IBM z/VM tapes must use Tape Encryption.

Overview

Finding ID: V-237928
Version: IBMZ-VM-000750
Rule ID: SV-237928r858991_rule
IA Controls: CCI-001199
Severity: medium

Description
Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system. Guest operating systems, such as CMS, that are not capable of enabling the hardware encryption available with the 3592 Model E05 tape drive are able to use z/VM facilities that enable the encryption on behalf of the guest. Guest operating systems that do support tape encryption, such as z/OS with proper service, will be able to do so without interference from z/VM.

STIG: IBM zVM Using CA VM:Secure Security Technical Implementation Guide
Date: 2022-08-31

Related Frameworks

3 paths across 3 frameworks
NIST 800-53 (1 mapping)
SC-28
1.00
  • DISA · V2R2 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-171 (1 mapping)
  • DISA · V2R2 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI (1 mapping)
CCI-001199
1.00
  • DISA · V2R2 · disa_xccdf · related

Details

Check Text (C-237928r858991_chk)

Verify Tape Encryption is in use. For IBM drives, issue the following command:

Class B: QUERY TAPES DETAIL
or
Class G: QUERY VIRTUAL TAPES

If the resulting text includes "ACTIVE KEY LABELS", this is not a finding.

Regardless of the drive type, if there is no encryption available, this is a finding.

Fix Text (F-41097r649623_fix)

Consult the CP Administration manual for procedures to set up IBM Device Encryption. For any other drive type, consult the manufacturer for encryption procedures.