RHEL-07-020260 requires that systems be up-to-date. It is not proscribed how this should be done.

The finding details in V2R2 are:

If package updates have not been performed on the system within the timeframe that the site/program documentation requires, this is a finding.

Typical update frequency may be overridden by Information Assurance Vulnerability Alert (IAVA) notifications from CYBERCOM.

If the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding.

The Fix Text is

Install the operating system patches or updated packages available from Red Hat within 30 days or sooner as local policy dictates.

Installing yum-cron and configuring it is toublesome for offline systems and systems whose "optional" repo name doesn't match the expected value for an online, subscribed system. Further, even setting

rhel7stig_auto_package_updates:
    enabled: no

fails because it tries to enable the problematic repos when removing the yum-cron package. The only workaround is to set rhel_07_020260: no, which makes it appear at first glance like the system is non-compliant with that rule.

I don't think we need yum-cron, but if we want to keep it, we should make it optional. If we're installing it from the 'optional' repo, we should enable that repo permanently in case there is a security bug with yum-cron itself. The most the role should do here, in my opinion is to do a one-off yum-update, perhaps only if not otherwise done within 30 days.

+1 on making yum-cron optional