ACF2/CICS parameter datasets are not protected in accordance with the proper security requirements.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| --- | --- | --- | --- | --- |
| V-224308 | ZCICA011 | SV-224308r1141393_rule | CCI-001499 | medium |

Description

CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Unauthorized access to ACF2/CICS parameter datasets (i.e., product, security) could result in the compromise of the confidentiality, integrity, and availability of the CICS region, applications, and customer data.

| STIG | Date |
| --- | --- |
| z/OS IBM CICS Transaction Server for ACF2 Security Technical Implementation Guide | 2025-09-23 |
Details
Check Text (C-224308r1141393_chk)
Refer to the following report produced by the ACF2 Data Collection:
- SENSITVE.RPT(CICSRPT).
Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.
WRITE and/or greater access to the ACF2/CICS parameter dataset, specified on the ACF2PARM DD statement, is restricted to systems programming personnel and security personnel. If this guidance is true, this is not a finding.
Fix Text (F-25973r1141392_fix)
The ISSO will ensure that WRITE and/or greater access to the ACF2/CICS parameter dataset is limited to systems programmers and security personnel.
Review the access authorizations for CICS system datasets.
WRITE and/or greater access to the ACF2/CICS parameter dataset, specified on the ACF2PARM DD statement, is restricted to systems programming personnel and security personnel.
Example:
$KEY(S3C)
$PREFIX(SYS3)
CICSTS.SYSIN UID(syspaudt) R(A) W(L) A(L) E(A)
CICSTS.SYSIN UID(secaaudt) R(A) W(L) A(L) E(A)
CICSTS.SYSIN UID(*) PREVENT
SET RULE
COMPILE 'ACF2.MVA.DSNRULES(S3C)' STORE
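
The rule-set review described above can be partly automated. The following Python is an added example, not part of the STIG or of ACF2: it parses rule entries in the format of the example and reports any that grant WRITE or ALLOC access to a UID outside the authorized set. It assumes the authorized UID strings are the two shown in the example, compares UID masks literally rather than applying ACF2 mask matching, and uses a constructed `appldev` entry as the failing case.

```python
import re

# Constructed sample in the format of the page's example; the "appldev" line
# is a deliberately over-permissive entry added for illustration.
SAMPLE_RULES = """\
$KEY(S3C)
$PREFIX(SYS3)
CICSTS.SYSIN UID(syspaudt) R(A) W(L) A(L) E(A)
CICSTS.SYSIN UID(secaaudt) R(A) W(L) A(L) E(A)
CICSTS.SYSIN UID(appldev) R(A) W(A)
CICSTS.SYSIN UID(*) PREVENT
"""

# Assumption: the two UID strings from the page's example are the authorized ones.
AUTHORIZED_UIDS = {"syspaudt", "secaaudt"}

UID_RE = re.compile(r"\bUID\(([^)]*)\)", re.I)
PERM_RE = re.compile(r"\b(READ|WRITE|ALLOC|EXEC|R|W|A|E)\(([ALP])\)", re.I)


def parse_entry(line):
    """Return (dsn_mask, uid_mask, perms) for a rule entry, or None for other lines."""
    line = line.strip()
    m = UID_RE.search(line)
    if not line or line.startswith("$") or not m:
        return None  # control statements ($KEY, $PREFIX) and commands carry no UID
    # Access not explicitly allowed (A) or logged (L) is prevented (P).
    perms = {"R": "P", "W": "P", "A": "P", "E": "P"}
    for name, value in PERM_RE.findall(line[m.end():]):
        perms[name[0].upper()] = value.upper()
    return line.split()[0], m.group(1), perms


def find_violations(rules_text, authorized=AUTHORIZED_UIDS):
    """List entries that grant WRITE or ALLOC to a UID outside the authorized set."""
    findings = []
    for line in rules_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        dsn, uid, perms = entry
        grants_update = perms["W"] in "AL" or perms["A"] in "AL"
        if grants_update and uid.lower() not in authorized:
            findings.append((dsn, uid, perms))
    return findings


if __name__ == "__main__":
    for dsn, uid, perms in find_violations(SAMPLE_RULES):
        print(f"FINDING: {dsn} UID({uid}) W({perms['W']}) A({perms['A']})")
```

An empty result only shows that no listed entry grants update access outside the set; the reviewer still has to confirm that the authorized UID strings map to systems programming and security personnel.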