Add requirement to review exemptions to smart card login.

[akegerreis]

If a site is using smart card login but is also allowing unmapped users, the exemption list should be documented with the ISSM.

[robertgendler]

@akegerreis do you have a suggestion on how this should appear in the project?

A note in supplemental where unmapped users is talked about? A separate rule?

[akegerreis]

@robertgendler we have this slated to go into the supplemental for our April release of the STIG.