| V-223871 | | All IBM z/OS digital certificates in use must have a valid path to a trusted Certification Authority (CA). | Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly tru... |
| V-223872 | | Expired IBM z/OS digital certificates must not be used. | Without path validation, an informed trust decision by the relying party cannot be made when presented with any certificate not already explicitly tru... |
| V-223873 | | IBM z/OS must have Certificate Name Filtering implemented with appropriate authorization and documentation. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-223875 | | The number of CA-TSS ACIDs possessing the tape Bypass Label Processing (BLP) privilege must be limited. | The use of security policy filters provides protection for the confidentiality of data by restricting the flow of data. A crucial part of any flow con... |
| V-223877 | | The CA-TSS NPWRTHRESH Control Option must be properly set. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-223878 | | The CA-TSS NPPTHRESH Control Option must be properly set. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-223879 | | The CA-TSS PTHRESH Control Option must be set to 2. | By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force att... |
| V-223881 | | IBM z/OS must limit access for SMF collection files (i.e., SYS1.MANx) to appropriate users and/or batch jobs that perform SMF dump processing. | SMF data collection is the system activity journaling facility of the z/OS system. Unauthorized access could result in the compromise of logging and r... |
| V-223883 | | IBM z/OS for PKI-based authentication must use ICSF or the ESM to store keys. | If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure.
Th... |
| V-223885 | | The CA-TSS NEWPHRASE and PPSCHAR Control Options must be properly set. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-223886 | | The CA-TSS NEWPW control options must be properly set. | If the private key is stolen, this will lead to the compromise of the authentication and nonrepudiation gained through PKI because the attacker can us... |
| V-223888 | | The CA-TSS PWEXP Control Option must be set to 60. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not... |
| V-223889 | | The CA-TSS PPEXP Control Option must be properly set. | Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed periodically. If the operating system does not... |
| V-223890 | | The CA-TSS PWHIST Control Option must be set to 10 or greater. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the in... |
| V-223891 | | The CA-TSS PPHIST Control Option must be properly set. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. If the in... |
| V-223893 | | CA-TSS access to SYS1.LINKLIB must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD syst... |
| V-223902 | | CA-TSS must limit WRITE or greater access to LINKLIST libraries to system programmers only. | Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary... |
| V-223905 | | CA-TSS allocate access to system user catalogs must be limited to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223906 | | CA-TSS must limit WRITE or greater access to all system-level product installation libraries to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223907 | | CA-TSS must limit WRITE or greater access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223909 | | CA-TSS must limit access to data sets used to back up and/or dump SMF collection files to appropriate users and/or batch jobs that perform SMF dump processing. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223910 | | CA-TSS must limit access to SYSTEM DUMP data sets to system programmers only. | System DUMP data sets are used to record system data areas and virtual storage associated with system task failures. Unauthorized access could result ... |
| V-223911 | | CA-TSS WRITE or Greater access to System backup files must be limited to system programmers and/or batch jobs that perform DASD backups. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223912 | | CA-TSS must limit access to SYS(x).TRACE to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223913 | | CA-TSS must limit access to System page data sets (i.e., PLPA, COMMON, and LOCALx) to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223916 | | CA-TSS must protect memory and privileged program dumps in accordance with proper security requirements. | Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: ac... |
| V-223918 | | IBM z/OS system commands must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223919 | | IBM z/OS MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223920 | | CA-TSS must properly define users that have access to the CONSOLE resource in the TSOAUTH resource class. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223921 | | IBM z/OS Operating system commands (MVS.) of the OPERCMDS resource class must be properly owned. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223922 | | CA-TSS AUTH Control Option values specified must be set to (OVERRIDE,ALLOVER) or (MERGE,ALLOVER). | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223924 | | Data set masking characters must be properly defined to the CA-TSS security database. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223926 | | CA-TSS ACIDs must not have access to FAC(*ALL*). | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223927 | | The CA-TSS ALL record must have appropriate access to Facility Matrix Tables. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223928 | | Data set masking characters allowing access to all data sets must be properly restricted in the CA-TSS security database. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223930 | | IBM z/OS Sensitive Utility Controls must be properly defined and protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223931 | | IBM z/OS Started tasks must be properly defined to CA-TSS. | Started procedures have system generated job statements that do not contain the user, group, or password statements. To enable the started procedure t... |
| V-223932 | | The CA-TSS CANCEL Control Option must not be specified. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223933 | | The CA-TSS HPBPW Control Option must be set to three days maximum. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223934 | | The CA-TSS INSTDATA Control Option must be set to 0. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223935 | | The CA-TSS OPTIONS Control Option must include option 4 at a minimum. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223936 | | CA-TSS TEMPDS Control Option must be set to YES. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223937 | | The number of CA-TSS control ACIDs must be justified and properly assigned. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223938 | | The number of CA-TSS ACIDs with MISC9 authority must be justified. | Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the secur... |
| V-223939 | | The CA-TSS LUUPDONCE Control Option value specified must be set to NO. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223940 | | The CA-TSS Automatic Data Set Protection (ADSP) Control Option must be set to NO. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223941 | | CA-TSS RECOVER Control Option must be set to ON. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-223942 | | IBM z/OS must properly configure CONSOLxx members. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types... |
| V-223943 | | IBM z/OS must properly protect MCS console userid(s). | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types... |
| V-223944 | | The CA-TSS CPFRCVUND Control Option value specified must be set to NO. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-223945 | | The CA-TSS CPFTARGET Control Option value specified must be set to LOCAL. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-223950 | | CA-TSS Batch ACID(s) submitted through RJE and NJE must be sourced. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-223951 | | IBM z/OS DASD management ACIDs must be properly defined to CA-TSS. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-223952 | | CA-TSS user accounts must uniquely identify system users. | To assure individual accountability and prevent unauthorized access, organizational users must be individually identified and authenticated.
A group ... |
| V-223953 | | CA-TSS security administrator must develop a process to suspend userids found inactive for more than 35 days. | Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected ac... |
| V-223954 | | The CA-TSS INACTIVE Control Option must be properly set. | Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected ac... |
| V-223955 | | The CA-TSS AUTOERASE Control Option must be set to ALL for all systems. | Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the a... |
| V-223956 | | CA-TSS DOWN Control Option values must be properly specified. | Failure to a known safe state helps prevent systems from failing to a state that may cause loss of data or unauthorized access to system resources. Op... |
| V-223958 | | CA-TSS ACID creation must use the EXP option. | Without providing this capability, an account may be created without a password. Nonrepudiation cannot be guaranteed once an account is created if a u... |
| V-223959 | | The CA-TSS SUBACID Control Option must be set to U,8. | In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileg... |
| V-223960 | | CA-TSS must use propagation control to eliminate ACID inheritance. | In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileg... |
| V-223961 | | IBM z/OS scheduled production batch ACIDs must specify the CA-TSS BATCH Facility, and the Batch Job Scheduler must be authorized to the Scheduled production CA-TSS batch ACID. | In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileg... |
| V-223962 | | CA-TSS ADMINBY Control Option must be set to ADMINBY. | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromise... |
| V-223963 | | CA-TSS LOG Control Option must be set to (SMF,INIT, SEC9, MSG). | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromise... |
| V-223964 | | CA-TSS MSCA ACID password changes must be documented in the change log. | Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromise... |
| V-223965 | | The IBM z/OS IEASYMUP resource must be protected in accordance with proper security requirements. | Privileged functions include, for example, establishing accounts, performing system integrity checks, or administering cryptographic key management ac... |
| V-223966 | | CA-TSS Default ACID must be properly defined. | Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary... |
| V-223968 | | CA-TSS MSCA ACID must perform security administration only. | Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary... |
| V-223970 | | CA-TSS ACIDs defined as security administrators must have the NOATS attribute. | Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary... |
| V-223972 | | CA-TSS VTHRESH Control Option values specified must be set to (10,NOT,CAN). | Automatic session termination addresses the termination of user-initiated logical sessions in contrast to the termination of network connections that ... |
| V-223973 | | IBM z/OS FTP.DATA configuration statements must have a proper banner statement with the Standard Mandatory DOD Notice and Consent Banner. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-223974 | | IBM z/OS SMF recording options for the FTP server must be configured to write SMF records for all eligible events. | Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities... |
| V-223975 | | CA-TSS permission bits and user audit bits for HFS objects that are part of the FTP server component must be properly configured. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223976 | | IBM z/OS data sets for the FTP server must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223977 | | IBM z/OS FTP Control cards must be properly stored in a secure PDS file. | Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the secur... |
| V-223978 | | IBM z/OS user exits for the FTP server must not be used without proper approval and documentation. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types... |
| V-223979 | | The IBM z/OS FTP server daemon must be defined with proper security parameters. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-223980 | | IBM z/OS FTP.DATA configuration for the FTP server must have the INACTIVE statement properly set. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se... |
| V-223981 | | IBM z/OS startup parameters for the FTP server must have the INACTIVE statement properly set. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se... |
| V-223982 | | IBM z/OS FTP.DATA configuration statements for the FTP server must specify the Standard Mandatory DoD Notice and Consent Banner statement. | Display of a standardized and approved use notification before granting access to the publicly accessible operating system ensures privacy and securit... |
| V-223984 | | The IBM z/OS TFTP server program must be properly protected. | Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that r... |
| V-223985 | | IBM z/OS JES2.** resource must be properly protected in the CA-TSS database. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223986 | | IBM z/OS RJE workstations and NJE nodes must be controlled in accordance with STIG requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223987 | | IBM z/OS JES2 input sources must be controlled in accordance with the proper security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223988 | | IBM z/OS JES2 input sources must be properly controlled. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223989 | | IBM z/OS JES2 output devices must be controlled in accordance with the proper security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223990 | | IBM z/OS JES2 output devices must be properly controlled for classified systems. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223991 | | IBM z/OS JESSPOOL resources must be protected in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223992 | | IBM z/OS JESNEWS resources must be protected in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223993 | | IBM z/OS JESTRACE and/or SYSLOG resources must be protected in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223994 | | IBM z/OS JES2 spool resources must be controlled in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223995 | | IBM z/OS JES2 system commands must be protected in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD syst... |
| V-223996 | | IBM z/OS Surrogate users must be controlled in accordance with proper security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223997 | | Duplicated IBM z/OS sensitive utilities and/or programs must not exist in APF libraries. | Removal of unneeded or non-secure functions, ports, protocols, and services mitigate the risk of unauthorized connection of devices, unauthorized tran... |
| V-223998 | | IBM z/OS required SMF data record types must be collected. | Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomp... |
| V-223999 | | IBM z/OS Session manager must properly configure wait time limits. | A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information syst... |
| V-224000 | | The IBM z/OS BPX.SMF resource must be properly configured. | Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities... |
| V-224001 | | IBM z/OS must specify SMF data options to ensure appropriate activation. | Without establishing when events occurred, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.
In... |
| V-224002 | | IBM z/OS BUFUSEWARN in the SMFPRMxx must be properly set. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio... |
| V-224003 | | IBM z/OS PASSWORD data set and OS passwords must not be used. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-224004 | | The CA-TSS database must be on a separate physical volume from its backup and recovery data sets. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-224005 | | The CA-TSS database must be backed up on a scheduled basis. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-224006 | | The IBM z/OS Policy Agent must be configured to deny-all, allow-by-exception firewall policy for allowing connections to other systems. | Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the secur... |
| V-224007 | | IBM z/OS must not have Inaccessible APF libraries defined. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-224008 | | IBM z/OS inapplicable PPT entries must be invalidated. | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-224009 | | IBM z/OS LNKAUTH=APFTAB must be specified in the IEASYSxx member(s) in the currently active parmlib data set(s). | It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessa... |
| V-224010 | | IBM z/OS sensitive and critical system data sets must not exist on shared DASD. | Preventing unauthorized information transfers mitigates the risk of information, including encrypted representations of information, produced by the a... |
| V-224011 | | The IBM z/OS Policy Agent must contain a policy that manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service (DoS) attacks. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or m... |
| V-224013 | | The IBM z/OS system administrator (SA) must develop a process to notify appropriate personnel when accounts are created. | Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomp... |
| V-224014 | | The IBM z/OS system administrator (SA) must develop a process to notify appropriate personnel when accounts are modified. | Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomp... |
| V-224015 | | The IBM z/OS system administrator (SA) must develop a process to notify appropriate personnel when accounts are deleted. | When operating system accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual operating system users o... |
| V-224016 | | The IBM z/OS system administrator (SA) must develop a process to notify appropriate personnel when accounts are removed. | When operating system accounts are disabled, user accessibility is affected. Accounts are utilized for identifying individual operating system users o... |
| V-224018 | | IBM z/OS must not allow nonexistent or inaccessible Link Pack Area (LPA) libraries. | Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that r... |
| V-224019 | | IBM z/OS must not allow nonexistent or inaccessible LINKLIST libraries. | Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that r... |
| V-224021 | | IBM z/OS SMF collection files (system MANx data sets or LOGSTREAM DASD) must have storage capacity to store at least one weeks worth of audit data. | In order to ensure operating systems have a sufficient storage capacity in which to write the audit logs, operating systems need to be able to allocat... |
| V-224022 | | IBM z/OS System Administrators must develop an automated process to collect and retain SMF data. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Off-loading is a common process in information s... |
| V-224023 | | The IBM z/OS SNTP daemon (SNTPD) must be active. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-224024 | | IBM z/OS SNTP daemon (SNTPD) permission bits must be properly configured. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-224025 | | IBM z/OS PARMLIB CLOCKxx must have the Accuracy PARM coded properly. | Inaccurate time stamps make it more difficult to correlate events and can lead to an inaccurate analysis. Determining the correct time a particular ev... |
| V-224026 | | The IBM z/OS Policy Agent must contain a policy that protects against or limits the effects of denial-of-service (DoS) attacks by ensuring IBM z/OS is implementing rate-limiting measures on impacted network interfaces. | DoS is a condition when a resource is not available for legitimate users. When this occurs, the organization either cannot accomplish its mission or m... |
| V-224031 | | IBM z/OS must configure system wait times to protect resource availability based on site priorities. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-224032 | | IBM z/OS must employ a session manager to conceal, via the session lock, information previously visible on the display with a publicly viewable image. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but do... |
| V-224034 | | IBM z/OS must employ a session manager to manage retaining a users session lock until that user reestablishes access using established identification and authentication procedures. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but do... |
| V-224035 | | IBM z/OS system administrator (SA) must develop a procedure to remove or disable temporary user accounts after 72 hours. | If temporary user accounts remain active when no longer needed or for an excessive period, these accounts may be used to gain unauthorized access. To ... |
| V-224036 | | IBM z/OS system administrator (SA) must develop a procedure to remove or disable emergency accounts after the crisis is resolved or 72 hours. | Emergency accounts are privileged accounts that are established in response to crisis situations where the need for rapid account activation is requir... |
| V-224037 | | IBM z/OS system administrator (SA) must develop a procedure to notify SAs and information system security officers (ISSOs) of account enabling actions. | Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomp... |
| V-224038 | | IBM z/OS system administrator must develop a procedure to notify designated personnel if baseline configurations are changed in an unauthorized manner. | Unauthorized changes to the baseline configuration could make the system vulnerable to various attacks or allow unauthorized access to the operating s... |
| V-224040 | | IBM z/OS system administrator must develop a procedure to remove all software components after updated versions have been installed. | Previous versions of software components that are not removed from the information system after updates have been installed may be exploited by advers... |
| V-224041 | | IBM z/OS system administrator must develop a procedure to shut down the information system, restart the information system, and/or notify the system administrator when anomalies in the operation of any security functions are discovered. | If anomalies are not acted upon, security functions may fail to secure the system.
Security function is defined as the hardware, software, and/or fi... |
| V-224042 | | IBM z/OS system administrator must develop a procedure to offload SMF files to a different system or media than the system being audited. | The task of allocating audit record storage capacity is usually performed during initial installation of the operating system.... |
| V-224043 | | IBM z/OS must employ a session manager for users to directly initiate a session lock for all connection types. | A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but do... |
| V-224046 | | IBM z/OS permission bits and user audit bits for HFS objects that are part of the Syslog daemon component must be configured properly. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-224047 | | The IBM z/OS Syslog daemon must not be started at z/OS initialization. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-224048 | | The IBM z/OS Syslog daemon must be properly defined and secured. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-224049 | | IBM z/OS DFSMS resources must be protected in accordance with the proper security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-224050 | | IBM z/OS DFSMS Program Resources must be properly defined and protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-224051 | | IBM z/OS DFSMS control data sets must be protected in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD syst... |
| V-224052 | | IBM z/OS using DFSMS must properly specify SYS(x).PARMLIB(IGDSMSxx), SMS parameter settings. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-224054 | | IBM z/OS SMF recording options for the SSH daemon must be configured to write SMF records for all eligible events. | SMF data collection is the basic unit of tracking of all system functions and actions. Included in this tracking data are the audit trails from each o... |
| V-224055 | | The IBM z/OS SSH daemon must be configured with the Standard Mandatory DoD Notice and Consent Banner. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-224056 | | IBM z/OS PROFILE.TCPIP configuration statements for the TCP/IP stack must be properly coded. | Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities... |
| V-224057 | | IBM z/OS permission bits and user audit bits for HFS objects that are part of the Base TCP/IP component must be configured properly. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-224058 | | IBM z/OS TCP/IP resources must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-224059 | | IBM z/OS data sets for the Base TCP/IP component must be properly protected. | MVS data sets of the Base TCP/IP component provide the configuration, operational, and executable properties of IBMs TCP/IP system product. Failure to... |
| V-224060 | | IBM z/OS Configuration files for the TCP/IP stack must be properly specified. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-224061 | | IBM z/OS started tasks for the Base TCP/IP component must be defined in accordance with security requirements. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-224062 | | IBM z//OS must be configured to restrict all TCP/IP ports to ports, protocols, and/or services as defined in the PPSM CAL and vulnerability assessments. | Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, i... |
| V-224065 | | IBM z/OS TN3270 Telnet server configuration statement MSG10 text must have the Standard Mandatory DoD Notice and Consent Banner. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-224066 | | IBM z/OS SMF recording options for the TN3270 Telnet server must be properly specified. | Remote access services, such as those providing remote access to network devices and information systems, which lack automated monitoring capabilities... |
| V-224067 | | IBM z/OS SSL encryption options for the TN3270 Telnet server must be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS. | Without confidentiality protection mechanisms, unauthorized individuals may gain access to sensitive information via a remote access session.
Remote ... |
| V-224068 | | IBM z/OS VTAM session setup controls for the TN3270 Telnet server must be properly specified. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-224069 | | IBM z/OS PROFILE.TCPIP configuration for the TN3270 Telnet server must have the INACTIVE statement properly specified. | Terminating network connections associated with communications sessions includes, for example, de-allocating associated TCP/IP address/port pairs at t... |
| V-224072 | | IBM Z/OS TSOAUTH resources must be restricted to authorized users. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-224074 | | IBM z/OS UNIX HFS MapName file security parameters must be properly specified. | Removal of unneeded or non-secure functions, ports, protocols, and services mitigate the risk of unauthorized connection of devices, unauthorized tran... |
| V-224075 | | IBM z/OS NOBUFFS in SMFPRMxx must be properly set (default is MSG). | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notificatio... |
| V-224076 | | IBM z/OS BPX resource(s) must be protected in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-224077 | | IBM z/OS UNIX resources must be protected in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-224079 | | IBM z/OS UNIX MVS data sets or HFS objects must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-224080 | | IBM z/OS UNIX MVS data sets with z/OS UNIX components must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-224081 | | IBM z/OS UNIX MVS data sets used as step libraries in /etc/steplib must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-224082 | | IBM z/OS UNIX HFS permission bits and audit bits for each directory must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-224083 | | IBM z/OS UNIX system file security settings must be properly protected or specified. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-224084 | | IBM z/OS UNIX MVS HFS directory(s) with OTHER write permission bit set must be properly defined. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-224086 | | IBM z/OS UNIX OMVS parameters in PARMLIB must be properly specified. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-224087 | | IBM z/OS UNIX BPXPRMxx security parameters in PARMLIB must be properly specified. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-224088 | | IBM z/OS UNIX security parameters in etc/profile must be properly specified. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-224089 | | IBM z/OS UNIX security parameters in /etc/rc must be properly specified. | Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the secur... |
| V-224090 | | IBM z/OS Default profiles must not be defined in TSS OMVS UNIX security parameters for classified systems. | Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal... |
| V-224091 | | IBM z/OS UNIX security parameters for restricted network service(s) in /etc/inetd.conf must be properly specified. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types... |
| V-224092 | | IBM z/OS attributes of z/OS UNIX user accounts must have a unique GID in the range of 1-99. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-224093 | | The IBM z/OS user account for the UNIX kernel (OMVS) must be properly defined to the security database. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-224094 | | The IBM z/OS user account for the z/OS UNIX SUPERUSER userid must be properly defined. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-224095 | | The IBM z/OS user account for the UNIX (RMFGAT) must be properly defined. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-224097 | | IBM z/OS UNIX user accounts must be properly defined. | To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-224098 | | IBM z/OS attributes of UNIX user accounts used for account modeling must be defined in accordance with security requirements. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-224099 | | The IBM z/OS UNIX Telnet server etc/banner file must have the Standard Mandatory DoD Notice and Consent Banner. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-224100 | | The IBM z/OS startup user account for the z/OS UNIX Telnet server must be properly defined. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-224101 | | IBM z/OS HFS objects for the z/OS UNIX Telnet server must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-224102 | | The IBM z/OS UNIX Telnet server Startup parameters must be properly specified. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-224103 | | The IBM z/OS UNIX Telnet server warning banner must be properly specified. | Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbi... |
| V-224104 | | IBM z/OS System data sets used to support the VTAM network must be properly secured. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-224105 | | IBM z/OS VTAM USSTAB definitions must not be used for unsecured terminals. | If the operating system were to allow any user to make changes to software libraries, then those changes might be implemented without undergoing the a... |
| V-245537 | | The IBM z/OS TCPIP.DATA configuration statement must contain the DOMAINORIGIN or DOMAIN specified for each TCP/IP defined. | If data origin authentication and data integrity verification are not performed, the resultant response could be forged, it may have come from a poiso... |
| V-252554 | | IBM z/OS TCP/IP AT-TLS policy must be properly configured in Policy Agent. | If events associated with nonlocal administrative access or diagnostic sessions are not logged, a major tool for assessing and investigating attacks w... |
| V-255896 | | IBM z/OS FTP.DATA configuration statements for the FTP Server must be specified in accordance with requirements. | This requirement is intended to cover both traditional interactive logons to information systems and general accesses to information systems that occu... |
| V-255940 | | IBM Integrated Crypto Service Facility (ICSF) Configuration parameters must be correctly specified. | IBM Integrated Crypto Service Facility (ICSF) product has the ability to use privileged functions and/or have access to sensitive data. Failure to pro... |
| V-255941 | | IBM Integrated Crypto Service Facility (ICSF) install data sets are not properly protected. | IBM Integrated Crypto Service Facility (ICSF) product has the ability to use privileged functions and/or have access to sensitive data. Failure to pro... |
| V-255942 | | IBM Integrated Crypto Service Facility (ICSF) Started Task name is not properly identified / defined to the system ACP. | IBM Integrated Crypto Service Facility (ICSF) requires a started task that will be restricted to certain resources, datasets and other system function... |
| V-255943 | | IBM Integrated Crypto Service Facility (ICSF) Started task(s) must be properly defined to the Started Task Table ACID for Top Secret. | Access to product resources should be restricted to only those individuals responsible for the application connectivity and who have a requirement to ... |
| V-255944 | | IBM Integrated Crypto Service Facility (ICSF) STC data sets must be properly protected. | IBM Integrated Crypto Service Facility (ICSF) STC data sets have the ability to use privileged functions and/or have access to sensitive data. Failur... |
| V-272878 | | IBM z/OS DFSMS control data sets must reside on separate storage volumes. | Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the secur... |
| V-275959 | | zOSMF resource class(es) must be properly owned in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD syst... |
| V-275960 | | zOSMF resources must be protected in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD syst... |
| V-275961 | | ICSF resource class(es) must be properly owned in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD syst... |
| V-275962 | | ICSF resources must be protected in accordance with security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DOD-approved PKIs, all DOD syst... |
| V-223901 | | CA-TSS must limit Write or greater access to libraries that contain PPT modules to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223946 | | CA-TSS User ACIDs and Control ACIDs must have the NAME field completed. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-223948 | | Interactive ACIDs defined to CA-TSS must have the required fields completed. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-223874 | | CA-TSS Security control ACIDs must be limited to the administrative authorities authorized and that require these privileges to perform their job duties. | The use of security policy filters provides protection for the confidentiality of data by restricting the flow of data. A crucial part of any flow con... |
| V-223876 | | CA-TSS MODE Control Option must be set to FAIL. | Enterprise environments make account management challenging and complex. A manual process for account management functions adds the risk of a potentia... |
| V-223882 | | IBM z/OS SYS1.PARMLIB must be properly protected. | Without the capability to restrict which roles and individuals can select which events are audited, unauthorized personnel may be able to prevent the ... |
| V-223887 | | IBM z/OS must use NIST FIPS-validated cryptography to protect passwords in the security database. | Passwords need to be protected at all times, and encryption is the standard method for protecting passwords. If passwords are not encrypted, they can ... |
| V-223894 | | CA-TSS must limit Write or greater access to SYS1.SVCLIB to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223895 | | CA-TSS must limit Write or greater access to SYS1.IMAGELIB to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223896 | | CA-TSS must limit Write or greater access to SYS1.LPALIB to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223897 | | CA-TSS must limit WRITE or greater access to all APF-authorized libraries to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223898 | | IBM z/OS libraries included in the system REXXLIB concatenation must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223899 | | CA-TSS must limit Write or greater access to all LPA libraries to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223900 | | CA-TSS must limit Write or greater access to SYS1.NUCLEUS to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223903 | | CA-TSS security data sets and/or databases must be properly protected. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223904 | | CA-TSS must limit access to the System Master Catalog to appropriate authorized users. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223908 | | CA-TSS must limit Write or greater access to SYS1.UADS to system programmers only, and Read and Update access must be limited to system programmer personnel and/or security personnel. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223914 | | CA-TSS must limit WRITE or greater access to libraries containing EXIT modules to system programmers only. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223915 | | CA-TSS must limit all system PROCLIB data sets to system programmers only and appropriate authorized users. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223917 | | IBM z/OS must protect dynamic lists in accordance with proper security requirements. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223923 | | Access to the CA-TSS MODE resource class must be appropriate. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223925 | | CA-TSS Emergency ACIDs must be properly limited and must audit all resource access. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223929 | | IBM z/OS DASD Volume access greater than CREATE found in the CA-TSS database must be limited to authorized information technology personnel requiring access to perform their job duties. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-223947 | | The CA-TSS PASSWORD(NOPW) option must not be specified for any ACID type. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-223957 | | The CA-TSS Facility Control Option must specify the sub option of MODE=FAIL. | Utilizing a whitelist provides a configuration management method for allowing the execution of only authorized software. Using only authorized softwar... |
| V-223967 | | The CA-TSS BYPASS attribute must be limited to trusted STCs only. | Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary... |
| V-223969 | | CA-TSS ACIDs granted the CONSOLE attribute must be justified. | Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary... |
| V-224017 | | Unsupported IBM z/OS system software must not be installed and/or active on the system. | Control of program execution is a mechanism used to prevent execution of unauthorized programs. Some operating systems may provide a capability that r... |
| V-224020 | | CA-TSS must be installed and properly configured. | Failure to provide logical access restrictions associated with changes to system configuration may have significant effects on the overall security of... |
| V-224044 | | The SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm. | Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/proc... |
| V-224045 | | IBM z/OS SSH daemon must be configured to only use the SSHv2 protocol. | In order to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling (i.e., embedding of data types... |
| V-224073 | | CA-TSS LOGONIDs must not be defined to SYS1.UADS for non-emergency use. | Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary... |
| V-224078 | | IBM z/OS UNIX SUPERUSER resources must be protected in accordance with guidelines. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-224085 | | The CA-TSS HFSSEC resource class must be defined with DEFPROT. | To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD syst... |
| V-224096 | | IBM z/OS UID(0) must be properly assigned. | To assure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and... |
| V-251108 | | The IBM z/OS systems requiring data at rest protection must properly employ IBM DS8880 or equivalent hardware solutions for full disk encryption. | This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at res... |
