OpenControls Logo

STIG Viewer

The CA-TSS NEWPW control options must be properly set.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-223886TSS0-ES-000130SV-223886r998487_ruleCCI-004066medium
Description
If the private key is stolen, this will lead to the compromise of the authentication and nonrepudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user. Satisfies: SRG-OS-000071-GPOS-00039, SRG-OS-000072-GPOS-00040, SRG-OS-000075-GPOS-00043, SRG-OS-000480-GPOS-00225, SRG-OS-000266-GPOS-00101, SRG-OS-000279-GPOS-00109
STIGDate
IBM z/OS TSS Security Technical Implementation Guide2025-06-24

Related Frameworks

6 paths across 3 frameworks
NIST 800-531 mapping
IA-5(1)
1.00
  • DISA · 9 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1714 mappings
3.5.10
1.00
  • DISA · 9 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.5.7
1.00
  • DISA · 9 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.5.8
1.00
  • DISA · 9 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.5.9
1.00
  • DISA · 9 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-004066
1.00
  • DISA · 9 · disa_xccdf · related

Details

Check Text (C-223886r998487_chk)

From the ISPF Command Shell enter: TSS MODIFY STATUS If the NEWPW Control Option values conform to the following requirements, this is not a finding. NEWPW(MIN=8,WARN=10, MINDAYS=1, NR=0, ID, TS, SC, RS, FA, FN, MC, UC, LC) NOTE: For the Option SC, the PASSCHAR control option should be set to the allowable list defined in CA Top Secret for z/OS Control Options Guide. NOTE: For the Option RS, at a minimum use the reserved word prefix list found in the site security plan.

Fix Text (F-25547r516058_fix)

Note: Support of mixed case passwords can only be set when the security file has been copied by TSSXTEND with the option NEWPWBLOCK. Configure the NEWPW Control Option values conform to the following requirements: NEWPW(MIN=8,WARN=10, MINDAYS=1, NR=0, ID, TS, SC, RS, FA, FN, MC, UC, LC) NOTE: For the Option SC, the PASSCHAR control option should be set to the allowable list defined in CA Top Secret for z/OS Control Options Guide. NOTE: For the Option RS, at a minimum use the reserved word prefix list found in the site security plan.