScannerIntegration(ABC):
                         name=software_name,
                         parentHardwareAssetId=new_asset.id,
                         version=software_version,
-                        # references=software.get("references", []),
                     )
                 )
             else:
@@ -1551,35 +1902,154 @@ class ScannerIntegration(ABC):
         finding_id = self.get_finding_identifier(finding)
         finding_id_lock = self._get_lock(finding_id)
 
+        self._log_finding_processing_info(finding, finding_id, issue_status, title)
+
         with finding_id_lock:
-            if ScannerVariables.issueCreation.lower() != "perasset":
-                # Check if we should consolidate open issues based on integrationFindingId
-                if issue_status == regscale_models.IssueStatus.Open:
-                    existing_issues = regscale_models.Issue.find_by_integration_finding_id(finding_id)
-                    # Find an open issue to update
-                    issue = next(
-                        (issue for issue in existing_issues if issue.status != regscale_models.IssueStatus.Closed), None
-                    )
-                    if issue:
-                        return self._create_or_update_issue(finding, issue_status, title, issue)
-
-                # Check if we should consolidate closed issues based on integrationFindingId and issueDueDates
-                elif issue_status == regscale_models.IssueStatus.Closed:
-                    existing_issues = regscale_models.Issue.find_by_integration_finding_id(finding_id)
-                    # Find a closed issue with matching due date to consolidate with
-                    matching_closed_issue = next(
-                        (
-                            issue
-                            for issue in existing_issues
-                            if issue.status == regscale_models.IssueStatus.Closed
-                            and date_str(issue.dueDate) == date_str(finding.due_date)
-                        ),
-                        None,
-                    )
-                    if matching_closed_issue:
-                        return self._create_or_update_issue(finding, issue_status, title, matching_closed_issue)
+            existing_issue = self._find_existing_issue_for_finding(finding_id, finding, issue_status)
+            return self._create_or_update_issue(finding, issue_status, title, existing_issue)
+
+    def _log_finding_processing_info(
+        self, finding: IntegrationFinding, finding_id: str, issue_status: regscale_models.IssueStatus, title: str
+    ) -> None:
+        """Log finding processing information for debugging."""
+        logger.debug(
+            f"PROCESSING FINDING: external_id={finding.external_id}, finding_id={finding_id}, status={issue_status}, title='{title[:50]}...'"
+        )
+
+        if issue_status == regscale_models.IssueStatus.Closed:
+            logger.debug(f"CLOSED FINDING: This will create/update a CLOSED issue (status={issue_status})")
+
+    def _find_existing_issue_for_finding(
+        self, finding_id: str, finding: IntegrationFinding, issue_status: regscale_models.IssueStatus
+    ) -> Optional[regscale_models.Issue]:
+        """Find existing issue for the finding based on status and creation type."""
+        if ScannerVariables.issueCreation.lower() == "perasset":
+            return None
+
+        existing_issues = self._get_existing_issues_for_finding(finding_id, finding)
+
+        if issue_status == regscale_models.IssueStatus.Open:
+            return self._find_issue_for_open_status(existing_issues, finding_id)
+        elif issue_status == regscale_models.IssueStatus.Closed:
+            return self._find_issue_for_closed_status(existing_issues, finding, finding_id)
+
+        return None
+
+    def _populate_issue_lookup_cache(self) -> None:
+        """
+        Populate the issue lookup cache by fetching all issues for the plan and indexing by integrationFindingId.
+
+        This eliminates N+1 API calls during findings processing by creating an in-memory index.
+        Thread-safe for concurrent access.
+        """
+        with self._issue_cache_lock:
+            # Double-check locking pattern - check if cache already populated
+            if self._integration_finding_id_cache is not None:
+                return
+
+            module_str = "component" if self.is_component else "security plan"
+            logger.info(f"Building issue lookup index for {module_str} {self.plan_id}...")
+            start_time = time.time()
+
+            # Fetch all issues for the security plan
+            all_issues = regscale_models.Issue.fetch_issues_by_ssp(app=self.app, ssp_id=self.plan_id)
+
+            # Build index: integrationFindingId -> List[Issue]
+            cache = ThreadSafeDict()
+            indexed_count = 0
 
-            return self._create_or_update_issue(finding, issue_status, title)
+            for issue in all_issues:
+                if issue.integrationFindingId:
+                    finding_id = issue.integrationFindingId
+                    if finding_id not in cache:
+                        cache[finding_id] = []
+                    cache[finding_id].append(issue)
+                    indexed_count += 1
+
+            self._integration_finding_id_cache = cache
+
+            elapsed = time.time() - start_time
+            logger.info(
+                f"Issue lookup index built: {indexed_count} issues indexed from {len(all_issues)} total issues "
+                f"({len(cache)} unique finding IDs) in {elapsed:.2f}s"
+            )
+
+    def _get_existing_issues_for_finding(
+        self, finding_id: str, finding: IntegrationFinding
+    ) -> List[regscale_models.Issue]:
+        """
+        Get existing issues for the finding using cached lookup (fast) or API fallback (slow).
+
+        NEW BEHAVIOR:
+        - First lookup uses cache (O(1) dictionary lookup, no API call)
+        - Cache is populated lazily on first call
+        - Falls back to API only if finding not in cache and has external_id
+        """
+        # Populate cache on first use (lazy initialization)
+        if self._integration_finding_id_cache is None:
+            self._populate_issue_lookup_cache()
+
+        # FAST PATH: Check cache first (O(1) lookup, no API call)
+        existing_issues = self._integration_finding_id_cache.get(finding_id, [])
+
+        # FALLBACK PATH: Only if no issues found in cache AND external_id exists
+        # This handles edge cases where integrationFindingId might be missing but other identifiers exist
+        if not existing_issues and finding.external_id:
+            logger.debug(f"Issue not found in cache for finding_id={finding_id}, trying identifier fallback")
+            existing_issues = self._find_issues_by_identifier_fallback(finding.external_id)
+
+            # Cache the fallback result to avoid future API lookups
+            if existing_issues:
+                with self._issue_cache_lock:
+                    self._integration_finding_id_cache[finding_id] = existing_issues
+
+        return existing_issues
+
+    def _find_issue_for_open_status(
+        self, existing_issues: List[regscale_models.Issue], finding_id: str
+    ) -> Optional[regscale_models.Issue]:
+        """Find appropriate issue when the finding status is Open."""
+        # Find an open issue to update first
+        open_issue = next(
+            (issue for issue in existing_issues if issue.status != regscale_models.IssueStatus.Closed), None
+        )
+        if open_issue:
+            return open_issue
+
+        # If no open issue found, look for a closed issue to reopen
+        closed_issue = next(
+            (issue for issue in existing_issues if issue.status == regscale_models.IssueStatus.Closed), None
+        )
+        if closed_issue:
+            logger.debug(f"Reopening closed issue {closed_issue.id} for finding {finding_id}")
+            return closed_issue
+
+        return None
+
+    def _find_issue_for_closed_status(
+        self, existing_issues: List[regscale_models.Issue], finding: IntegrationFinding, finding_id: str
+    ) -> Optional[regscale_models.Issue]:
+        """Find appropriate issue when the finding status is Closed."""
+        # Find a closed issue with matching due date to consolidate with
+        matching_closed_issue = next(
+            (
+                issue
+                for issue in existing_issues
+                if issue.status == regscale_models.IssueStatus.Closed
+                and date_str(issue.dueDate) == date_str(finding.due_date)
+            ),
+            None,
+        )
+        if matching_closed_issue:
+            return matching_closed_issue
+
+        # If no matching closed issue, look for any existing issue to update
+        any_existing_issue = next(iter(existing_issues), None) if existing_issues else None
+        if any_existing_issue:
+            logger.debug(f"Closing existing issue {any_existing_issue.id} for finding {finding_id}")
+            return any_existing_issue
+
+        return None
 
     def _create_or_update_issue(
         self,
@@ -1615,7 +2085,124 @@ class ScannerIntegration(ABC):
         # Get consolidated asset identifier
         asset_identifier = self.get_consolidated_asset_identifier(finding, existing_issue)
 
-        # Update all fields
+        # Set basic issue fields
+        self._set_basic_issue_fields(issue, finding, issue_status, issue_title, asset_identifier)
+
+        # Set due date
+        self._set_issue_due_date(issue, finding)
+
+        # Set additional issue fields
+        self._set_additional_issue_fields(issue, finding, description, remediation_description)
+
+        # Set control-related fields
+        self._set_control_fields(issue, finding)
+
+        # Set risk and operational fields
+        self._set_risk_and_operational_fields(issue, finding, is_poam)
+
+        # Update KEV data if CVE exists
+        if finding.cve:
+            issue = self.lookup_kev_and_update_issue(cve=finding.cve, issue=issue, cisa_kevs=self._kev_data)
+
+        # Save or create the issue
+        self._save_or_create_issue(issue, finding, existing_issue, is_poam)
+
+        self._handle_property_and_milestone_creation(issue, finding, existing_issue)
+        return issue
+
+    def _find_issues_by_identifier_fallback(self, external_id: str) -> List[regscale_models.Issue]:
+        """
+        Find issues by identifier fields (otherIdentifier or integration-specific field) as fallback.
+        This helps with deduplication when integrationFindingId lookup fails.
+
+        :param str external_id: The external ID to search for
+        :return: List of matching issues
+        :rtype: List[regscale_models.Issue]
+        """
+        fallback_issues = []
+
+        try:
+            # Get all issues for this plan/component
+            all_issues = regscale_models.Issue.get_all_by_parent(
+                parent_id=self.plan_id,
+                parent_module=self.parent_module,
+            )
+
+            # Filter by source report to only check our integration's issues
+            source_issues = [issue for issue in all_issues if issue.sourceReport == self.title]
+
+            # Look for matches by otherIdentifier
+            for issue in source_issues:
+                if getattr(issue, "otherIdentifier", None) == external_id:
+                    fallback_issues.append(issue)
+                    logger.debug(f"Found issue {issue.id} by otherIdentifier fallback: {external_id}")
+
+                # Also check integration-specific identifier field if configured
+                elif (
+                    self.issue_identifier_field
+                    and hasattr(issue, self.issue_identifier_field)
+                    and getattr(issue, self.issue_identifier_field) == external_id
+                ):
+                    fallback_issues.append(issue)
+                    logger.debug(f"Found issue {issue.id} by {self.issue_identifier_field} fallback: {external_id}")
+
+            if fallback_issues:
+                logger.debug(
+                    f"Fallback deduplication found {len(fallback_issues)} existing issue(s) for external_id: {external_id}"
+                )
+
+        except Exception as e:
+            logger.warning(f"Error in fallback issue lookup for {external_id}: {e}")
+
+        return fallback_issues
+
+    def _set_issue_identifier_fields_internal(self, issue: regscale_models.Issue, finding: IntegrationFinding) -> None:
+        """Set issue identifier fields (e.g., wizId) on the issue object without saving."""
+        if not finding.external_id:
+            logger.debug(f"finding.external_id is empty: {finding.external_id}")
+            return
+
+        logger.debug(f"Setting issue identifier fields: external_id={finding.external_id}")
+
+        # Set otherIdentifier field (the external ID field in Issue model)
+        if not getattr(issue, "otherIdentifier", None):  # Only set if not already set
+            issue.otherIdentifier = finding.external_id
+            logger.debug(f"Set otherIdentifier = {finding.external_id}")
+
+        # Set the specific identifier field if configured (e.g., wizId for Wiz)
+        if self.issue_identifier_field and hasattr(issue, self.issue_identifier_field):
+            current_value = getattr(issue, self.issue_identifier_field)
+            if not current_value:  # Only set if not already set
+                setattr(issue, self.issue_identifier_field, finding.external_id)
+                logger.debug(f"Set {self.issue_identifier_field} = {finding.external_id}")
+            else:
+                logger.debug(f"{self.issue_identifier_field} already set to: {current_value}")
+        else:
+            if self.issue_identifier_field:  # Only log warning if field is configured
+                logger.warning(
+                    f"Cannot set issue_identifier_field: field='{self.issue_identifier_field}', hasattr={hasattr(issue, self.issue_identifier_field)}"
+                )
+
+    def _set_issue_identifier_fields(self, issue: regscale_models.Issue, finding: IntegrationFinding) -> None:
+        """Set issue identifier fields (e.g., wizId) and save them to the database."""
+        self._set_issue_identifier_fields_internal(issue, finding)
+
+        # Explicitly save the issue to persist the identifier fields
+        try:
+            issue.save(bulk=True)
+            logger.info(f"Saved issue {issue.id} with identifier fields")
+        except Exception as e:
+            logger.error(f"Failed to save issue identifier fields: {e}")
+
+    def _set_basic_issue_fields(
+        self,
+        issue: regscale_models.Issue,
+        finding: IntegrationFinding,
+        issue_status: regscale_models.IssueStatus,
+        issue_title: str,
+        asset_identifier: str,
+    ) -> None:
+        """Set basic fields for the issue."""
         issue.parentId = self.plan_id
         issue.parentModule = self.parent_module
         issue.vulnerabilityId = finding.vulnerability_id
@@ -1632,40 +2219,65 @@ class ScannerIntegration(ABC):
         issue.securityPlanId = self.plan_id if not self.is_component else None
         issue.identification = finding.identification
         issue.dateFirstDetected = finding.first_seen
-        # Ensure a due date is always set using configured policy defaults (e.g., FedRAMP)
+        issue.assetIdentifier = finding.issue_asset_identifier_value or asset_identifier
+
+        # Set organization ID based on Issue Owner or SSP Owner hierarchy
+        issue.orgId = self.determine_issue_organization_id(issue.issueOwnerId)
+
+    def _set_issue_due_date(self, issue: regscale_models.Issue, finding: IntegrationFinding) -> None:
+        """Set the due date for the issue using DueDateHandler."""
+        # Always calculate or validate due date to ensure it's not in the past
         if not finding.due_date:
+            # No due date set, calculate new one
             try:
                 base_created = finding.date_created or issue.dateCreated
-                finding.due_date = issue_due_date(
+                finding.due_date = self.due_date_handler.calculate_due_date(
                     severity=finding.severity,
                     created_date=base_created,
-                    title=self.title,
+                    cve=finding.cve,
+                    title=finding.title or self.title,
                 )
-            except Exception:
+            except Exception as e:
+                logger.warning(f"Error calculating due date with DueDateHandler: {e}")
                 # Final fallback to a Low severity default if anything goes wrong
                 base_created = finding.date_created or issue.dateCreated
-                finding.due_date = issue_due_date(
+                finding.due_date = self.due_date_handler.calculate_due_date(
                     severity=regscale_models.IssueSeverity.Low,
                     created_date=base_created,
-                    title=self.title,
+                    cve=finding.cve,
+                    title=finding.title or self.title,
                 )
+        else:
+            # Due date already exists, but validate it's not in the past (if noPastDueDates is enabled)
+            finding.due_date = self.due_date_handler._ensure_future_due_date(
+                finding.due_date, self.due_date_handler.integration_timelines.get(finding.severity, 60)
+            )
+
         issue.dueDate = finding.due_date
+
+    def _set_additional_issue_fields(
+        self, issue: regscale_models.Issue, finding: IntegrationFinding, description: str, remediation_description: str
+    ) -> None:
+        """Set additional fields for the issue."""
         issue.description = description
         issue.sourceReport = finding.source_report or self.title
         issue.recommendedActions = finding.recommendation_for_mitigation
-        issue.assetIdentifier = asset_identifier
         issue.securityChecks = finding.security_check or finding.external_id
         issue.remediationDescription = remediation_description
         issue.integrationFindingId = self.get_finding_identifier(finding)
         issue.poamComments = finding.poam_comments
         issue.cve = finding.cve
         issue.assessmentId = finding.assessment_id
+
+        # Set issue identifier fields (e.g., wizId, otherIdentifier) before save/create
+        self._set_issue_identifier_fields_internal(issue, finding)
+
+    def _set_control_fields(self, issue: regscale_models.Issue, finding: IntegrationFinding) -> None:
+        """Set control-related fields for the issue."""
         control_id = self.get_control_implementation_id_for_cci(finding.cci_ref) if finding.cci_ref else None
-        issue.controlId = control_id  # TODO REMOVE
-        # Add the control implementation ids and the cci ref if it exists
-        # Get control implementation ID for CCI if it exists
-        # Only add CCI control ID if it exists
+        # Note: controlId is deprecated, using controlImplementationIds instead
         cci_control_ids = [control_id] if control_id is not None else []
+
         # Ensure failed control labels (e.g., AC-4(21)) are present in affectedControls
         if finding.affected_controls:
             issue.affectedControls = finding.affected_controls
@@ -1673,15 +2285,17 @@ class ScannerIntegration(ABC):
             issue.affectedControls = ", ".join(sorted({cl for cl in finding.control_labels if cl}))
 
         issue.controlImplementationIds = list(set(finding._control_implementation_ids + cci_control_ids))  # noqa
-        # Always ensure isPoam reflects current settings, even when updating existing issues
+
+    def _set_risk_and_operational_fields(
+        self, issue: regscale_models.Issue, finding: IntegrationFinding, is_poam: bool
+    ) -> None:
+        """Set risk and operational fields for the issue."""
         issue.isPoam = is_poam
         issue.basisForAdjustment = (
             finding.basis_for_adjustment if finding.basis_for_adjustment else f"{self.title} import"
         )
         issue.pluginId = finding.plugin_id
         issue.originalRiskRating = regscale_models.Issue.assign_risk_rating(finding.severity)
-        # Current: changes
-        # Planned: planned changes
         issue.changes = "<p>Current: {}</p><p>Planned: {}</p>".format(
             finding.milestone_changes, finding.planned_milestone_changes
         )
@@ -1690,21 +2304,32 @@ class ScannerIntegration(ABC):
         issue.operationalRequirement = finding.operational_requirements
         issue.deviationRationale = finding.deviation_rationale
         issue.dateLastUpdated = get_current_datetime()
-        ## set affected controls if they exist
         issue.affectedControls = finding.affected_controls
 
-        if finding.cve:
-            issue = self.lookup_kev_and_update_issue(cve=finding.cve, issue=issue, cisa_kevs=self._kev_data)
-
+    def _save_or_create_issue(
+        self,
+        issue: regscale_models.Issue,
+        finding: IntegrationFinding,
+        existing_issue: Optional[regscale_models.Issue],
+        is_poam: bool,
+    ) -> None:
+        """Save or create the issue."""
         if existing_issue:
+            logger.debug(f"UPDATING EXISTING ISSUE: {existing_issue.id} with external_id={finding.external_id}")
             logger.debug("Saving Old Issue: %s  with assetIdentifier: %s", issue.id, issue.assetIdentifier)
             issue.save(bulk=True)
             logger.debug("Saved existing issue %s with assetIdentifier: %s", issue.id, issue.assetIdentifier)
-
         else:
+            logger.debug(
+                f"➕ CREATING NEW ISSUE: external_id={finding.external_id}, title='{finding.title[:50]}...', status={finding.status}"
+            )
             issue = issue.create_or_update(
                 bulk_update=True, defaults={"otherIdentifier": self._get_other_identifier(finding, is_poam)}
             )
+            if issue.id:
+                logger.debug(f"NEW ISSUE CREATED: RegScale ID={issue.id}, external_id={finding.external_id}")
+            else:
+                logger.warning(f"ISSUE CREATION FAILED: No ID assigned for external_id={finding.external_id}")
             self.extra_data_to_properties(finding, issue.id)
 
         self._handle_property_and_milestone_creation(issue, finding, existing_issue)
@@ -1721,65 +2346,91 @@ class ScannerIntegration(ABC):
 
         :param regscale_models.Issue issue: The issue to handle properties for
         :param IntegrationFinding finding: The finding data
-        :param bool new_issue: Whether this is a new issue
+        :param Optional[regscale_models.Issue] existing_issue: Existing issue for milestone comparison
         :rtype: None
         """
+        # Handle property creation
+        self._create_issue_properties(issue, finding)
+
+        # Handle milestone creation
+        self._create_issue_milestones(issue, finding, existing_issue)
+
+    def _create_issue_properties(self, issue: regscale_models.Issue, finding: IntegrationFinding) -> None:
+        """
+        Create properties for an issue based on finding data.
+
+        :param regscale_models.Issue issue: The issue to create properties for
+        :param IntegrationFinding finding: The finding data
+        """
         if poc := finding.point_of_contact:
-            regscale_models.Property(
-                key="POC",
-                value=poc,
-                parentId=issue.id,
-                parentModule="issues",
-            ).create_or_update()
-            logger.debug("Added POC property %s to issue %s", poc, issue.id)
+            self._create_property_safe(issue, "POC", poc, "POC property")
 
         if finding.is_cwe:
+            self._create_property_safe(issue, "CWE", finding.plugin_id, "CWE property")
+
+    def _create_property_safe(self, issue: regscale_models.Issue, key: str, value: str, property_type: str) -> None:
+        """
+        Safely create a property with error handling.
+        Validates that the issue has a valid ID before attempting to create the property.
+
+        :param regscale_models.Issue issue: The issue to create property for
+        :param str key: The property key
+        :param str value: The property value
+        :param str property_type: Description for logging purposes
+        """
+        # Validate that the issue has a valid ID, if not, create the issue
+        if not issue or not issue.id or issue.id == 0:
+            issue = issue.create_or_update()
+
+        # Validate that the issue has a valid ID, if not, skip the property creation
+        if not issue or not issue.id or issue.id == 0:
+            logger.debug(
+                "Skipping %s creation: issue ID is invalid (issue=%s, id=%s)",
+                property_type,
+                "None" if not issue else "present",
+                issue.id if issue else "N/A",
+            )
+            return
+
+        try:
             regscale_models.Property(
-                key="CWE",
-                value=finding.plugin_id,
+                key=key,
+                value=value,
                 parentId=issue.id,
                 parentModule="issues",
             ).create_or_update()
-            logger.debug("Added CWE property %s to issue %s", finding.plugin_id, issue.id)
+            logger.debug("Added %s %s to issue %s", property_type, value, issue.id)
+        except Exception as e:
+            logger.warning("Failed to create %s for issue %s: %s", property_type, issue.id, str(e))
 
-        if ScannerVariables.useMilestones:
-            if (
-                existing_issue
-                and existing_issue.status == regscale_models.IssueStatus.Closed
-                and issue.status == regscale_models.IssueStatus.Open
-            ):
-                regscale_models.Milestone(
-                    title=f"Issue reopened from {self.title} scan",
-                    milestoneDate=get_current_datetime(),
-                    responsiblePersonId=self.assessor_id,
-                    parentID=issue.id,
-                    parentModule="issues",
-                ).create_or_update()
-                logger.debug("Added milestone for issue %s from finding %s", issue.id, finding.external_id)
-            elif (
-                existing_issue
-                and existing_issue.status == regscale_models.IssueStatus.Open
-                and issue.status == regscale_models.IssueStatus.Closed
-            ):
-                regscale_models.Milestone(
-                    title=f"Issue closed from {self.title} scan",
-                    milestoneDate=issue.dateCompleted,
-                    responsiblePersonId=self.assessor_id,
-                    parentID=issue.id,
-                    parentModule="issues",
-                ).create_or_update()
-                logger.debug("Added milestone for issue %s from finding %s", issue.id, finding.external_id)
-            elif not existing_issue:
-                regscale_models.Milestone(
-                    title=f"Issue created from {self.title} scan",
-                    milestoneDate=self.scan_date,
-                    responsiblePersonId=self.assessor_id,
-                    parentID=issue.id,
-                    parentModule="issues",
-                ).create_or_update()
-                logger.debug("Created milestone for issue %s from finding %s", issue.id, finding.external_id)
-            else:
-                logger.debug("No milestone created for issue %s from finding %s", issue.id, finding.external_id)
+    def _create_issue_milestones(
+        self,
+        issue: regscale_models.Issue,
+        finding: IntegrationFinding,
+        existing_issue: Optional[regscale_models.Issue],
+    ) -> None:
+        """
+        Create milestones for an issue based on status transitions.
+
+        Delegates to MilestoneManager for cleaner separation of concerns.
+        Also ensures existing issues have creation milestones (backfills if missing).
+
+        :param regscale_models.Issue issue: The issue to create milestones for
+        :param IntegrationFinding finding: The finding data
+        :param Optional[regscale_models.Issue] existing_issue: Existing issue for comparison
+        """
+        milestone_manager = self.get_milestone_manager()
+
+        # For existing issues, ensure they have a creation milestone (backfill if missing)
+        if existing_issue:
+            milestone_manager.ensure_creation_milestone_exists(issue=issue, finding=finding)
+
+        # Handle status transition milestones
+        milestone_manager.create_milestones_for_issue(
+            issue=issue,
+            finding=finding,
+            existing_issue=existing_issue,
+        )
 
     @staticmethod
     def extra_data_to_properties(finding: IntegrationFinding, issue_id: int) -> None:
@@ -1825,13 +2476,17 @@ class ScannerIntegration(ABC):
         :rtype: str
         """
         delimiter = "\n"
+
+        # Use issue_asset_identifier_value if available (e.g., providerUniqueId from Wiz)
+        # This provides more meaningful asset identification for eMASS exports
+        current_asset_identifier = finding.issue_asset_identifier_value or finding.asset_identifier
         if not existing_issue or ScannerVariables.issueCreation.lower() == "perasset":
-            return finding.asset_identifier
+            return current_asset_identifier
 
         # Get existing asset identifiers
         existing_asset_identifiers = set((existing_issue.assetIdentifier or "").split(delimiter))
-        if finding.asset_identifier not in existing_asset_identifiers:
-            existing_asset_identifiers.add(finding.asset_identifier)
+        if current_asset_identifier not in existing_asset_identifiers:
+            existing_asset_identifiers.add(current_asset_identifier)
 
         return delimiter.join(existing_asset_identifiers)
 
@@ -1862,16 +2517,14 @@ class ScannerIntegration(ABC):
         """
         Determine if the cve is part of the published CISA KEV list
 
+        Note: Due date handling is now managed by DueDateHandler. This method only sets kevList field.
+
         :param str cve: The CVE to lookup in CISAs KEV list
-        :param regscale_models.Issue issue: The issue to update kevList field and dueDate if found in KEV List
+        :param regscale_models.Issue issue: The issue to update kevList field
         :param Optional[ThreadSafeDict[str, Any]] cisa_kevs: The CISA KEV data to search the findings
         :return: The updated issue
         :rtype: regscale_models.Issue
         """
-        from datetime import datetime
-
-        from regscale.core.app.utils.app_utils import convert_datetime_to_regscale_string
-
         issue.kevList = "No"
 
         if cisa_kevs:
@@ -1884,14 +2537,6 @@ class ScannerIntegration(ABC):
                 None,
             )
             if kev_data:
-                # If kev due date is before the issue date created, add the difference to the date created
-                calculated_due_date = ScannerIntegration._calculate_kev_due_date(kev_data, issue.dateCreated)
-                if calculated_due_date:
-                    issue.dueDate = calculated_due_date
-                else:
-                    issue.dueDate = convert_datetime_to_regscale_string(
-                        datetime.strptime(kev_data["dueDate"], "%Y-%m-%d")
-                    )
                 issue.kevList = "Yes"
 
         return issue
@@ -1952,6 +2597,8 @@ class ScannerIntegration(ABC):
             if found_issue.controlImplementationIds:
                 for control_id in found_issue.controlImplementationIds:
                     self.update_control_implementation_status_after_close(control_id)
+                    # Update assessment status to reflect the control implementation status
+                    self.update_assessment_status_from_control_implementation(control_id)
 
     def handle_failing_checklist(
         self,
@@ -1976,11 +2623,13 @@ class ScannerIntegration(ABC):
                 if failing_objective.name.lower().startswith("cci-"):
                     implementation_id = self.get_control_implementation_id_for_cci(failing_objective.name)
                 else:
-                    control_label = objective_to_control_dot(failing_objective.name)
-                    if control_label not in self.control_implementation_id_map:
-                        logger.warning("Control %s not found for %s", control_label, control_label)
-                        continue
-                    implementation_id = self.control_implementation_id_map[control_label]
+                    implementation_id = self._fallback_implementation_id(failing_objective)
+
+                if not implementation_id or implementation_id is None:
+                    logger.warning(
+                        "Could not map objective to a Control Implementation for objective #%i.", failing_objective.id
+                    )
+                    continue
 
                 failing_option = regscale_models.ImplementationOption(
                     name="Failed STIG",
@@ -2002,13 +2651,36 @@ class ScannerIntegration(ABC):
                 ).create_or_update()
 
                 # Create assessment and control test result
-                assessment = self.get_or_create_assessment(implementation_id)
+                assessment = self.get_or_create_assessment(
+                    implementation_id, status=regscale_models.AssessmentResultsStatus.FAIL
+                )
                 if implementation_id:
                     control_test = self.create_or_get_control_test(finding, implementation_id)
                     self.create_control_test_result(
                         finding, control_test, assessment, regscale_models.ControlTestResultStatus.FAIL
                     )
 
+    def _fallback_implementation_id(self, objective: regscale_models.ControlObjective) -> Optional[int]:
+        """
+        Fallback method to get control implementation ID from objective name if CCI mapping fails.
+
+        :param regscale_models.ControlObjective objective: The control objective
+        :return: The control implementation ID if found, None otherwise
+        :rtype: Optional[int]
+        """
+        control_label = objective_to_control_dot(objective.name)
+        if implementation_id := self.control_implementation_id_map.get(control_label):
+            return implementation_id
+
+        if control_id := self.control_id_to_implementation_map.get(objective.securityControlId):
+            if control_label := self.control_map.get(control_id):
+                implementation_id = self.control_implementation_id_map.get(control_label)
+                if not implementation_id:
+                    print("No dice.")
+                return implementation_id
+        logger.debug("Could not find fallback implementation ID for objective #%i", objective.id)
+        return None
+
     def handle_passing_checklist(
         self,
         finding: IntegrationFinding,
@@ -2032,15 +2704,12 @@ class ScannerIntegration(ABC):
                 if passing_objective.name.lower().startswith("cci-"):
                     implementation_id = self.get_control_implementation_id_for_cci(passing_objective.name)
                 else:
-                    control_label = objective_to_control_dot(passing_objective.name)
-                    if control_label not in self.control_implementation_id_map:
-                        logger.warning("Control %s not found for %s", control_label, control_label)
-                        continue
-                    implementation_id = self.control_implementation_id_map[control_label]
-
-                # Skip if we couldn't determine the implementation ID
-                if implementation_id is None:
-                    logger.warning("Could not determine implementation ID for objective %s", passing_objective.name)
+                    implementation_id = self._fallback_implementation_id(passing_objective)
+
+                if not implementation_id or implementation_id is None:
+                    logger.warning(
+                        "Could not map objective to a Control Implementation for objective #%i.", passing_objective.id
+                    )
                     continue
 
                 passing_option = regscale_models.ImplementationOption(
@@ -2063,7 +2732,9 @@ class ScannerIntegration(ABC):
                 ).create_or_update()
 
                 # Create assessment and control test result
-                assessment = self.get_or_create_assessment(implementation_id)
+                assessment = self.get_or_create_assessment(
+                    implementation_id, status=regscale_models.AssessmentResultsStatus.PASS
+                )
                 control_test = self.create_or_get_control_test(finding, implementation_id)
                 self.create_control_test_result(
                     finding, control_test, assessment, regscale_models.ControlTestResultStatus.PASS
@@ -2089,17 +2760,45 @@ class ScannerIntegration(ABC):
 
     def get_asset_by_identifier(self, identifier: str) -> Optional[regscale_models.Asset]:
         """
-        Gets an asset by its identifier
+        Gets an asset by its identifier with fallback lookups.
+
+        REG-17044: Enhanced to support multiple identifier fields (qualysId, IP, FQDN)
+        to improve asset matching and reduce "asset not found" errors.
 
         :param str identifier: The identifier of the asset
         :return: The asset
         :rtype: Optional[regscale_models.Asset]
         """
-        asset = self.asset_map_by_identifier.get(identifier)
+        # Try primary identifier field first
+        if asset := self.asset_map_by_identifier.get(identifier):
+            return asset
+
+        # Fallback: Try common identifier fields
+        # This helps when asset_identifier_field doesn't match or assets use different identifiers
+        if not asset and identifier:
+            for cached_asset in self.asset_map_by_identifier.values():
+                # Try IP address lookup
+                if getattr(cached_asset, "ipAddress", None) == identifier:
+                    logger.debug(f"Found asset {cached_asset.id} by IP address fallback: {identifier}")
+                    return cached_asset
+                # Try FQDN lookup
+                if getattr(cached_asset, "fqdn", None) == identifier:
+                    logger.debug(f"Found asset {cached_asset.id} by FQDN fallback: {identifier}")
+                    return cached_asset
+                # Try DNS lookup
+                if getattr(cached_asset, "dns", None) == identifier:
+                    logger.debug(f"Found asset {cached_asset.id} by DNS fallback: {identifier}")
+                    return cached_asset
+
+        # Log error if still not found
         if not asset and identifier not in self.alerted_assets:
             self.alerted_assets.add(identifier)
             if not getattr(self, "suppress_asset_not_found_errors", False):
-                self.log_error("1. Asset not found for identifier %s", identifier)
+                self.log_error(
+                    "Asset not found for identifier '%s' (tried %s, ipAddress, fqdn, dns)",
+                    identifier,
+                    self.asset_identifier_field,
+                )
         return asset
 
     def get_issue_by_integration_finding_id(self, integration_finding_id: str) -> Optional[regscale_models.Issue]:
@@ -2128,7 +2827,11 @@ class ScannerIntegration(ABC):
                 logger.error("2. Asset not found for identifier %s", finding.asset_identifier)
             return 0
 
-        tool = regscale_models.ChecklistTool.STIGs
+        tool = (
+            regscale_models.ChecklistTool.CISBenchmarks
+            if "simp.cis" in str(finding.vulnerability_number).lower()
+            else regscale_models.ChecklistTool.STIGs
+        )
         if finding.vulnerability_type == "Vulnerability Scan":
             tool = regscale_models.ChecklistTool.VulnerabilityScanner
 
@@ -2190,33 +2893,70 @@ class ScannerIntegration(ABC):
         scan_history = self.create_scan_history()
         current_vulnerabilities: Dict[int, Set[int]] = defaultdict(set)
         processed_findings_count = 0
-        loading_findings = self.finding_progress.add_task(
-            f"[#f8b737]Processing {f'{self.num_findings_to_process} ' if self.num_findings_to_process else ''}finding(s) from {self.title}",
-            total=self.num_findings_to_process if self.num_findings_to_process else None,
+
+        # Convert iterator to list so we can check findings and avoid re-iteration issues
+        findings_list = list(findings)
+
+        # Set the number of findings to process for progress tracking
+        self.num_findings_to_process = len(findings_list)
+        loading_findings = self._setup_finding_progress()
+
+        # Pre-load CCI to control map before threading ONLY if:
+        # 1. The integration has CCI mapping enabled (enable_cci_mapping = True)
+        # 2. Findings contain actual CCI references
+        # This avoids expensive unnecessary API calls for integrations that don't use CCIs (e.g., AWS)
+        if self.enable_cci_mapping:
+            has_cci_refs = any(
+                getattr(f, "cci_ref", None) is not None and getattr(f, "cci_ref", None) != "" for f in findings_list
+            )
+            if has_cci_refs:
+                logger.debug("Pre-loading CCI to control map...")
+                _ = self.get_cci_to_control_map()
+
+        # Process findings
+        processed_findings_count = self._process_findings_with_threading(
+            iter(findings_list), scan_history, current_vulnerabilities, loading_findings
         )
 
-        # Locks for thread-safe operations
+        # Finalize processing
+        self._finalize_finding_processing(scan_history, current_vulnerabilities)
+
+        # Complete the finding progress bar
+        self._complete_finding_progress(loading_findings, processed_findings_count)
+
+        logger.info(f"Successfully processed {processed_findings_count} findings from {self.title}")
+
+        return processed_findings_count
+
+    def _setup_finding_progress(self):
+        """Setup progress tracking for findings processing."""
+        # Backwards compatibility: check if finding_progress exists and has add_task method
+        if self.finding_progress is not None and hasattr(self.finding_progress, "add_task"):
+            return self.finding_progress.add_task(
+                f"[#f8b737]Processing {f'{self.num_findings_to_process} ' if self.num_findings_to_process else ''}finding(s) from {self.title}",
+                total=self.num_findings_to_process if self.num_findings_to_process else None,
+            )
+        return None
+
+    def _process_findings_with_threading(
+        self,
+        findings: Iterator[IntegrationFinding],
+        scan_history: regscale_models.ScanHistory,
+        current_vulnerabilities: Dict[int, Set[int]],
+        loading_findings,
+    ) -> int:
+        """Process findings using threading or sequential processing."""
+        processed_findings_count = 0
         count_lock = threading.RLock()
 
         def process_finding_with_progress(finding_to_process: IntegrationFinding) -> None:
-            """
-            Process a single finding and update progress.
-
-            :param IntegrationFinding finding_to_process: The finding to process
-            :rtype: None
-            """
+            """Process a single finding and update progress."""
             nonlocal processed_findings_count
             try:
                 self.process_finding(finding_to_process, scan_history, current_vulnerabilities)
                 with count_lock:
                     processed_findings_count += 1
-                    if self.num_findings_to_process:
-                        self.finding_progress.update(
-                            loading_findings,
-                            total=self.num_findings_to_process,
-                            description=f"[#f8b737]Processing {self.num_findings_to_process} findings from {self.title}.",
-                        )
-                    self.finding_progress.advance(loading_findings, 1)
+                    self._update_finding_progress(loading_findings)
             except Exception as exc:
                 self.log_error(
                     "An error occurred when processing finding %s: %s",
@@ -2228,30 +2968,87 @@ class ScannerIntegration(ABC):
             for finding in findings:
                 process_finding_with_progress(finding)
         else:
-            # Process findings in batches to control memory usage
-            batch_size = get_thread_workers_max() * 2  # Set batch size based on thread count
-            with concurrent.futures.ThreadPoolExecutor(max_workers=get_thread_workers_max()) as executor:
-                batch = []
-                for finding in findings:
-                    batch.append(finding)
-                    if len(batch) >= batch_size:
-                        # Process this batch
-                        list(executor.map(process_finding_with_progress, batch))
-                        # Clear the batch
-                        batch = []
-
-                # Process any remaining items
-                if batch:
+            processed_findings_count = self._process_findings_in_batches(findings, process_finding_with_progress)
+
+        return processed_findings_count
+
+    def _update_finding_progress(self, loading_findings):
+        """Update the finding progress bar."""
+        # Backwards compatibility: check if finding_progress exists and has required methods
+        if self.finding_progress is None or not hasattr(self.finding_progress, "update"):
+            return
+
+        if self.num_findings_to_process:
+            self.finding_progress.update(
+                loading_findings,
+                total=self.num_findings_to_process,
+                description=f"[#f8b737]Processing {self.num_findings_to_process} findings from {self.title}.",
+            )
+        if hasattr(self.finding_progress, "advance"):
+            self.finding_progress.advance(loading_findings, 1)
+
+    def _complete_finding_progress(self, loading_findings, processed_count):
+        """Complete the finding progress bar with final status."""
+        # Backwards compatibility: check if finding_progress exists and has update method
+        if self.finding_progress is not None and hasattr(self.finding_progress, "update"):
+            self.finding_progress.update(
+                loading_findings,
+                completed=processed_count,
+                total=max(processed_count, self.num_findings_to_process or processed_count),
+                description=f"[green] Completed processing {processed_count} finding(s) from {self.title}",
+            )
+
+    def _process_findings_in_batches(
+        self, findings: Iterator[IntegrationFinding], process_finding_with_progress
+    ) -> int:
+        """Process findings in batches using thread pool executor."""
+        processed_findings_count = 0
+        batch_size = get_thread_workers_max() * 2
+
+        with concurrent.futures.ThreadPoolExecutor(max_workers=get_thread_workers_max()) as executor:
+            batch = []
+            for finding in findings:
+                batch.append(finding)
+                if len(batch) >= batch_size:
+                    # Process this batch
                     list(executor.map(process_finding_with_progress, batch))
+                    processed_findings_count += len(batch)
+                    # Clear the batch
+                    batch = []
+
+            # Process any remaining items
+            if batch:
+                list(executor.map(process_finding_with_progress, batch))
+                processed_findings_count += len(batch)
+
+        return processed_findings_count
 
-        # Close outdated issues
-        self._results["scan_history"] = scan_history.save()
+    def _finalize_finding_processing(
+        self, scan_history: regscale_models.ScanHistory, current_vulnerabilities: Dict[int, Set[int]]
+    ) -> None:
+        """Finalize the finding processing by saving scan history and closing outdated vulnerabilities and issues."""
+        logger.info(
+            f"Saving scan history with final counts - Low: {scan_history.vLow}, Medium: {scan_history.vMedium}, High: {scan_history.vHigh}, Critical: {scan_history.vCritical}, Info: {scan_history.vInfo}"
+        )
+
+        # Ensure scan history is properly saved with updated counts
+        try:
+            scan_history.save()
+        except Exception as e:
+            logger.error(f"Error saving scan history: {e}")
+            # Try to save again with a fresh fetch
+            try:
+                scan_history.fetch()
+                scan_history.save()
+            except Exception as e2:
+                logger.error(f"Failed to save scan history after retry: {e2}")
+
+        self._results["scan_history"] = scan_history
         self.update_result_counts("issues", regscale_models.Issue.bulk_save(progress_context=self.finding_progress))
+        self.close_outdated_vulnerabilities(current_vulnerabilities)
         self.close_outdated_issues(current_vulnerabilities)
         self._perform_batch_operations(self.finding_progress)
 
-        return processed_findings_count
-
     @staticmethod
     def parse_poam_id(poam_identifier: str) -> Optional[int]:
         """
@@ -2285,15 +3082,15 @@ class ScannerIntegration(ABC):
                     parent_id=self.plan_id,
                     parent_module=self.parent_module,
                 )
-                self._max_poam_id = max(
-                    (
-                        parsed_id
-                        for issue in issues
-                        if issue.otherIdentifier
-                        and (parsed_id := self.parse_poam_id(issue.otherIdentifier)) is not None
-                    ),
-                    default=0,
-                )
+                # Extract parsed IDs for valid identifiers
+                parsed_ids = []
+                for issue in issues:
+                    if issue.otherIdentifier:
+                        parsed_id = self.parse_poam_id(issue.otherIdentifier)
+                        if parsed_id is not None:
+                            parsed_ids.append(parsed_id)
+
+                self._max_poam_id = max(parsed_ids, default=0)
 
             # Increment the cached max ID and store it
             self._max_poam_id = (self._max_poam_id or 0) + 1
@@ -2351,99 +3148,312 @@ class ScannerIntegration(ABC):
 
         # Process checklist if applicable
         if self.type == ScannerIntegrationType.CHECKLIST:
-            if not (asset := self.get_asset_by_identifier(finding.asset_identifier)):
-                if not getattr(self, "suppress_asset_not_found_errors", False):
-                    logger.error("2. Asset not found for identifier %s", finding.asset_identifier)
-                return
-
-            tool = regscale_models.ChecklistTool.STIGs
-            if finding.vulnerability_type == "Vulnerability Scan":
-                tool = regscale_models.ChecklistTool.VulnerabilityScanner
-
-            if not finding.cci_ref:
-                finding.cci_ref = "CCI-000366"
-
-            # Convert checklist status to string
-            checklist_status_str = str(finding.checklist_status.value)
-
-            logger.debug("Create or update checklist for %s", finding.external_id)
-            regscale_models.Checklist(
-                status=checklist_status_str,
-                assetId=asset.id,
-                tool=tool,
-                baseline=finding.baseline,
-                vulnerabilityId=finding.vulnerability_number,
-                results=finding.results,
-                check=finding.title,
-                cci=finding.cci_ref,
-                ruleId=finding.rule_id,
-                version=finding.rule_version,
-                comments=finding.comments,
-                datePerformed=finding.date_created,
-            ).create_or_update()
-
-            # For failing findings, handle control implementation updates
-            if finding.status != regscale_models.IssueStatus.Closed:
-                logger.debug("Handling failing checklist for %s", finding.external_id)
-                if self.type == ScannerIntegrationType.CHECKLIST:
-                    self.handle_failing_checklist(finding=finding, plan_id=self.plan_id)
-            else:
-                logger.debug("Handling passing checklist for %s", finding.external_id)
-                self.handle_passing_checklist(finding=finding, plan_id=self.plan_id)
+            self._process_checklist_finding(finding)
 
         # Process vulnerability if applicable
+        # IMPORTANT: Always track vulnerabilities regardless of status to enable proper issue closure logic
+        # This ensures that current_vulnerabilities dict accurately reflects the scan state
+        vulnerability_created = self._process_vulnerability_finding(finding, scan_history, current_vulnerabilities)
+
+        # Only create/update issues for non-closed findings (unless ingestClosedIssues is enabled)
         if finding.status != regscale_models.IssueStatus.Closed or ScannerVariables.ingestClosedIssues:
-            if asset := self.get_asset_by_identifier(finding.asset_identifier):
-                if vulnerability_id := self.handle_vulnerability(finding, asset, scan_history):
-                    current_vulnerabilities[asset.id].add(vulnerability_id)
             self.handle_failing_finding(
                 issue_title=finding.issue_title or finding.title,
                 finding=finding,
             )
-            # Update scan history severity counts
-            self.set_severity_count_for_scan(finding.severity, scan_history)
+
+        # Update scan history severity counts only if vulnerability was successfully created
+        if vulnerability_created:
+            logger.debug(
+                f"Updating severity count for successfully created vulnerability with severity: {finding.severity}"
+            )
+            self.set_severity_count_for_scan(finding.severity, scan_history, self.scan_history_lock)
+        else:
+            logger.debug(f"Skipping severity count update for finding {finding.external_id} - no vulnerability created")
+
+    def _process_checklist_finding(self, finding: IntegrationFinding) -> None:
+        """Process a checklist finding."""
+        asset = self.get_asset_by_identifier(finding.asset_identifier)
+        if not asset:
+            if not getattr(self, "suppress_asset_not_found_errors", False):
+                logger.error("2. Asset not found for identifier %s", finding.asset_identifier)
+            if not getattr(self, "import_all_findings", False):
+                return
+
+        tool = regscale_models.ChecklistTool.STIGs
+        if finding.vulnerability_type == "Vulnerability Scan":
+            tool = regscale_models.ChecklistTool.VulnerabilityScanner
+
+        if not finding.cci_ref:
+            finding.cci_ref = "CCI-000366"
+
+        # Convert checklist status to string
+        checklist_status_str = str(finding.checklist_status.value)
+
+        logger.debug("Create or update checklist for %s", finding.external_id)
+        regscale_models.Checklist(
+            status=checklist_status_str,
+            assetId=asset.id if asset else None,
+            tool=tool,
+            baseline=finding.baseline,
+            vulnerabilityId=finding.vulnerability_number,
+            results=finding.results,
+            check=finding.title,
+            cci=finding.cci_ref,
+            ruleId=finding.rule_id,
+            version=finding.rule_version,
+            comments=finding.comments,
+            datePerformed=finding.date_created,
+        ).create_or_update()
+
+        # Handle checklist status
+        self._handle_checklist_status(finding)
+
+    def _handle_checklist_status(self, finding: IntegrationFinding) -> None:
+        """Handle the status of a checklist finding."""
+        if finding.status != regscale_models.IssueStatus.Closed:
+            logger.debug("Handling failing checklist for %s", finding.external_id)
+            if self.type == ScannerIntegrationType.CHECKLIST:
+                self.handle_failing_checklist(finding=finding, plan_id=self.plan_id)
+        else:
+            logger.debug("Handling passing checklist for %s", finding.external_id)
+            self.handle_passing_checklist(finding=finding, plan_id=self.plan_id)
+
+    def _process_vulnerability_finding(
+        self,
+        finding: IntegrationFinding,
+        scan_history: regscale_models.ScanHistory,
+        current_vulnerabilities: Dict[int, Set[int]],
+    ) -> bool:
+        """Process a vulnerability finding and return whether vulnerability was created."""
+        logger.debug(f"Processing vulnerability for finding {finding.external_id} with status {finding.status}")
+
+        asset = self.get_asset_by_identifier(finding.asset_identifier)
+        if asset:
+            logger.debug(f"Found asset {asset.id} for finding {finding.external_id}")
+            if vulnerability_id := self.handle_vulnerability(finding, asset, scan_history):
+                current_vulnerabilities[asset.id].add(vulnerability_id)
+                logger.debug(
+                    f"Vulnerability created successfully for finding {finding.external_id} with ID {vulnerability_id}"
+                )
+                return True
+            else:
+                logger.debug(f"Vulnerability creation failed for finding {finding.external_id}")
+        else:
+            logger.debug(f"No asset found for finding {finding.external_id} with identifier {finding.asset_identifier}")
+            if getattr(self, "import_all_findings", False):
+                logger.debug("import_all_findings is True, attempting to create vulnerability without asset")
+                if vulnerability_id := self.handle_vulnerability(finding, None, scan_history):
+                    logger.debug(
+                        f"Vulnerability created successfully for finding {finding.external_id} with ID {vulnerability_id}"
+                    )
+                    return True
+                else:
+                    logger.debug(f"Vulnerability creation failed for finding {finding.external_id}")
+
+        return False
+
+    def handle_vulnerability(
+        self,
+        finding: IntegrationFinding,
+        asset: Optional[regscale_models.Asset],
+        scan_history: regscale_models.ScanHistory,
+    ) -> Optional[int]:
+        """
+        Handles the vulnerabilities for a finding.
+
+        :param IntegrationFinding finding: The integration finding
+        :param Optional[regscale_models.Asset] asset: The associated asset
+        :param regscale_models.ScanHistory scan_history: The scan history
+        :rtype: Optional[int]
+        :return: The vulnerability ID
+        """
+        logger.debug(f"Processing vulnerability for finding: {finding.external_id} - {finding.title}")
+
+        # Validate required fields
+        if not self._has_required_vulnerability_fields(finding):
+            return None
+
+        # Check asset requirements
+        if not self._check_asset_requirements(finding, asset):
+            return None
+
+        if asset:
+            logger.debug(f"Found asset: {asset.id} for finding {finding.external_id}")
+
+        # Create vulnerability with retry logic
+        return self._create_vulnerability_with_retry(finding, asset, scan_history)
+
+    def _has_required_vulnerability_fields(self, finding: IntegrationFinding) -> bool:
+        """Check if finding has required fields (plugin_name or cve)."""
+        plugin_name = getattr(finding, "plugin_name", None)
+        cve = getattr(finding, "cve", None)
+
+        if not plugin_name and not cve:
+            logger.warning("No Plugin Name or CVE found for finding %s", finding.title)
+            logger.debug(f"Finding plugin_name: {plugin_name}, cve: {cve}")
+            return False
+
+        logger.debug(f"Finding plugin_name: {plugin_name}, cve: {cve}")
+        return True
+
+    def _check_asset_requirements(self, finding: IntegrationFinding, asset: Optional[regscale_models.Asset]) -> bool:
+        """Check if asset requirements are met."""
+        if asset:
+            return True
+
+        if getattr(self, "import_all_findings", False):
+            logger.debug("Asset not found but import_all_findings is True, continuing without asset")
+            return True
+
+        if not getattr(self, "suppress_asset_not_found_errors", False):
+            logger.warning("VulnerabilityMapping Error: Asset not found for identifier %s", finding.asset_identifier)
+        return False
+
+    def _create_vulnerability_with_retry(
+        self,
+        finding: IntegrationFinding,
+        asset: Optional[regscale_models.Asset],
+        scan_history: regscale_models.ScanHistory,
+    ) -> Optional[int]:
+        """Create vulnerability with retry logic."""
+        max_retries = 3
+        retry_delay = 2  # seconds
+
+        for attempt in range(max_retries):
+            vulnerability_id = self._try_create_vulnerability(
+                finding, asset, scan_history, attempt, max_retries, retry_delay
+            )
+            if vulnerability_id is not None:
+                return vulnerability_id
+
+            if attempt < max_retries - 1:
+                time.sleep(retry_delay)
+                retry_delay *= 2  # Exponential backoff
+
+        return None
+
+    def _try_create_vulnerability(
+        self,
+        finding: IntegrationFinding,
+        asset: Optional[regscale_models.Asset],
+        scan_history: regscale_models.ScanHistory,
+        attempt: int,
+        max_retries: int,
+        retry_delay: int,
+    ) -> Optional[int]:
+        """Try to create vulnerability for a single attempt."""
+        try:
+            logger.debug(f"Creating vulnerability for finding {finding.external_id} (attempt {attempt + 1})")
+            vulnerability = self.create_vulnerability_from_finding(finding, asset, scan_history)
+            finding.vulnerability_id = vulnerability.id
+            logger.debug(f"Successfully created vulnerability {vulnerability.id} for finding {finding.external_id}")
+
+            self._handle_associated_issue(finding)
+            return vulnerability.id
+
+        except Exception as e:
+            self._handle_vulnerability_creation_error(e, finding, attempt, max_retries, retry_delay)
+            return None
+
+    def _handle_associated_issue(self, finding: IntegrationFinding) -> None:
+        """Handle associated issue creation if needed."""
+        if ScannerVariables.vulnerabilityCreation.lower() != "noissue":
+            self.create_or_update_issue_from_finding(
+                title=finding.title,
+                finding=finding,
+            )
+
+    def _handle_vulnerability_creation_error(
+        self, error: Exception, finding: IntegrationFinding, attempt: int, max_retries: int, retry_delay: int
+    ) -> None:
+        """Handle error during vulnerability creation."""
+        if attempt < max_retries - 1:
+            logger.warning(
+                f"Vulnerability creation failed for finding {finding.external_id} "
+                f"(attempt {attempt + 1}/{max_retries}): {error}. "
+                f"Retrying in {retry_delay} seconds..."
+            )
+        else:
+            logger.error(
+                f"Failed to create vulnerability for finding {finding.external_id} "
+                f"after {max_retries} attempts: {error}"
+            )
 
     def create_vulnerability_from_finding(
-        self, finding: IntegrationFinding, asset: regscale_models.Asset, scan_history: regscale_models.ScanHistory
+        self,
+        finding: IntegrationFinding,
+        asset: Optional[regscale_models.Asset],
+        scan_history: regscale_models.ScanHistory,
     ) -> regscale_models.Vulnerability:
         """
         Creates a vulnerability from an integration finding.
 
         :param IntegrationFinding finding: The integration finding
-        :param regscale_models.Asset asset: The associated asset
+        :param Optional[regscale_models.Asset] asset: The associated asset (can be None if import_all_findings is True)
         :param regscale_models.ScanHistory scan_history: The scan history
         :return: The created vulnerability
         :rtype: regscale_models.Vulnerability
         """
-        vulnerability = regscale_models.Vulnerability(
+        logger.debug(f"Creating vulnerability object for finding {finding.external_id}")
+
+        # Create vulnerability object
+        vulnerability = self._build_vulnerability_object(finding, asset, scan_history)
+
+        # Save vulnerability
+        logger.debug(f"Calling create_or_update for vulnerability with title: {vulnerability.title}")
+        vulnerability = vulnerability.create_or_update()
+        logger.debug(f"Vulnerability created/updated with ID: {vulnerability.id}")
+
+        # Create mapping if asset exists
+        if asset:
+            self._create_vulnerability_mapping(vulnerability, finding, asset, scan_history)
+        else:
+            logger.debug(
+                f"Skipping VulnerabilityMapping creation for vulnerability {vulnerability.id} - no asset provided"
+            )
+
+        return vulnerability
+
+    def _build_vulnerability_object(
+        self,
+        finding: IntegrationFinding,
+        asset: Optional[regscale_models.Asset],
+        scan_history: regscale_models.ScanHistory,
+    ) -> regscale_models.Vulnerability:
+        """Build the vulnerability object from finding data."""
+        # Get mapped values
+        severity = self._get_mapped_severity(finding)
+        ip_address = self._get_ip_address(finding, asset)
+        dns = self._get_dns(asset)
+        operating_system = self._get_operating_system(asset)
+
+        return regscale_models.Vulnerability(
             title=finding.title,
             cve=finding.cve,
-            vprScore=(
-                finding.vpr_score if hasattr(finding, "vprScore") else None
-            ),  # If this is the VPR score, otherwise use a different field
-            cvsSv3BaseScore=finding.cvss_v3_base_score or finding.cvss_v3_score or finding.cvss_score,
+            vprScore=self._get_vpr_score(finding),
+            cvsSv3BaseScore=self._get_cvss_v3_score(finding),
             cvsSv2BaseScore=finding.cvss_v2_score,
             cvsSv3BaseVector=finding.cvss_v3_vector,
             cvsSv2BaseVector=finding.cvss_v2_vector,
             scanId=scan_history.id,
-            severity=self.issue_to_vulnerability_map.get(finding.severity, regscale_models.VulnerabilitySeverity.Low),
+            severity=severity,
             description=finding.description,
             dateLastUpdated=finding.date_last_updated,
             parentId=self.plan_id,
             parentModule=self.parent_module,
-            dns=asset.fqdn or "unknown",
+            dns=dns,
             status=regscale_models.VulnerabilityStatus.Open,
-            ipAddress=finding.ip_address or asset.ipAddress or "",
+            ipAddress=ip_address,
             firstSeen=finding.first_seen,
             lastSeen=finding.last_seen,
-            plugInName=finding.cve or finding.plugin_name,  # Use CVE if available, otherwise use plugin name
-            plugInId=finding.plugin_id,
-            exploitAvailable=None,  # Set this if you have information about exploit availability
-            plugInText=finding.plugin_text
-            or finding.observations,  # or finding.evidence, whichever is more appropriate
-            port=finding.port if hasattr(finding, "port") else None,
-            protocol=finding.protocol if hasattr(finding, "protocol") else None,
-            operatingSystem=asset.operatingSystem if hasattr(asset, "operatingSystem") else None,
+            plugInName=finding.cve or finding.plugin_name,
+            plugInId=finding.plugin_id or finding.external_id,
+            exploitAvailable=None,
+            plugInText=finding.plugin_text or finding.observations,
+            port=getattr(finding, "port", None),
+            protocol=getattr(finding, "protocol", None),
+            operatingSystem=operating_system,
             fixedVersions=finding.fixed_versions,
             buildVersion=finding.build_version,
             fixStatus=finding.fix_status,
@@ -2454,8 +3464,68 @@ class ScannerIntegration(ABC):
             affectedPackages=finding.affected_packages,
         )
 
-        vulnerability = vulnerability.create_or_update()
-        regscale_models.VulnerabilityMapping(
+    def _get_mapped_severity(self, finding: IntegrationFinding) -> regscale_models.VulnerabilitySeverity:
+        """Get mapped severity for the finding."""
+        logger.debug(f"Finding severity: '{finding.severity}' (type: {type(finding.severity)})")
+        mapped_severity = self.issue_to_vulnerability_map.get(
+            finding.severity, regscale_models.VulnerabilitySeverity.Low
+        )
+        logger.debug(f"Mapped severity: {mapped_severity}")
+        return mapped_severity
+
+    def _get_ip_address(self, finding: IntegrationFinding, asset: Optional[regscale_models.Asset]) -> str:
+        """Get IP address from finding or asset."""
+        if finding.ip_address:
+            return finding.ip_address
+        if asset and hasattr(asset, "ipAddress") and asset.ipAddress:
+            return asset.ipAddress
+        return ""
+
+    def _get_dns(self, asset: Optional[regscale_models.Asset]) -> str:
+        """Get DNS from asset."""
+        if asset and hasattr(asset, "fqdn") and asset.fqdn:
+            return asset.fqdn
+        return "unknown"
+
+    def _get_operating_system(self, asset: Optional[regscale_models.Asset]) -> Optional[str]:
+        """Get operating system from asset."""
+        if asset and hasattr(asset, "operatingSystem"):
+            return asset.operatingSystem
+        return None
+
+    def _get_vpr_score(self, finding: IntegrationFinding) -> Optional[float]:
+        """Get VPR score from finding."""
+        if hasattr(finding, "vprScore"):
+            return finding.vpr_score
+        return None
+
+    def _get_cvss_v3_score(self, finding: IntegrationFinding) -> Optional[float]:
+        """Get CVSS v3 score from finding."""
+        return finding.cvss_v3_base_score or finding.cvss_v3_score or finding.cvss_score
+
+    def _create_vulnerability_mapping(
+        self,
+        vulnerability: regscale_models.Vulnerability,
+        finding: IntegrationFinding,
+        asset: regscale_models.Asset,
+        scan_history: regscale_models.ScanHistory,
+    ) -> None:
+        """Create vulnerability mapping with retry logic."""
+        logger.debug(f"Creating vulnerability mapping for vulnerability {vulnerability.id}")
+        logger.debug(f"Scan History ID: {scan_history.id}, Asset ID: {asset.id}, Plan ID: {self.plan_id}")
+
+        mapping = self._build_vulnerability_mapping(vulnerability, finding, asset, scan_history)
+        self._create_mapping_with_retry(mapping, vulnerability.id)
+
+    def _build_vulnerability_mapping(
+        self,
+        vulnerability: regscale_models.Vulnerability,
+        finding: IntegrationFinding,
+        asset: regscale_models.Asset,
+        scan_history: regscale_models.ScanHistory,
+    ) -> regscale_models.VulnerabilityMapping:
+        """Build vulnerability mapping object."""
+        return regscale_models.VulnerabilityMapping(
             vulnerabilityId=vulnerability.id,
             assetId=asset.id,
             scanId=scan_history.id,
@@ -2468,46 +3538,77 @@ class ScannerIntegration(ABC):
             lastSeen=finding.last_seen,
             status=finding.status,
             dateLastUpdated=get_current_datetime(),
-        ).create_unique()
-        return vulnerability
+        )
 
-    def handle_vulnerability(
-        self,
-        finding: IntegrationFinding,
-        asset: Optional[regscale_models.Asset],
-        scan_history: regscale_models.ScanHistory,
-    ) -> Optional[int]:
-        """
-        Handles the vulnerabilities for a finding.
+    def _create_mapping_with_retry(self, mapping: regscale_models.VulnerabilityMapping, vulnerability_id: int) -> None:
+        """Create vulnerability mapping with retry logic."""
+        import logging
+
+        max_retries = 3
+        retry_delay = 0.5
+        regscale_logger = logging.getLogger("regscale")
+        original_level = regscale_logger.level
 
-        :param IntegrationFinding finding: The integration finding
-        :param Optional[regscale_models.Asset] asset: The associated asset
-        :param regscale_models.ScanHistory scan_history: The scan history
-        :rtype: Optional[int]
-        :return: The vulnerability ID
-        """
-        if not (finding.plugin_name or finding.cve):
-            logger.warning("No Plugin Name or CVE found for finding %s", finding.title)
-            return None
+        for attempt in range(max_retries):
+            if self._try_create_mapping(
+                mapping, vulnerability_id, attempt, max_retries, regscale_logger, original_level
+            ):
+                break
 
-        if not asset:
-            if not getattr(self, "suppress_asset_not_found_errors", False):
-                logger.warning(
-                    "VulnerabilityMapping Error: Asset not found for identifier %s", finding.asset_identifier
-                )
-            return None
+            if attempt < max_retries - 1:
+                time.sleep(retry_delay)
+                retry_delay *= 2  # Exponential backoff
 
-        vulnerability = self.create_vulnerability_from_finding(finding, asset, scan_history)
-        finding.vulnerability_id = vulnerability.id
+    def _try_create_mapping(
+        self,
+        mapping: regscale_models.VulnerabilityMapping,
+        vulnerability_id: int,
+        attempt: int,
+        max_retries: int,
+        regscale_logger: logging.Logger,
+        original_level: int,
+    ) -> bool:
+        """Try to create mapping for a single attempt."""
+        try:
+            # Suppress error logging during retry attempts (but not the final attempt)
+            if attempt < max_retries - 1:
+                regscale_logger.setLevel(logging.CRITICAL)
 
-        if ScannerVariables.vulnerabilityCreation.lower() != "noissue":
-            # Handle associated issue
-            self.create_or_update_issue_from_finding(
-                title=finding.title,
-                finding=finding,
+            mapping.create_unique()
+
+            # Restore original log level
+            regscale_logger.setLevel(original_level)
+
+            if attempt > 0:
+                logger.info(
+                    f"VulnerabilityMapping created successfully on attempt {attempt + 1} for vulnerability {vulnerability_id}"
+                )
+            else:
+                logger.debug(f"Vulnerability mapping created for vulnerability {vulnerability_id}")
+            return True
+
+        except Exception as mapping_error:
+            # Restore original log level before handling the exception
+            regscale_logger.setLevel(original_level)
+            return self._handle_mapping_error(mapping_error, attempt, max_retries)
+
+    def _handle_mapping_error(self, error: Exception, attempt: int, max_retries: int) -> bool:
+        """Handle error during mapping creation."""
+        if attempt >= max_retries - 1:
+            logger.error(f"Failed to create VulnerabilityMapping after {max_retries} attempts: {error}")
+            # Convert to a more specific exception type
+            raise RuntimeError(f"VulnerabilityMapping creation failed after {max_retries} attempts") from error
+
+        # Check if it's a reference error
+        error_str = str(error)
+        if "400" in error_str and "Object reference" in error_str:
+            logger.debug(
+                f"VulnerabilityMapping creation failed due to reference error (attempt {attempt + 1}/{max_retries}). Retrying..."
             )
+            return False
 
-        return vulnerability.id
+        # Different error, re-raise with more context
+        raise RuntimeError(f"Unexpected error during VulnerabilityMapping creation: {error}") from error
 
     def _filter_vulns_open_by_other_tools(
         self, all_vulns: list[regscale_models.Vulnerability]
@@ -2532,13 +3633,34 @@ class ScannerIntegration(ABC):
                 vuln_list.append(vuln)
         return vuln_list
 
-    def close_outdated_vulnerabilities(self, current_vulnerabilities: Dict[int, Set[int]]) -> None:
+    def close_outdated_vulnerabilities(self, current_vulnerabilities: Dict[int, Set[int]]) -> int:
         """
         Closes vulnerabilities that are not in the current set of vulnerability IDs for each asset.
 
         :param Dict[int, Set[int]] current_vulnerabilities: Dictionary of asset IDs to lists of current vulnerability IDs
-        :rtype: None
+        :return: Number of vulnerabilities closed
+        :rtype: int
         """
+        if not self.close_outdated_findings:
+            logger.info("Skipping closing outdated vulnerabilities.")
+            return 0
+
+        # Check global preventAutoClose setting
+        from regscale.core.app.application import Application
+
+        app = Application()
+        if app.config.get("preventAutoClose", False):
+            logger.info("Skipping closing outdated vulnerabilities due to global preventAutoClose setting.")
+            return 0
+
+        # REG-17044: Add defensive logging to track vulnerability closure state
+        logger.debug(f"Vulnerability Closure Analysis for {self.title}:")
+        logger.debug(f"  - Assets with current vulnerabilities: {len(current_vulnerabilities)}")
+        total_current_vulns = sum(len(vuln_set) for vuln_set in current_vulnerabilities.values())
+        logger.debug(f"  - Total current vulnerabilities tracked: {total_current_vulns}")
+        if total_current_vulns == 0:
+            logger.warning("No current vulnerabilities tracked - this may close all vulnerabilities!")
+
         # Get all current vulnerability IDs
         current_vuln_ids = {vuln_id for vuln_ids in current_vulnerabilities.values() for vuln_id in vuln_ids}
 
@@ -2561,9 +3683,14 @@ class ScannerIntegration(ABC):
                 vuln.dateClosed = get_current_datetime()
                 vuln.save()
                 closed_count += 1
-                logger.info("Closed vulnerability %d", vuln.id)
+                logger.debug("Closed vulnerability %d", vuln.id)
 
-        logger.info("Closed %d outdated vulnerabilities.", closed_count)
+        (
+            logger.info("Closed %d outdated vulnerabilities.", closed_count)
+            if closed_count > 0
+            else logger.info("No outdated vulnerabilities to close.")
+        )
+        return closed_count
 
     @classmethod
     def close_mappings_list(cls, vuln: regscale_models.Vulnerability) -> None:
@@ -2601,31 +3728,101 @@ class ScannerIntegration(ABC):
         :return: Number of issues closed
         :rtype: int
         """
-        if not self.close_outdated_findings:
-            logger.info("Skipping closing outdated issues.")
+        if not self._should_close_issues(current_vulnerabilities):
             return 0
 
-        closed_count = 0
+        self._log_vulnerability_closure_analysis(current_vulnerabilities)
+
         affected_control_ids = set()
         count_lock = threading.Lock()
 
         open_issues = regscale_models.Issue.fetch_issues_by_ssp(
             None, ssp_id=self.plan_id, status=regscale_models.IssueStatus.Open.value
         )
-        task_id = self.finding_progress.add_task(
-            f"[cyan]Analyzing {len(open_issues)} issue(s) and closing any outdated issue(s)...", total=len(open_issues)
+
+        task_id = self._init_closure_task(len(open_issues))
+        self._process_issues_for_closure(
+            open_issues, current_vulnerabilities, count_lock, affected_control_ids, task_id
         )
+        self._update_affected_control_statuses(affected_control_ids)
 
-        def _process_single_issue(iss: regscale_models.Issue):
-            """
-            Process a single issue and update its status if necessary.
+        closed_count = len(affected_control_ids)
+        self._log_closure_results(closed_count)
+        return closed_count
+
+    def _should_close_issues(self, current_vulnerabilities: Dict[int, Set[int]]) -> bool:
+        """
+        Check if issues should be closed based on settings.
+
+        :param Dict[int, Set[int]] current_vulnerabilities: Current vulnerabilities
+        :return: True if should proceed with closing, False otherwise
+        :rtype: bool
+        """
+        if not self.close_outdated_findings:
+            logger.info("Skipping closing outdated issues.")
+            return False
+
+        from regscale.core.app.application import Application
+
+        app = Application()
+        if app.config.get("preventAutoClose", False):
+            logger.info("Skipping closing outdated issues due to global preventAutoClose setting.")
+            return False
+
+        return True
+
+    def _log_vulnerability_closure_analysis(self, current_vulnerabilities: Dict[int, Set[int]]) -> None:
+        """
+        Log analysis of current vulnerabilities for debugging.
+
+        :param Dict[int, Set[int]] current_vulnerabilities: Current vulnerabilities
+        :rtype: None
+        """
+        logger.debug(f"Issue Closure Analysis for {self.title}:")
+        total_current_vulns = sum(len(vuln_set) for vuln_set in current_vulnerabilities.values())
+        logger.debug(f"  - Total current vulnerabilities to check against: {total_current_vulns}")
+        if total_current_vulns == 0:
+            logger.warning("No current vulnerabilities tracked - this may close all issues!")
+
+    def _init_closure_task(self, total_issues: int):
+        """
+        Initialize progress task for issue closure.
+
+        :param int total_issues: Total number of issues
+        :return: Task ID or None
+        """
+        if self.finding_progress is not None and hasattr(self.finding_progress, "add_task"):
+            return self.finding_progress.add_task(
+                f"[cyan]Analyzing {total_issues} issue(s) and closing any outdated issue(s)...",
+                total=total_issues,
+            )
+        return None
+
+    def _process_issues_for_closure(
+        self,
+        open_issues: list,
+        current_vulnerabilities: Dict[int, Set[int]],
+        count_lock,
+        affected_control_ids: set,
+        task_id,
+    ) -> None:
+        """
+        Process all issues for potential closure.
+
+        :param list open_issues: Open issues to process
+        :param Dict[int, Set[int]] current_vulnerabilities: Current vulnerabilities
+        :param count_lock: Threading lock
+        :param set affected_control_ids: Set to track affected controls
+        :param task_id: Progress task ID
+        :rtype: None
+        """
 
-            :param regscale_models.Issue iss: The issue to process
-            """
+        def _process_single_issue(iss: regscale_models.Issue):
             if self.should_close_issue(iss, current_vulnerabilities):
                 self._close_issue(iss, count_lock, affected_control_ids)
-            with count_lock:
-                self.finding_progress.update(task_id, advance=1)
+            if task_id is not None and self.finding_progress is not None and hasattr(self.finding_progress, "update"):
+                with count_lock:
+                    self.finding_progress.update(task_id, advance=1)
 
         max_workers = get_thread_workers_max()
         if max_workers == 1:
@@ -2634,15 +3831,28 @@ class ScannerIntegration(ABC):
         else:
             self._process_issues_multithreaded(open_issues, _process_single_issue, max_workers)
 
+    def _update_affected_control_statuses(self, affected_control_ids: set) -> None:
+        """
+        Update status for all affected control implementations.
+
+        :param set affected_control_ids: Control IDs to update
+        :rtype: None
+        """
         for control_id in affected_control_ids:
             self.update_control_implementation_status_after_close(control_id)
+            self.update_assessment_status_from_control_implementation(control_id)
 
-        (
+    def _log_closure_results(self, closed_count: int) -> None:
+        """
+        Log results of issue closure operation.
+
+        :param int closed_count: Number of issues closed
+        :rtype: None
+        """
+        if closed_count > 0:
             logger.info("Closed %d outdated issues.", closed_count)
-            if closed_count > 0
-            else logger.info("No outdated issues to close.")
-        )
-        return closed_count
+        else:
+            logger.info("No outdated issues to close.")
 
     def _close_issue(self, issue: regscale_models.Issue, count_lock: threading.Lock, affected_control_ids: set):
         """
@@ -2661,15 +3871,18 @@ class ScannerIntegration(ABC):
         issue.dateLastUpdated = get_current_datetime()
         issue.save()
 
-        if ScannerVariables.useMilestones:
-            regscale_models.Milestone(
-                title=f"Issue closed from {self.title} scan",
-                milestoneDate=issue.dateCompleted,
-                responsiblePersonId=self.assessor_id,
-                completed=True,
-                parentID=issue.id,
-                parentModule="issues",
-            ).create_or_update()
+        if ScannerVariables.useMilestones and issue.id:
+            try:
+                regscale_models.Milestone(
+                    title=f"Issue closed from {self.title} scan",
+                    milestoneDate=issue.dateCompleted,
+                    responsiblePersonId=self.assessor_id,
+                    completed=True,
+                    parentID=issue.id,
+                    parentModule="issues",
+                ).create_or_update()
+            except Exception as e:
+                logger.warning("Failed to create closed issue milestone: %s", str(e))
             logger.debug("Created milestone for issue %s from %s tool", issue.id, self.title)
 
         with count_lock:
@@ -2735,7 +3948,103 @@ class ScannerIntegration(ABC):
         if control_implementation.status != new_status:
             control_implementation.status = new_status
             self.control_implementation_map[control_id] = control_implementation.save()
-            logger.info("Updated control implementation %d status to %s", control_id, new_status)
+            logger.debug("Updated control implementation %d status to %s", control_id, new_status)
+
+    def update_assessment_status_from_control_implementation(self, control_implementation_id: int) -> None:
+        """
+        Updates the assessment status based on the control implementation status.
+        Treats the ControlImplementation status as the source of truth.
+
+        Sets assessment to PASS if ControlImplementation status is FULLY_IMPLEMENTED,
+        otherwise sets it to FAIL.
+
+        This method should be called after update_control_implementation_status_after_close
+        to ensure assessments reflect the final control implementation state.
+
+        :param int control_implementation_id: The ID of the control implementation
+        :rtype: None
+        """
+        # Get the cached assessment for this control implementation
+        assessment = self.assessment_map.get(control_implementation_id)
+
+        if not assessment:
+            logger.debug(
+                "No assessment found in cache for control implementation %d, skipping assessment update",
+                control_implementation_id,
+            )
+            return
+
+        # Get the control implementation to check its status
+        control_implementation = self.control_implementation_map.get(
+            control_implementation_id
+        ) or regscale_models.ControlImplementation.get_object(object_id=control_implementation_id)
+
+        if not control_implementation:
+            logger.warning("Control implementation %d not found, cannot update assessment", control_implementation_id)
+            return
+
+        # Determine assessment result based on control implementation status
+        # Treat ControlImplementation status as the source of truth
+        new_assessment_result = (
+            regscale_models.AssessmentResultsStatus.PASS
+            if control_implementation.status == regscale_models.ImplementationStatus.FULLY_IMPLEMENTED.value
+            else regscale_models.AssessmentResultsStatus.FAIL
+        )
+
+        # Only update if the status has changed
+        if assessment.assessmentResult != new_assessment_result.value:
+            assessment.assessmentResult = new_assessment_result.value
+            assessment.save()
+            logger.debug(
+                "Updated assessment %d for control implementation %d: assessmentResult=%s (based on control status: %s)",
+                assessment.id,
+                control_implementation_id,
+                new_assessment_result.value,
+                control_implementation.status,
+            )
+        else:
+            logger.debug(
+                "Assessment %d already has correct status %s for control implementation %d",
+                assessment.id,
+                assessment.assessmentResult,
+                control_implementation_id,
+            )
+
+    @staticmethod
+    def is_issue_protected_from_auto_close(issue: regscale_models.Issue) -> bool:
+        """
+        Check if an issue is protected from automatic closure.
+
+        :param regscale_models.Issue issue: The issue to check
+        :return: True if the issue should not be auto-closed
+        :rtype: bool
+        """
+        try:
+            # Check global configuration setting
+            app = Application()
+            if app.config.get("preventAutoClose", False):
+                logger.debug(f"Issue {issue.id} is protected from auto-closure by global preventAutoClose setting")
+                return True
+
+            # Check for protection property
+            properties = Property.get_all_by_parent(parent_id=issue.id, parent_module="issues")
+
+            for prop in properties:
+                if prop.key == "PREVENT_AUTO_CLOSE" and prop.value.lower() == "true":
+                    logger.debug(f"Issue {issue.id} is protected from auto-closure by PREVENT_AUTO_CLOSE property")
+                    return True
+
+            # Check for manual reopen indicators in changes
+            if issue.changes and "manually reopened" in issue.changes.lower():
+                logger.debug(f"Issue {issue.id} is protected from auto-closure due to manual reopen indicator")
+                return True
+
+            return False
+
+        except Exception as e:
+            # If we can't check, err on the side of caution and protect the issue
+            logger.warning(f"Could not check protection status for issue {issue.id}: {e}")
+            return True
 
     def should_close_issue(self, issue: regscale_models.Issue, current_vulnerabilities: Dict[int, Set[int]]) -> bool:
         """
@@ -2754,6 +4063,11 @@ class ScannerIntegration(ABC):
             )
             return False
 
+        # Check if the issue is protected from auto-closure
+        if self.is_issue_protected_from_auto_close(issue):
+            logger.debug(f"Issue {issue.id} is protected from automatic closure")
+            return False
+
         # If the issue has a vulnerability ID, check if it's still current for any asset
         if issue.vulnerabilityId:
             # Get vulnerability mappings for this issue
@@ -2779,23 +4093,55 @@ class ScannerIntegration(ABC):
         return True
 
     @staticmethod
-    def set_severity_count_for_scan(severity: str, scan_history: regscale_models.ScanHistory) -> None:
+    def set_severity_count_for_scan(
+        severity: str, scan_history: regscale_models.ScanHistory, lock: Optional[threading.RLock] = None
+    ) -> None:
         """
-        Increments the count of the severity
+        Increments the count of the severity in a thread-safe manner.
+
+        NOTE: This method does NOT save the scan_history object. The caller is responsible
+        for saving the scan_history after all increments are complete to avoid race conditions
+        and excessive database writes in multi-threaded environments.
+
         :param str severity: Severity of the vulnerability
         :param regscale_models.ScanHistory scan_history: Scan history object
+        :param Optional[threading.RLock] lock: Thread lock for synchronization (recommended in multi-threaded context)
         :rtype: None
         """
-        if severity == regscale_models.IssueSeverity.Low:
-            scan_history.vLow += 1
-        elif severity == regscale_models.IssueSeverity.Moderate:
-            scan_history.vMedium += 1
-        elif severity == regscale_models.IssueSeverity.High:
-            scan_history.vHigh += 1
-        elif severity == regscale_models.IssueSeverity.Critical:
-            scan_history.vCritical += 1
+
+        def _increment_severity():
+            """Internal method to perform the actual increment."""
+            logger.debug(f"Setting severity count for scan {scan_history.id}: severity='{severity}'")
+            logger.debug(
+                f"Current counts - Low: {scan_history.vLow}, Medium: {scan_history.vMedium}, High: {scan_history.vHigh}, Critical: {scan_history.vCritical}, Info: {scan_history.vInfo}"
+            )
+
+            if severity.lower() == regscale_models.IssueSeverity.Low.value.lower():
+                scan_history.vLow += 1
+                logger.debug(f"Incremented vLow count to {scan_history.vLow}")
+            elif severity.lower() == regscale_models.IssueSeverity.Moderate.value.lower():
+                scan_history.vMedium += 1
+                logger.debug(f"Incremented vMedium count to {scan_history.vMedium}")
+            elif severity.lower() == regscale_models.IssueSeverity.High.value.lower():
+                scan_history.vHigh += 1
+                logger.debug(f"Incremented vHigh count to {scan_history.vHigh}")
+            elif severity.lower() == regscale_models.IssueSeverity.Critical.value.lower():
+                scan_history.vCritical += 1
+                logger.debug(f"Incremented vCritical count to {scan_history.vCritical}")
+            else:
+                scan_history.vInfo += 1
+                logger.debug(f"Incremented vInfo count to {scan_history.vInfo}")
+
+            logger.debug(
+                f"Updated counts - Low: {scan_history.vLow}, Medium: {scan_history.vMedium}, High: {scan_history.vHigh}, Critical: {scan_history.vCritical}, Info: {scan_history.vInfo}"
+            )
+
+        # Use lock if provided for thread-safe increments
+        if lock:
+            with lock:
+                _increment_severity()
         else:
-            scan_history.vInfo += 1
+            _increment_severity()
 
     @classmethod
     def cci_assessment(cls, plan_id: int) -> None:
@@ -2944,13 +4290,10 @@ class ScannerIntegration(ABC):
         APIHandler().log_api_summary()
         created_count = instance._results.get("assets", {}).get("created_count", 0)
         updated_count = instance._results.get("assets", {}).get("updated_count", 0)
-        dedupe_count = (instance.num_assets_to_process or assets_processed) - (created_count + updated_count)
-        # Ensure dedupe_count is always a positive value
-        dedupe_count = dedupe_count if dedupe_count >= 0 else dedupe_count * -1
+        total_assets = created_count + updated_count
         logger.info(
-            "%d assets processed and %d asset(s) deduped. %d asset(s) created & %d asset(s) updated in RegScale.",
-            assets_processed,
-            dedupe_count,
+            "%d asset(s) synced to RegScale: %d created, %d updated.",
+            total_assets,
             created_count,
             updated_count,
         )
@@ -3096,11 +4439,11 @@ class ScannerIntegration(ABC):
         :return: None
         :rtype: None
         """
-        finding.due_date = issue_due_date(
+        finding.due_date = self.due_date_handler.calculate_due_date(
             severity=finding.severity,
             created_date=finding.date_created or self.scan_date,
-            title=self.title,
-            config=self.app.config,
+            cve=finding.cve,
+            title=finding.title or self.title,
         )
 
     def _update_last_seen_date(self, finding: IntegrationFinding) -> None:
@@ -3209,30 +4552,14 @@ class ScannerIntegration(ABC):
         :rtype: int
         """
         logger.info("Updating RegScale checklists...")
-        loading_findings = self.finding_progress.add_task(
-            f"[#f8b737]Creating and updating checklists from {self.title}."
-        )
+        loading_findings = self._init_checklist_progress_task()
         checklists_processed = 0
 
         def process_finding(finding_to_process: IntegrationFinding) -> None:
-            """
-            Process a single finding and update the progress bar.
-
-            :param IntegrationFinding finding_to_process: The finding to process
-            :rtype: None
-            """
             nonlocal checklists_processed
             try:
                 self.process_checklist(finding_to_process)
-                if self.num_findings_to_process and self.finding_progress.tasks[loading_findings].total != float(
-                    self.num_findings_to_process
-                ):
-                    self.finding_progress.update(
-                        loading_findings,
-                        total=self.num_findings_to_process,
-                        description=f"[#f8b737]Creating and updating {self.num_findings_to_process} checklists from {self.title}.",
-                    )
-                self.finding_progress.advance(loading_findings, 1)
+                self._update_checklist_progress(loading_findings)
                 checklists_processed += 1
             except Exception as exc:
                 self.log_error(
@@ -3242,6 +4569,64 @@ class ScannerIntegration(ABC):
                     exc,
                 )
 
+        self._execute_checklist_processing(findings, process_finding)
+        return checklists_processed
+
+    def _init_checklist_progress_task(self):
+        """
+        Initialize progress task for checklist processing.
+
+        :return: Task ID or None
+        """
+        if self.finding_progress is not None and hasattr(self.finding_progress, "add_task"):
+            return self.finding_progress.add_task(f"[#f8b737]Creating and updating checklists from {self.title}.")
+        return None
+
+    def _update_checklist_progress(self, loading_findings) -> None:
+        """
+        Update checklist processing progress.
+
+        :param loading_findings: Progress task ID
+        :rtype: None
+        """
+        if not (
+            loading_findings is not None
+            and self.finding_progress is not None
+            and hasattr(self.finding_progress, "tasks")
+            and hasattr(self.finding_progress, "update")
+        ):
+            return
+
+        if self._should_update_progress_total(loading_findings):
+            self.finding_progress.update(
+                loading_findings,
+                total=self.num_findings_to_process,
+                description=f"[#f8b737]Creating and updating {self.num_findings_to_process} checklists from {self.title}.",
+            )
+
+        if hasattr(self.finding_progress, "advance"):
+            self.finding_progress.advance(loading_findings, 1)
+
+    def _should_update_progress_total(self, loading_findings) -> bool:
+        """
+        Check if progress total should be updated.
+
+        :param loading_findings: Progress task ID
+        :return: True if should update, False otherwise
+        :rtype: bool
+        """
+        return self.num_findings_to_process and self.finding_progress.tasks[loading_findings].total != float(
+            self.num_findings_to_process
+        )
+
+    def _execute_checklist_processing(self, findings: List[IntegrationFinding], process_finding) -> None:
+        """
+        Execute checklist processing sequentially or in parallel.
+
+        :param List[IntegrationFinding] findings: Findings to process
+        :param process_finding: Function to process each finding
+        :rtype: None
+        """
         if get_thread_workers_max() == 1:
             for finding in findings:
                 process_finding(finding)
@@ -3249,8 +4634,6 @@ class ScannerIntegration(ABC):
             with concurrent.futures.ThreadPoolExecutor(max_workers=get_thread_workers_max()) as executor:
                 list(executor.map(process_finding, findings))
 
-        return checklists_processed
-
     def create_control_test_result(
         self,
         finding: IntegrationFinding,
@@ -3309,3 +4692,151 @@ class ScannerIntegration(ABC):
                 datetime.strptime(issue_date_created, "%Y-%m-%d %H:%M:%S") + diff
             )
         return None
+
+    def create_vulnerabilities_bulk(
+        self,
+        findings: List[IntegrationFinding],
+        assets: Dict[str, regscale_models.Asset],
+        scan_history: regscale_models.ScanHistory,
+    ) -> Dict[str, int]:
+        """
+        Create vulnerabilities in bulk to improve performance and reduce API calls.
+
+        :param List[IntegrationFinding] findings: List of findings to create vulnerabilities for
+        :param Dict[str, regscale_models.Asset] assets: Dictionary of assets by identifier
+        :param regscale_models.ScanHistory scan_history: The scan history
+        :return: Dictionary mapping finding external_id to vulnerability_id
+        :rtype: Dict[str, int]
+        """
+        vulnerabilities_to_create, finding_to_vuln_map = self._prepare_vulnerabilities_for_bulk(
+            findings, assets, scan_history
+        )
+
+        if not vulnerabilities_to_create:
+            logger.warning("No vulnerabilities to create in bulk")
+            return {}
+
+        return self._execute_bulk_vulnerability_creation(
+            vulnerabilities_to_create, finding_to_vuln_map, findings, assets, scan_history
+        )
+
+    def _prepare_vulnerabilities_for_bulk(
+        self,
+        findings: List[IntegrationFinding],
+        assets: Dict[str, regscale_models.Asset],
+        scan_history: regscale_models.ScanHistory,
+    ) -> tuple[List, Dict]:
+        """Prepare vulnerability objects for bulk creation."""
+        vulnerabilities_to_create = []
+        finding_to_vuln_map = {}
+
+        for finding in findings:
+            if not self._is_finding_valid_for_vulnerability(finding):
+                continue
+
+            asset = assets.get(finding.asset_identifier)
+            if not self._is_asset_valid(asset, finding):
+                continue
+
+            vulnerability = self._create_vulnerability_object(finding, asset, scan_history)
+            if vulnerability:
+                vulnerabilities_to_create.append(vulnerability)
+                finding_to_vuln_map[finding.external_id] = vulnerability
+
+        return vulnerabilities_to_create, finding_to_vuln_map
+
+    def _is_finding_valid_for_vulnerability(self, finding: IntegrationFinding) -> bool:
+        """Check if a finding is valid for vulnerability creation."""
+        if not (finding.plugin_name or finding.cve):
+            logger.warning("No Plugin Name or CVE found for finding %s", finding.title)
+            return False
+        return True
+
+    def _is_asset_valid(self, asset: Optional[regscale_models.Asset], finding: IntegrationFinding) -> bool:
+        """Check if an asset is valid for vulnerability creation."""
+        if not asset:
+            if not getattr(self, "suppress_asset_not_found_errors", False):
+                logger.warning(
+                    "VulnerabilityMapping Error: Asset not found for identifier %s", finding.asset_identifier
+                )
+            return False
+        return True
+
+    def _create_vulnerability_object(
+        self,
+        finding: IntegrationFinding,
+        asset: regscale_models.Asset,
+        scan_history: regscale_models.ScanHistory,
+    ) -> Optional[regscale_models.Vulnerability]:
+        """Create a vulnerability object from a finding."""
+        try:
+            return self.create_vulnerability_from_finding(finding, asset, scan_history)
+        except Exception as e:
+            logger.error(f"Failed to prepare vulnerability for finding {finding.external_id}: {e}")
+            return None
+
+    def _execute_bulk_vulnerability_creation(
+        self,
+        vulnerabilities_to_create: List,
+        finding_to_vuln_map: Dict,
+        findings: List[IntegrationFinding],
+        assets: Dict[str, regscale_models.Asset],
+        scan_history: regscale_models.ScanHistory,
+    ) -> Dict[str, int]:
+        """Execute bulk vulnerability creation with fallback to individual creation."""
+        try:
+            created_vulnerabilities = regscale_models.Vulnerability.batch_create(
+                vulnerabilities_to_create, progress_context=self.finding_progress
+            )
+
+            result = self._map_vulnerabilities_to_findings(
+                created_vulnerabilities, vulnerabilities_to_create, finding_to_vuln_map
+            )
+
+            logger.info(f"Successfully created {len(created_vulnerabilities)} vulnerabilities in bulk")
+            return result
+
+        except Exception as e:
+            logger.error(f"Bulk vulnerability creation failed: {e}")
+            logger.info("Falling back to individual vulnerability creation...")
+            return self._create_vulnerabilities_individual(findings, assets, scan_history)
+
+    def _map_vulnerabilities_to_findings(
+        self,
+        created_vulnerabilities: List,
+        vulnerabilities_to_create: List,
+        finding_to_vuln_map: Dict,
+    ) -> Dict[str, int]:
+        """Map created vulnerabilities back to findings."""
+        result = {}
+        for i, created_vuln in enumerate(created_vulnerabilities):
+            if i < len(vulnerabilities_to_create):
+                original_vuln = vulnerabilities_to_create[i]
+                # Find the finding that corresponds to this vulnerability
+                for finding_id, vuln in finding_to_vuln_map.items():
+                    if vuln == original_vuln:
+                        result[finding_id] = created_vuln.id
+                        break
+        return result
+
+    def _create_vulnerabilities_individual(
+        self,
+        findings: List[IntegrationFinding],
+        assets: Dict[str, regscale_models.Asset],
+        scan_history: regscale_models.ScanHistory,
+    ) -> Dict[str, int]:
+        """
+        Create vulnerabilities individually as fallback.
+
+        :param List[IntegrationFinding] findings: List of findings
+        :param Dict[str, regscale_models.Asset] assets: Dictionary of assets
+        :param regscale_models.ScanHistory scan_history: The scan history
+        :return: Dictionary mapping finding external_id to vulnerability_id
+        :rtype: Dict[str, int]
+        """
+        result = {}
+        for finding in findings:
+            vulnerability_id = self.handle_vulnerability(finding, assets.get(finding.asset_identifier), scan_history)
+            if vulnerability_id:
+                result[finding.external_id] = vulnerability_id
+        return result