If the Mainframe Product has no log on capability, this requirement is not applicable. Examine installation and configuration settings. If concurrent sessions are not limited to three per account by type of user, this is a finding.
Configure the Mainframe Product to limit concurrent sessions to three per account by type of user.
If the Mainframe Product has no data screen capability, this requirement is not applicable. Examine configuration parameters to determine whether information previously displayed on the screen is concealed at a session lock. If information is not concealed, this is a finding.
Configure the Mainframe Product to conceal previously displayed information at a session lock.
If the Mainframe Product has no data screen capability, this requirement is not applicable. Examine configuration parameters to determine whether the Mainframe Product performs a session lock after 15 minutes of inactivity. If it does not, this is a finding.
Configure the Mainframe Product to perform a session lock after 15 minutes of inactivity.
If the Mainframe Product has no data screen capability, this requirement is not applicable. Determine whether the Mainframe Product allows users to directly initiate a session lock. If it does not, this is a finding. Examine the Mainframe Product configuration parameters and user attributes to determine whether users can initiate a session lock. If the parameters are not properly set and/or the user is not permitted, this is a finding.
Configure the Mainframe Product user's attributes to enable ability to initiate a session lock. Verify the external security manager permits it.
If the Mainframe Product has no data screen capability, this requirement is not applicable. Determine whether the Mainframe Product has the capability to retain the session lock until the user reestablishes access using established identification and authentication procedures. If it does not, this is a finding. Examine configuration settings to determine if session locks are held until the user reestablishes access. If they are not properly set, this is a finding.
Configure the Mainframe Product setting to retain session locks until user reestablishes access using established identification and authentication procedures.
Examine installation and configuration settings. If the Mainframe Product does not use an external security manager to support all account management functions, this is a finding.
Configure the Mainframe Product to use an external security manager for all account management functions.
If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine account management settings. If temporary users are not removed or disabled after 72 hours, this is a finding.
Configure the Mainframe Product account management settings to automatically remove or disable temporary user accounts after 72 hours.
If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine account management settings. If the Mainframe Product does not automatically disable accounts after 35 days of account inactivity, this is a finding.
Configure the Mainframe Product account management settings to automatically disable accounts after 35 days of account inactivity.
If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine account management settings. If the Mainframe Product does not automatically audit account creation, this is a finding.
Configure the Mainframe Product account management settings to automatically audit account creation.
If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine account management settings. If the Mainframe Product does not automatically audit account modification, this is a finding.
Configure the Mainframe Product account management settings to automatically audit account modification.
If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine account management settings. If the Mainframe Product does not automatically audit account disabling actions, this is a finding.
Configure the Mainframe Product account management settings to automatically audit account disabling actions.
If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine account management settings. If the Mainframe Product does not automatically audit account removal actions, this is a finding.
Configure the Mainframe Product account management settings to automatically audit account removal actions.
If an external security manager is used, check the external security manager rules and configuration. If there are no rules for these resources or the rules do not restrict user access in accordance with applicable access control policies, this is a finding. If an external security manager is not in use, examine Mainframe Product installation and configuration settings. Verify that the Mainframe Product enforces role and/or resource access in accordance with applicable access control policies. If it does not, this is a finding.
Configure the Mainframe Product to enforce role and/or resource access in accordance with applicable access control policies. This can be accomplished using an external security manager. Configure the external security manager to restrict user access according to applicable access control policies.
If an external security manager is used, check the external security manager rules and configuration. If there are no rules for these resources or the rules do not restrict security administrator access in accordance with applicable access control policies, this is a finding. If an external security manager is not in use, examine installation and configuration settings. Verify that the Mainframe Product enforces security administrator access to information and system resources in accordance with applicable access control policies. If it does not, this is a finding.
Configure the Mainframe Product to enforce role and/or resource access in accordance with applicable access control policies. This can be accomplished using an external security manager. Configure the external security manager to restrict security administrator access according to applicable access control policies.
If an external security manager (ESM) is used, check the ESM rules and configuration. If there are no rules for these resources or the rules do not restrict system programmer access in accordance with applicable access control policies, this is a finding. If an ESM is not in use, examine installation and configuration settings. Verify that the Mainframe Product enforces system programmer access to information and system resources in accordance with applicable access control policies. If it does not, this is a finding.
Configure the Mainframe Product to enforce role and/or resource access in accordance with applicable access control policies. This can be accomplished using an ESM. Configure the ESM to restrict system programmer access according to applicable access control policies.
Examine installation and configuration settings. Verify that the Mainframe Product enforces approved authorizations for controlling the flow of information within the system in accordance with applicable information flow control policies. If it does not, this is a finding.
Configure the Mainframe Product to enforce approved authorizations for controlling the flow of information within the system in accordance with applicable information flow control policies.
If the Mainframe Product has no function or capability for user logon, this is not applicable. If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine Mainframe Product configuration settings. Verify that the Mainframe Product account management settings enforce a limit of three consecutive invalid logon attempts by a user during a 15-minute time period. If they do not, this is a finding.
Configure the Mainframe Product account management settings to enforce a limit of three consecutive invalid logon attempts by a user during a 15-minute time period.
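The lockout rule above, as an added worked example (Python; not part of the STIG and not any vendor's code): three consecutive invalid logon attempts by one user within a 15-minute window lock the account, a successful logon ends the run of failures, failures older than the window no longer count, and a locked account stays locked until an administrator resets it. The class name, method names and the replayed sample events are assumptions for illustration; a real Mainframe Product would apply this in its own logon processing or delegate it to the ESM.

```python
# Added example, not part of the STIG text: a logon lockout policy that
# enforces "three consecutive invalid attempts within 15 minutes". Names and
# sample events are assumptions for illustration.
from collections import deque
from datetime import datetime, timedelta

MAX_FAILURES = 3                 # consecutive invalid attempts that trigger a lock
WINDOW = timedelta(minutes=15)   # the attempts must fall inside this period


class LogonPolicy:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW):
        self.max_failures = max_failures
        self.window = window
        self._failures = {}      # userid -> deque of timestamps of recent failures
        self._locked = set()

    def is_locked(self, userid):
        return userid in self._locked

    def record_attempt(self, userid, success, at):
        """Apply one logon attempt; returns 'ok', 'denied' or 'locked'."""
        if userid in self._locked:
            # A locked account stays locked until an administrator resets it;
            # presenting the correct password does not unlock it.
            return "locked"
        failures = self._failures.setdefault(userid, deque())
        if success:
            # A successful logon breaks the run of consecutive failures.
            failures.clear()
            return "ok"
        failures.append(at)
        # Age out failures outside the window so only a 15-minute span counts.
        while failures and at - failures[0] > self.window:
            failures.popleft()
        if len(failures) >= self.max_failures:
            self._locked.add(userid)
            failures.clear()
            return "locked"
        return "denied"

    def admin_unlock(self, userid):
        """Administrative reset; the only way out of the locked state here."""
        self._locked.discard(userid)
        self._failures.pop(userid, None)


def demo():
    """Replays constructed sample events; returns the outcome of each."""
    policy = LogonPolicy()
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    events = [
        ("USER01", False, t0),
        ("USER01", False, t0 + timedelta(minutes=5)),
        ("USER01", True,  t0 + timedelta(minutes=6)),    # resets the count
        ("USER01", False, t0 + timedelta(minutes=7)),
        ("USER01", False, t0 + timedelta(minutes=30)),   # failure at +7 has aged out
        ("USER01", False, t0 + timedelta(minutes=31)),
        ("USER01", False, t0 + timedelta(minutes=32)),   # third failure inside the window
        ("USER01", True,  t0 + timedelta(minutes=33)),   # correct password, still locked
    ]
    return [policy.record_attempt(u, ok, at) for u, ok, at in events]


if __name__ == "__main__":
    print(demo())
```

The replay shows the two edge cases a reviewer should probe when checking a product's implementation: a successful logon between failures must reset the counter, and failures separated by more than the window must not accumulate into a lock.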
If the Mainframe Product has no function or capability for scanning activity, this is not applicable. Examine installation and configuration settings. If the Mainframe Product is not configured to scan all media brought into the organization for diagnostic and testing purposes for intentionally or unintentionally included malicious code prior to use, this is a finding.
Configure the Mainframe Product to scan all media used in maintenance prior to use.
If the Mainframe Product does not perform tasks on behalf of other users, this is not applicable. Examine configuration settings. Determine whether the settings identify the initiating user for authentication. If they do not, this is a finding.
Configure the Mainframe Product to identify the initiating user for authentication for all tasks.
If the Mainframe Product does not perform audit record aggregation, this is not applicable. Examine configuration settings. If the Mainframe Product settings do not use the operating system clock for time stamps, this is a finding.
Configure the Mainframe Product to use the operating system clock for time stamps.
Examine Mainframe Product documentation. Refer to NIST SP 800-53 AU-2 or the Risk Management Knowledge Service (RMKS) for DoD auditing events. Examine configuration settings. Compare available auditing events. If available auditing events do not include all DoD-defined auditing events, this is a finding. If auditing is not available for all components of the Mainframe Product, this is a finding.
Configure the Mainframe Product to audit all DoD-defined auditing events within all Mainframe Product components.
Examine the configuration settings. Verify the capability to select auditable events is restricted to security administrators (or individuals or roles appointed by the ISSM). If it is not, this is a finding.
Configure the Mainframe Product to restrict selection of auditable events to security administrators (or individuals or roles appointed by the ISSM).
Examine the installation and configuration settings. Verify that the Mainframe Product identifies privileged functions and writes to SMF and/or uses an external security manager to generate audit records when successful/unsuccessful attempts to access privileges occur. If it does not, this is a finding.
Configure the Mainframe Product to write to SMF and/or provide audit SAF call for the external security manager when successful/unsuccessful attempts to access privileges occur.
If the Mainframe Product has no function or capability for session operations, this is not applicable. Examine installation and configuration settings. Verify that session auditing is initiated at session startup. If it is not, this is a finding.
Configure the Mainframe Product to initiate session auditing upon startup.
Examine installation and configuration settings. Verify data written to external security manager audit files and/or SMF records contain information that details what type of events occurred. If it does not, this is a finding.
Configure the Mainframe Product audit records written to external security manager audit files and/or SMF records to contain information that details what type of events occurred.
Examine installation and configuration settings. Ensure data written to external security manager audit files and/or SMF records contain information that details when events occurred. If it does not, this is a finding.
Configure the Mainframe Product audit records written to external security manager audit files and/or SMF records to contain information that details when (date and time) the events occurred.
Examine installation and configuration settings. Verify data written to external security manager audit files and/or SMF records contain information that details where events occurred. If it does not, this is a finding.
Configure the Mainframe Product audit records written to external security manager audit files and/or SMF records to contain information that details where the events occurred.
Examine installation and configuration settings. Verify data written to external security manager audit files and/or SMF records contain information that details the source of events. If it does not, this is a finding.
Configure the Mainframe Product audit records written to external security manager audit files and/or SMF records to contain information to establish the source of the events.
Examine installation and configuration settings. Verify data written to external security manager audit files and/or SMF records contain information that details the outcome of events. If it does not, this is a finding.
Configure the Mainframe Product audit records written to external security manager audit files and/or SMF records to contain information to establish the outcome of the events.
Examine installation and configuration settings. Verify data written to external security manager audit files and/or SMF records contain information that details the identity of individuals or processes associated with the event. If it does not, this is a finding.
Configure the Mainframe Product audit records written to external security manager audit files and/or SMF records to contain information to establish the identity of any individual or process associated with the event.
Examine installation and configuration settings. Verify data written to external security manager audit files and/or SMF records contain full-text recording of privileged commands or the individual identities of group account users associated with the event. If it does not, this is a finding.
Configure the Mainframe Product audit records written to external security manager audit files and/or SMF records to contain full-text recording of privileged commands or the individual identities of group account users.
If the Mainframe Product does not perform audit data management or storage function, this is not applicable. Examine configuration settings. Determine if Mainframe Product alerts system programmers or security administrators in the event of audit processing failure. If it does not, this is a finding.
Configure the Mainframe Product to alert system programmers or security administrators in the event of audit processing failure.
If the Mainframe Product does not perform audit data management or storage function, this is not applicable. Examine configuration settings for audit failure parameters. If Mainframe Product does not shut down by default in the event of audit processing failure, this is a finding. Note: This depends on whether availability is an overriding concern.
Configure the Mainframe Product to shut down by default upon audit failure (unless availability is an overriding concern).
If the Mainframe Product does not perform audit data management or storage function, this is not applicable. Examine installation and configuration settings. Verify the Mainframe Product has the capability to centrally review and analyze audit records from multiple components in the system. If it does not, this is a finding.
Configure the Mainframe Product to centrally review and analyze audit records from multiple components in the system.
If the Mainframe Product has no function or capability for mobile code use, this is not applicable. Examine installation and configuration settings. If the Mainframe Product is not configured to prevent the execution of prohibited mobile code, this is a finding.
Configure the Mainframe Product to prevent the execution of prohibited mobile code.
If the Mainframe Product does not perform audit data management or storage function, this is not applicable. Examine installation and configuration settings. Refer to the site's auditing policies. Verify the Mainframe Product filters audit record events of interest based on Site defined criteria. If it does not, this is a finding.
Configure the Mainframe Product to filter audit record events of interest based on site-defined criteria.
Examine installation and configuration settings. If the Mainframe Product does not use the z/OS system clock for audit time stamps, this is a finding.
Configure the Mainframe Product to use the z/OS system clock for audit time stamps.
Examine installation and configuration settings. Verify the Mainframe Product restricts audit information read access to system programmers, security administrators, and audit personnel. If access is not restricted, this is a finding. If an external security manager (ESM) is being used, examine the external security configuration and rules. If the rules do not restrict read access to system programmers, security administrators, and audit personnel, this is a finding.
Configure the Mainframe Product to restrict audit information read access to system programmers, security administrators, and audit personnel. This can be accomplished using an ESM. Configure the Mainframe Product to provide a SAF call for audit information access. Verify ESM rules restrict read access to system programmers, security administrators, and audit personnel.
Examine installation and configuration settings. Verify that the Mainframe Product restricts audit information update access to system programmers, security administrators, and audit personnel. If access is not restricted, this is a finding. If an external security manager (ESM) is being used, examine the external security configuration and rules. If the rules do not restrict update access to system programmers, security administrators, and audit personnel, this is a finding.
Configure the Mainframe Product to restrict audit information update or greater access to system programmers, security administrators, and audit personnel. This can be accomplished using an ESM. Configure the Mainframe Product to provide a SAF call for audit information access. Verify ESM rules restrict update or greater access to system programmers, security administrators, and audit personnel.
Examine installation and configuration settings. Verify the Mainframe Product restricts audit information delete access to system programmers, security administrators, and audit personnel. If access is not restricted, this is a finding. If an external security manager (ESM) is being used, examine the external security configuration and rules. If the rules do not restrict delete (update or greater) access to system programmers, security administrators, and audit personnel, this is a finding.
Configure the Mainframe Product to restrict audit information delete (update or greater) access to system programmers, security administrators, and audit personnel. This can be accomplished using an ESM. Configure the Mainframe Product to provide a SAF call for audit information access. Verify ESM rules restrict update or greater access to system programmers, security administrators, and audit personnel.
If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine installation and configuration settings. Verify the Mainframe Product restricts audit tool access to system programmers, security administrators, and audit personnel. If access is not restricted, this is a finding.
Configure the Mainframe Product to restrict audit tool access to system programmers, security administrators, and audit personnel.
If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine installation and configuration settings. Verify the Mainframe Product restricts audit tool modification to system programmers, security administrators, and audit personnel. If access is not restricted, this is a finding.
Configure the Mainframe Product to restrict audit tool modification to system programmers, security administrators, and audit personnel.
If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine installation and configuration settings. Verify the Mainframe Product restricts the ability to delete audit tools to system programmers, security administrators, and audit personnel. If access is not restricted, this is a finding.
Configure the Mainframe Product to restrict audit tool deletion to system programmers, security administrators, and audit personnel.
Examine installation and configuration settings for change management. If the Mainframe Product does not prevent the installation of patches, service packs, or application components without verification that the software component has been digitally signed using a certificate that is recognized and approved by the organization, this is a finding.
Configure installation and configuration settings for change management to prevent the installation of patches, service packs, or application components without verification that the software component has been digitally signed using a certificate that is recognized and approved by the organization.
If an external security manager (ESM) is in use, examine the ESM configurations and rules. If the ESM does not restrict update or greater access to installation datasets to system programmers or security managers or other authorized users as directed by applicable access control policies, this is a finding. If an ESM is NOT in use, examine the Mainframe Product installation and configuration settings. If the Mainframe Product does not restrict update or greater access to Installation datasets to system programmers or security managers or other authorized users as directed by applicable access control policies, this is a finding.
Configure the Mainframe Product to limit privileges to changing Mainframe Product installation datasets to system programmers or security managers or other authorized users as directed by applicable access control policies. This can be accomplished with an ESM. Configure the ESM to restrict update and greater access to Mainframe Product installation datasets to system programmers or security managers or other authorized users in accordance with applicable access control policies.
If an external security manager (ESM) is in use, examine the ESM configurations and rules. If the ESM does not restrict update or greater access to started task and job datasets to system programmers or security managers or other authorized users as directed by applicable access control policies, this is a finding. If an ESM is NOT in use, examine the Mainframe Product installation and configuration settings. If the Mainframe Product does not restrict update or greater access to started task and job datasets to system programmers or security managers or other authorized users as directed by applicable access control policies, this is a finding.
Configure the Mainframe Product to limit privileges to changing Mainframe Product started task and job datasets to system programmers or security managers or other authorized users in accordance with applicable access control policies. This can be accomplished with an ESM. Configure the ESM to restrict update and greater access to Mainframe Product started task and job datasets to system programmers or security managers or other authorized users in accordance with applicable access control policies.
If an external security manager (ESM) is in use, check the ESM rules and configuration. If there are no rules for Mainframe Product user datasets or the rules do not restrict access to Mainframe Product user datasets to authorized users as directed by applicable access control policies, this is a finding. If an ESM is NOT in use, examine installation and configuration settings. If the Mainframe Product does not restrict access to Mainframe Product user datasets to authorized users as directed by applicable access control policies, this is a finding.
Configure the Mainframe Product to limit access to Mainframe Product user datasets to authorized users in accordance with applicable access control policies. This can be accomplished with an ESM. Configure the ESM to restrict access to Mainframe Product user datasets to authorized users in accordance with applicable access control policies.
Refer to Mainframe Product installation documentation to determine sample and default demonstrative components. Examine installation settings. If there are any sample or default demonstrative components in the installation, this is a finding.
Configure the Mainframe Product installation and/or configurations to remove sample and demonstrative components.
If the Mainframe Product has no function or capability for user logon, this is not applicable. If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine user account configurations. If the Mainframe Product does not uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users), this is a finding.
Configure the Mainframe Product account management settings to uniquely identify and authenticate organizational users (or processes acting on behalf of organizational users).
If the Mainframe Product has no function or capability for user logon, this is not applicable. If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine user account management configurations. If the Mainframe Product is not configured to require multifactor authentication for network access to privileged accounts, this is a finding.
Configure the Mainframe Product account management settings to require multifactor authentication for network access to privileged accounts.
If the Mainframe Product has no function or capability for user logon, this is not applicable. If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine user account management configurations. If the Mainframe Product is not configured to require multifactor authentication for network access to non-privileged accounts, this is a finding.
Configure the Mainframe Product account management settings to require multifactor authentication for network access to non-privileged accounts.
If the Mainframe Product has no function or capability for user logon, this is not applicable. If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine user account management configurations. If the Mainframe Product is not configured to require multifactor authentication for local access to privileged accounts, this is a finding.
Configure the Mainframe Product account management settings to require multifactor authentication for local access to privileged accounts.
If the Mainframe Product has no function or capability for user logon, this is not applicable. If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine user account management configurations. If the Mainframe Product is not configured to require multifactor authentication for local access to non-privileged accounts, this is a finding.
Configure the Mainframe Product account management settings to require multifactor authentication for local access to non-privileged accounts.
If the Mainframe Product has no function or capability for user logon, this is not applicable. If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine user account management configurations. If the Mainframe Product is not configured to require users to authenticate with an individual authenticator prior to using a group authenticator, this is a finding.
Configure the Mainframe Product account management settings to require users to authenticate with an individual authenticator prior to using a group authenticator.
If the Mainframe Product employs an external security manager (ESM) for all account management functions, this is not applicable. Examine user account management configurations. If the Mainframe Product account management configuration does not enforce a minimum 15-character password length, this is a finding.
Configure the Mainframe Product account management to enforce a minimum 15-character password length.
If the Mainframe Product employs an external security manager (ESM) for all account management functions, this is not applicable. Examine user account management configurations. If the Mainframe Product does not require at least one uppercase character be used in passwords, this is a finding.
Configure the Mainframe Product account management settings to require the use of at least one uppercase character in passwords.
If the Mainframe Product employs an external security manager (ESM) for all account management functions, this is not applicable. Examine user account management configurations. If the Mainframe Product account management configurations do not require at least one lowercase character be used in passwords, this is a finding.
Configure the Mainframe Product account management settings to require the use of at least one lowercase character in passwords.
If the Mainframe Product employs an external security manager (ESM) for all account management functions, this is not applicable. Examine user account management configurations. If the Mainframe Product account management configurations do not require at least one numeric character be used in passwords, this is a finding.
Configure the Mainframe Product account management settings to require the use of at least one numeric character in passwords.
If the Mainframe Product employs an external security manager (ESM) for all account management functions, this is not applicable. Examine user account management configurations. If the Mainframe Product does not enforce password complexity by requiring at least one special character be used, this is a finding.
Configure the Mainframe Product to enforce password complexity by requiring the use of at least one special character in passwords.
If the Mainframe Product employs an external security manager (ESM) for all account management functions, this is not applicable. Examine user account management configurations. If the Mainframe Product account management settings do not require the change of at least eight of the total characters when passwords are changed, this is a finding.
Configure the Mainframe Product account management settings to require the change of at least eight of the total characters when passwords are changed.
If the Mainframe Product employs an external security manager (ESM) for all account management functions, this is not applicable. Examine user account management configurations. If the Mainframe Product account management configuration does not require that only cryptographically protected passwords are stored, this is a finding.
Configure the Mainframe Product account management to store only cryptographically protected passwords.
If the Mainframe Product employs an external security manager (ESM) for all account management functions, this is not applicable. Examine user account management configurations. If the Mainframe Product account management configuration does not require transmittal of only cryptographically protected passwords, this is a finding.
Configure the Mainframe Product account management to transmit only cryptographically protected passwords.
If the Mainframe Product employs an external security manager (ESM) for all account management functions, this is not applicable. Examine user account management configurations. If the Mainframe Product account management configuration does not enforce 24 hours/1 day as the minimum password lifetime, this is a finding.
Configure the Mainframe Product account management to enforce 24 hours/1 day as the minimum password lifetime.
If the Mainframe Product employs an external security manager (ESM) for all account management functions, this is not applicable. Examine user account management configurations. If the Mainframe Product account management configuration does not enforce a 60-day maximum password lifetime restriction, this is a finding.
Configure the Mainframe Product account management settings to enforce a 60-day maximum password lifetime restriction.
If the Mainframe Product uses an external security manager (ESM) for all account management, this is not applicable. Examine user account management configurations. If the Mainframe Product account management is not configured to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor when using PKI-based authentication, this is a finding.
Configure the Mainframe Product account management settings to validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor when using PKI-based authentication.
If the Mainframe Product employs an external security manager (ESM) for all account management functions, this is not applicable. Examine user account management configurations. If the Mainframe Product account management configurations do not enforce authorized access to the corresponding private key when using PKI-based authentication, this is a finding.
Configure the Mainframe Product account management settings to enforce authorized access to the corresponding private key when using PKI-based authentication.
If the Mainframe Product has no function or capability for user logon, this is not applicable. If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine user account configurations. If the Mainframe Product is not configured to map the authenticated identity to the individual user or group account for PKI-based authentication, this is a finding.
Configure the Mainframe Product account management settings to map the authenticated identity to the individual user or group account for PKI-based authentication.
If the Mainframe Product has no function or capability for user logon, this is not applicable. If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine Mainframe Product installation settings; examine user account configurations. If the Mainframe Product is not configured to obscure feedback of authentication information during the authentication process, this is a finding.
Configure the Mainframe Product account management settings to obscure feedback of authentication information during the authentication process.
If the Mainframe Product has no function or capability for user logon, this is not applicable. If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine user account configurations. If the Mainframe Product is not configured to be FIPS 140 compliant, this is a finding.
Configure the Mainframe Product account management settings to be FIPS 140 compliant.
If the Mainframe Product has no function or capability for user logon, this is not applicable. If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine installation and configuration settings. Examine user account configurations. If the Mainframe Product does not uniquely identify and authenticate non-organizational users, this is a finding.
Configure the Mainframe Product account management settings to uniquely identify and authenticate non-organizational users.
If the Mainframe Product does not perform audit data management or storage functions, this is not applicable. Examine installation and configuration settings. Verify the Mainframe Product audit reduction capability supports on-demand reporting. If it does not, this is a finding.
Configure the Mainframe Product audit reduction capability to support on-demand reporting.
If the Mainframe Product has no function for the use of mobile code, this is not applicable. Examine installation and configuration settings. If the Mainframe Product does not identify mobile code in the installation, this is a finding.
Configure the Mainframe Product to identify mobile code in the installation.
If the Mainframe Product has no function for the use of mobile code, this is not applicable. Examine installation and configuration settings. If the Mainframe Product does not block and/or alert system programmers and security administrators when prohibited mobile code is identified, this is a finding.
Configure the Mainframe Product to block and/or alert system programmers and security administrators when prohibited mobile code is identified.
If the Mainframe Product has no function or capability for mobile code use, this is not applicable. Examine installation and configuration settings. If the Mainframe Product is not configured to prevent the download of prohibited mobile code, this is a finding.
Configure the Mainframe Product to prevent the download of prohibited mobile code.
If the Mainframe Product has no function or capability for mobile code use, this is not applicable. Examine installation and configuration settings. If the Mainframe Product is not configured to prevent the automatic execution of mobile code in all applications, this is a finding.
Configure the Mainframe Product to prevent the automatic execution of mobile code in all applications.
Examine installation and configuration settings. User modules should be loaded into a separate dataset from system management modules. If the Mainframe Product does not differentiate user functionality from product management functionality, this is a finding.
Configure the Mainframe Product to load user modules into a separate dataset from system management modules.
Examine installation and configuration settings. If the Mainframe Product is not configured to secure all processes to a secure state (i.e., not allowing access to protected privileges and procedures in the event of failure), this is a finding.
Configure the Mainframe Product to secure all processes to a secure state (i.e., not allowing access to protected privileges and procedures in the event of failure).
Examine installation and configuration settings. If the Mainframe Product is not configured to preserve information necessary to determine cause of failure and to assist in the return to normal operation, this is a finding.
Configure the Mainframe Product to preserve information necessary to determine cause of failure and to assist in the return to normal operation.
Examine installation and configuration settings. Verify that the Mainframe Product identifies product system-related files and user files for dataset/resource protection. If the Mainframe Product is not configured to protect product system and user files for dataset/resources from unauthorized access, this is a finding. If an external security manager (ESM) is in use, examine ESM configuration and rules. If the configuration and rules do not protect product system-related files and user files for dataset resources from unauthorized access, this is a finding.
Configure the Mainframe Product to protect the product system and user files for dataset/resources from unauthorized access in accordance with applicable access control policies. This can be accomplished using an ESM. Configure the ESM to restrict access to authorized users only in accordance with applicable access control policies.
Examine installation and configuration settings. Security modules should be loaded into different datasets from nonsecurity modules. If the Mainframe Product does not differentiate between security and nonsecurity functions and provide a procedure to isolate the functions, this is a finding.
Configure the Mainframe Product to load security modules into a separate dataset from nonsecurity modules.
If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine account management settings. If emergency accounts are configured to never be automatically removed or disabled, this is not a finding.
Configure the Mainframe Product account management settings to never automatically remove or disable emergency accounts. Accounts should be configured to terminate within 72 hours or when the crisis has passed.
If the Mainframe Product has no function or capability for user/data input, this is not applicable. Examine installation and configuration settings. If the Mainframe Product is not configured to validate input, this is a finding.
Configure the Mainframe Product to validate input.
Examine product documentation and code. If error messages do not limit information provided to only that which is necessary for corrective actions, this is a finding.
Configure the Mainframe Product to limit information provided to only that which is necessary for corrective actions.
Examine product documentation and code. If full-text detailed error messages are not restricted to system programmers and/or security administrators, this is a finding.
Configure the Mainframe Product to restrict full-text detailed error messages to system programmers and/or security administrators only.
If the Mainframe Product has no function or capability for providing malicious code scanning or protection, this is not applicable. Refer to the organizational configuration management policy. Examine installation and configuration settings. If the Mainframe Product is not configured to receive automatic updates in accordance with the organization-defined configuration management policy, this is a finding.
Configure the Mainframe Product to install new releases in accordance with the organizational configuration management policy.
Review the Mainframe Product installation instructions and settings. If the Mainframe Product does not provide a message to the system programmer and security administrator to notify them of failed security verification tests, this is a finding.
Configure the Mainframe Product to notify the system programmer and security administrator of failed security verification tests.
If the Mainframe Product has no function or capability for providing malicious code scanning or protection, this is not applicable. Refer to the organizational configuration management procedures. Examine installation and configuration settings. If the Mainframe Product is not configured to install new releases using the organization-defined configuration management procedures, this is a finding.
Configure the Mainframe Product to install new releases using the organizational configuration management procedures.
If the Mainframe Product has no function or capability for providing malicious code scanning or protection, this is not applicable. Examine installation and configuration settings. If the Mainframe Product is not configured to perform periodic scans of the information system every seven days, this is a finding.
Configure the Mainframe Product to perform periodic scans of the information system every seven days.
If the Mainframe Product does not perform audit data management or storage functions, this is not applicable. Examine the Mainframe Product installation settings. If the Mainframe Product does not use cryptographic mechanisms to protect the integrity of audit tools, this is a finding.
Configure the Mainframe Product to use cryptographic mechanisms to protect the integrity of audit tools.
If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine account management settings. If the Mainframe Product does not notify system programmers and security administrators when accounts are created, this is a finding.
Configure the Mainframe Product account management settings to notify system programmers and security administrators when accounts are created.
If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine account management settings. If the Mainframe Product does not notify system programmers and security administrators when accounts are modified, this is a finding.
Configure the Mainframe Product account management settings to notify system programmers and security administrators when accounts are modified.
If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine account management settings. If the Mainframe Product does not notify system programmers and security administrators of account disabling actions, this is a finding.
Configure the Mainframe Product account management settings to notify system programmers and security administrators when there are account disabling actions performed.
If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine account management settings. If the Mainframe Product does not notify system programmers and security administrators of account removal actions, this is a finding.
Configure the Mainframe Product account management settings to notify system programmers and security administrators when there are account removal actions performed.
If the Mainframe Product has no data screen capability, this requirement is not applicable. Determine whether the Mainframe Product has the capability to terminate user sessions according to the conditions and triggers defined in the site security plan. If it cannot, this is a finding. Examine configuration settings to determine whether the Mainframe Product is configured to automatically terminate sessions. If it is not, this is a finding.
Configure the Mainframe Product to automatically terminate a user session upon any condition or trigger defined in the site security plan that requires disconnect.
If the Mainframe Product has no logon capability, this requirement is not applicable. If the Mainframe Product does not provide a logoff capability for user-initiated communication sessions, this is a finding. Examine the Mainframe Product configuration settings to determine whether a user can log off. If the configurations are not properly set, this is a finding.
Configure the Mainframe Product settings to provide capability of user-initiated logoff.
If the Mainframe Product has no logon capability, this requirement is not applicable. Examine the Mainframe Product configuration settings to determine whether the Mainframe Product displays an explicit logoff message. If it does not, this is a finding.
Configure the Mainframe Product to display a specific logoff message.
If the Mainframe Product does not perform data management or storage functions, this is not applicable. Examine installation and configuration settings and/or specific metadata for security attributes as defined by the organization. If there is no data labeling or tagging, this is a finding.
Configure the Mainframe Product to associate organization-defined security attributes with managed data sets in storage. Verify the datasets' attributes are labeled and/or tagged appropriately.
If the Mainframe Product does not perform data management or storage functions, this is not applicable. Examine installation and configuration settings and/or specific metadata for individual types of security attributes as defined by the organization. If there is no specific data labeling or tagging, this is a finding.
Configure the Mainframe Product to associate organization-defined security attributes with managed data sets in process. Verify the datasets' attributes are labeled and/or tagged appropriately.
If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine account management settings. If shared/group credentials are not terminated when members leave the group, this is a finding.
Configure the Mainframe Product account management settings to terminate shared/group account credentials when members leave the group.
If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine account management settings. If the Mainframe Product does not automatically audit account creation, this is a finding.
Configure the Mainframe Product account management settings to automatically audit account enabling actions.
If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine account management settings. If the Mainframe Product does not notify system programmers and security administrators of account enabling actions, this is a finding.
Configure the Mainframe Product account management settings to notify system programmers and security administrators of account enabling actions.
Examine installation, configuration, and product documentation. If the Mainframe Product does not enforce organization-defined discretionary access control policies over defined subjects and objects, this is a finding.
If necessary, configure the Mainframe Product installation and configuration settings to enforce organization-defined discretionary access control policies over defined subjects and objects.
Examine installation and configuration settings. Determine the Mainframe Product privileged functions. If the Mainframe Product uses an external security manager (ESM) for access authorizations, verify the ESM restricts access to privileged functions to appropriate privileged users. If it does not, this is a finding. If the Mainframe Product does not use an ESM, verify that installation and configuration settings restrict access to privileged functions to appropriate privileged users. If they do not, this is a finding.
Configure the Mainframe Product to prevent non-privileged users from executing privileged functions. This can be accomplished using the ESM. Configure the ESM to restrict update and higher access to privileged functions to privileged users.
Examine installation and configuration settings. Determine that the Mainframe Product identifies functions requiring elevated privileges. If the Mainframe Product uses an external security manager, ensure that execution uses the authority of the initiating user rather than that of the Mainframe Product. If it does not, this is a finding. If the Mainframe Product does not use an external security manager, ensure installation and configuration settings use the authority of the initiating user rather than that of the Mainframe Product. If they do not, this is a finding.
Using information from the Mainframe Product about privileged functions, configure the external security manager to enforce the parameters governing the submission of jobs on behalf of another user.
Examine installation and configuration settings. Verify the Mainframe Product provides logging for execution of privileged functions through use of SMF, the SYSLOG, the external security management software log, or to some other reliable log file. If it does not, this is a finding.
Configure the Mainframe Product to log the execution of privileged functions using the external security manager, SMF, and/or the SYSLOG.
If the Mainframe Product has no function or capability for user logon, this is not applicable. If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine Mainframe Product configuration settings. Verify that the Mainframe Product account management setting automatically locks the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded. If it does not, this is a finding.
Configure the Mainframe Product account management settings to automatically lock the account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are exceeded.
If the Mainframe Product uses MVS System Management Facility (SMF) recording or external security manager (ESM) log files for auditing purposes, this is not applicable. Examine the Mainframe Product installation and configuration auditing settings. If the installation and/or configuration settings for auditing do not allocate audit record storage capacity in accordance with organization-defined audit record storage requirements, this is a finding.
Configure installation and/or configuration auditing settings to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
If the Mainframe Product uses MVS System Management Facility (SMF) recording or external security manager (ESM) log files for auditing purposes, this is not applicable. Examine the Mainframe Product installation and configuration auditing settings. If the installation and/or configuration settings for auditing do not require the off-loading of audit records onto a different system or media than the system being audited, this is a finding.
Configure the Mainframe Product installation and/or configuration settings to off-load audit records onto a different system or media than the system being audited.
If the Mainframe Product uses MVS System Management Facility (SMF) recording or external security manager (ESM) log files for auditing purposes, this is not applicable. Examine the Mainframe Product installation and configuration auditing settings. If the installation and/or configuration settings for auditing do not provide an immediate warning to the system programmer and security administrator (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity, this is a finding.
Configure the Mainframe Product installation and configuration settings for auditing to provide an immediate warning to the system programmer and security administrator (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity.
If the Mainframe Product does not perform audit data management or storage function, this is not applicable. Examine configuration settings. If the Mainframe Product does not provide for immediate real-time alerts to operations staff, system programmers, and/or security administrators for audit failures requiring real-time alerts, this is a finding.
Configure the Mainframe Product to provide for immediate real-time alerts to operations staff, system programmers, and/or security administrators for audit failures requiring real-time alerts.
If the Mainframe Product does not perform audit data management or storage functions, this is not applicable. Examine installation and configuration settings. Verify the Mainframe Product audit reduction capability supports on-demand review and analysis. If it does not, this is a finding.
Configure the Mainframe Product audit reduction capability to support on-demand review and analysis.
If the Mainframe Product does not perform audit data management or storage functions, this is not applicable. Examine installation and configuration settings. Verify the Mainframe Product audit reduction capability supports after-the-fact investigations of security incidents. If it does not, this is a finding.
Configure the Mainframe Product audit reduction capability to support after-the-fact investigations of security incidents.
If the Mainframe Product does not perform audit data management or storage functions, this is not applicable. Examine installation and configuration settings. Verify the Mainframe Product audit report generation supports on-demand review and analysis. If it does not, this is a finding.
Configure the Mainframe Product audit report generation to support on-demand review and analysis.
If the Mainframe Product does not perform audit data management or storage function, this is not applicable. Examine installation and configuration settings. Verify the Mainframe Product report generation capability supports on-demand reporting. If it does not, this is a finding.
Configure the Mainframe Product report generation capability to support on-demand reporting.
If the Mainframe Product does not perform audit data management or storage function, this is not applicable. Examine installation and configuration settings. Verify the Mainframe Product report generation capability supports after-the-fact investigations of security incidents. If it does not, this is a finding.
Configure the Mainframe Product report generation capability to support after-the-fact investigations of security incidents.
If the Mainframe Product does not perform audit data management or storage function, this is not applicable. Examine installation and configuration settings. Verify the Mainframe Product audit reduction capability does not alter original content or time ordering of audit records. If it does, this is a finding.
Configure the Mainframe Product audit reduction capability to not alter original content or time ordering of audit records.
If the Mainframe Product does not perform audit data management or storage function, this is not applicable. Examine installation and configuration settings. Verify the Mainframe Product report generation does not alter original content or time ordering of audit records. If it does, this is a finding.
Configure the Mainframe Product report generation to not alter original content or time ordering of audit records.
Examine installation and configuration settings for change management. If the Mainframe Product does not identify installation privilege roles and prohibit user installation of software without explicit privileged status, this is a finding. If the Mainframe Product uses an external security manager (ESM) and there are no rules for the identified roles and access is not restricted to appropriate privileged users according to site security plan, this is a finding.
Configure the Mainframe Product to prohibit user installation of software without explicit privileged status. If the Mainframe Product uses an ESM, configure the ESM to include rules for installation of software-privileged roles. Configure the roles to restrict access for software installation to the user with privilege status.
Examine installation and configuration settings. If the Mainframe Product does not implement organization-defined automated security responses if baseline configurations are changed in an unauthorized manner, this is a finding.
Configure installation and/or configuration auditing settings to implement organization-defined automated security responses if baseline configurations are changed in an unauthorized manner.
Examine configuration settings. Examine organization change management policies. If the Mainframe Product does not enforce access restrictions associated with changes to the application in accordance with change management policies, this is a finding. If the Mainframe Product uses an external security manager (ESM), examine rules for change management access. If there are no rules for this access or access is not restricted to users in accordance with change management policies, this is a finding.
Configure Mainframe Product change management settings to enforce access restrictions associated with changes to application configuration to appropriate users according to organizational change policies. If the Mainframe Product uses an ESM, configure rules to restrict access associated with application configuration change to appropriate users according to organizational change policies.
Examine configuration settings. Examine organization change management policies. If the Mainframe Product does not audit, using System Management Facility (SMF) or an external security manager audit, the enforcement actions used to restrict access associated with changes to the application in accordance with change management policies, this is a finding.
Configure Mainframe Product change management settings to audit the enforcement actions used to restrict access associated with changes to application configuration to appropriate users according to organizational change policies.
If the Mainframe Product uses an external security manager for all account management, this is not applicable. Examine user account management configurations. If the Mainframe Product account management is not configured to accept PIV credentials, this is a finding.
Configure the Mainframe Product account management settings to accept PIV credentials.
If the Mainframe Product uses an external security manager (ESM) for all account management, this is not applicable. Examine user account management configurations. If the Mainframe Product account management settings are not configured to electronically verify PIV credentials, this is a finding.
Configure the Mainframe Product account management settings to electronically verify PIV credentials.
If the Mainframe Product has no function or capability for user logon, this is not applicable. If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine user account management configurations. If the Mainframe Product is not configured to prohibit the use of cached authenticators after one hour, this is a finding.
Configure the Mainframe Product account management settings to prohibit the use of cached authenticators after one hour.
If the Mainframe Product has no function or capability for user logon, this is not applicable. If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine user account configurations. If the Mainframe Product is not configured to accept PIV credentials from other federal agencies, this is a finding.
Configure the Mainframe Product account management settings to accept PIV credentials from other federal agencies.
If the Mainframe Product has no function or capability for user logon, this is not applicable. If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine user account configurations. If the Mainframe Product is not configured to electronically verify PIV credentials from other federal agencies, this is a finding.
Configure the Mainframe Product account management settings to electronically verify PIV credentials from other federal agencies.
If the Mainframe Product has no function or capability for user logon, this is not applicable. If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine user account configurations. If the Mainframe Product is not configured to accept FICAM-approved third-party credentials, this is a finding.
Configure the Mainframe Product account management settings to accept FICAM-approved third-party credentials.
If the Mainframe Product has no function or capability for user logon, this is not applicable. If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine user account configurations. If the Mainframe Product is not configured to conform to FICAM-issued profiles, this is a finding.
Configure the Mainframe Product account management settings to conform to FICAM-issued profiles.
If the Mainframe Product has no function or capability for nonlocal maintenance, this is not applicable. Examine installation and configuration settings. If the Mainframe Product does not audit the nonlocal maintenance and diagnostic session audit events defined in the site security plan using external security manager files and/or SMF records, this is a finding.
Configure the Mainframe Product to audit the nonlocal maintenance and diagnostic session audit events defined in the site security plan using external security manager files and/or SMF records.
If the Mainframe Product has no function or capability for nonlocal maintenance, this is not applicable. Examine installation and configuration settings. If the Mainframe Product does not use FIPS 140-compliant modules to protect the integrity of nonlocal maintenance and diagnostic communications, this is a finding.
Configure the Mainframe Product to use FIPS 140-compliant modules to protect the integrity of nonlocal maintenance and diagnostic communications.
If the Mainframe Product has no function or capability for nonlocal maintenance, this is not applicable. Examine installation and configuration settings. If the Mainframe Product does not use FIPS 140-compliant modules to protect the confidentiality of nonlocal maintenance and diagnostic communications, this is a finding.
Configure the Mainframe Product to use FIPS 140-compliant modules to protect the confidentiality of nonlocal maintenance and diagnostic communications.
If the Mainframe Product has no function or capability for nonlocal maintenance, this is not applicable. Examine installation and configuration settings. If the Mainframe Product does not verify remote disconnection at the termination of nonlocal maintenance and diagnostic sessions, this is a finding.
Configure the Mainframe Product to verify remote disconnection at the termination of nonlocal maintenance and diagnostic sessions.
If the Mainframe Product has no vulnerability scanning function or capability, this is not applicable. If the Mainframe Product employs an external security manager for all account management functions, this is not applicable. Examine installation and configuration settings. If the Mainframe Product does not restrict privileged access to all information system infrastructure components to appropriate personnel, this is a finding.
Configure the Mainframe Product account management settings to restrict privileged access to all information system infrastructure components to appropriate personnel.
Examine installation and configuration settings. Review requirements for relevant organizational or site-defined information. If the Mainframe Product does not have cryptographic mechanisms implemented to prevent unauthorized modification of all information not cleared for public release at rest on system components outside of organization facilities, this is a finding.
Configure the Mainframe Product to implement cryptographic mechanisms to prevent unauthorized modification of all information not cleared for public release at rest on system components outside of organization facilities.
Examine installation and configuration settings. Review requirements for relevant organization or site-defined information. If the Mainframe Product does not have cryptographic mechanisms implemented to prevent unauthorized disclosure of all information not cleared for public release at rest on system components outside of organization facilities, this is a finding.
Configure the Mainframe Product to implement cryptographic mechanisms to prevent unauthorized disclosure of all information not cleared for public release at rest on system components outside of organization facilities.
If the Mainframe Product has no function or capability for multi-session operation, this is not applicable. If the Mainframe Product is not configured to uniquely define and engineer each session to execute independently of any other session, this is a finding.
Configure the Mainframe Product to uniquely define and engineer each session to execute independently of any other session.
If the Mainframe Product has no function or capability for user/data input, this is not applicable. Examine installation and configuration settings. If the Mainframe Product is not configured to behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received, this is a finding.
Configure the Mainframe Product to behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received.
Examine installation and configuration settings. Determine whether the operating system's critical core programs are identified. If the Mainframe Product does not protect critical core programs, this is a finding. If an external security manager (ESM) is in use, verify that the ESM is configured and/or has rules to protect critical core programs. If it does not, this is a finding.
Configure the Mainframe Product to identify the operating system's critical core programs for protection in accordance with applicable access control policies. This can be accomplished by an external security manager (ESM). Configure the ESM to restrict access to these critical core programs to appropriate users in accordance with applicable access control policies.
Examine inventory of installed software components for the Mainframe Product. If the Mainframe Product does not remove all upgraded/replaced software components that are no longer required for operation, this is a finding.
Configure the Mainframe Product to remove all upgraded/replaced software components that are no longer required for operation.
Review the Mainframe Product's published version/release information. Review authoritative sources. If security-relevant updates are not installed as required, this is a finding.
Install security-relevant updates as required.
Examine the installation, configuration, and product documentation. If the Mainframe Product does not verify the correct operation of its security functions, which may include a valid connection to an external security manager (ESM), this is a finding.
If necessary, configure the Mainframe Product installation and configuration settings to verify the correct operation of security functions.
Examine the installation, configuration, and product documentation. If the Mainframe Product does not verify the correct operation of its security functions, which may include a valid connection to an external security manager (ESM), upon product startup/restart, on demand by a user with privileged access, and/or every 30 days, this is a finding.
If necessary, configure the Mainframe Product installation and configuration settings to verify the correct operation of security functions, which may include a valid connection to an ESM, upon product startup/restart, on demand by a user with privileged access, and/or every 30 days.
Examine installation and configuration settings. If the Mainframe Product is not configured to shut down and/or restart, and to notify system programmer and operations staff, when anomalies in the operation of security functions as defined in the site security plan are discovered, this is a finding.
Configure the Mainframe Product to shut down and/or restart, and to notify system programmer and operations staff, when anomalies in the operation of security functions as defined in the site security plan are discovered.
If the Mainframe Product has no function or capability for integrity verification, this is not applicable. Examine installation and configuration settings. If the Mainframe Product is not configured to perform an integrity check of all software from vendors/sources that provide cryptographic mechanisms for validating code authenticity and integrity at startup, at the transitional states or security-relevant events defined in the site security plan, or annually, this is a finding.
Configure the Mainframe Product to perform an integrity check of all software from vendors/sources that provide cryptographic mechanisms for validating code authenticity and integrity at startup, at the transitional states or security-relevant events defined in the site security plan, or annually.
If the Mainframe Product has no function or capability for integrity verification, this is not applicable. Examine installation and configuration settings. If the Mainframe Product is not configured to perform an integrity check of the information defined in the site security plan at startup, at the transitional states or security-relevant events defined in the site security plan, or annually, this is a finding.
Configure the Mainframe Product to perform an integrity check of the information defined in the site security plan at startup, at the transitional states or security-relevant events defined in the site security plan, or annually.
If the Mainframe Product has no function or capability for integrity verification, this is not applicable. Examine installation and configuration settings. If the Mainframe Product is not configured to automatically shut down the information system, restart the information system, and/or implement security safeguards under the conditions defined in the site security plan when integrity violations are discovered, this is a finding.
Configure the Mainframe Product to automatically shut down the information system, restart the information system, and/or implement security safeguards under the conditions defined in the site security plan when integrity violations are discovered.
If the Mainframe Product has no function or capability for integrity verification, this is not applicable. Examine installation and configuration settings. If the Mainframe Product is not configured to audit detected potential integrity violations, this is a finding.
Configure the Mainframe Product to audit detected potential integrity violations.
If the Mainframe Product has no function or capability for integrity verification, this is not applicable. Examine installation and configuration settings. If the Mainframe Product is not configured to generate an audit record, alert the current user, alert the personnel or roles defined in the site security plan, and/or perform other actions defined in the site security plan when a potential integrity violation is detected, this is a finding.
Configure the Mainframe Product to generate an audit record, alert the current user, alert the personnel or roles defined in the site security plan, and/or perform other actions defined in the site security plan when a potential integrity violation is detected.
If the Mainframe Product has no function or capability for mobile code use, this is not applicable. Examine installation and configuration settings. If the Mainframe Product is not configured to prompt user for action before executing mobile code, this is a finding.
Configure the Mainframe Product to prompt the user for action before executing mobile code.
Examine installation and configuration settings. Verify that the Mainframe Product identifies all security objects and writes to SMF and/or uses an external security manager (ESM) to generate audit records when successful/unsuccessful attempts to access security objects occur. If it does not, this is a finding.
Configure the Mainframe Product to write to SMF and/or issue an audit SAF call when successful/unsuccessful attempts to access security objects occur.
Examine installation and configuration settings. Verify that the Mainframe Product identifies all security levels and writes to SMF and/or uses an external security manager to generate audit records when successful/unsuccessful attempts to access security levels occur. If it does not, this is a finding.
Configure the Mainframe Product to write to SMF and/or issue an audit SAF call when successful/unsuccessful attempts to access security levels occur.
Examine installation and configuration settings. Verify that the Mainframe Product identifies all security categories of information and writes to SMF and/or uses an external security manager to generate audit records when successful/unsuccessful attempts to access categories of information occur. If it does not, this is a finding.
Configure the Mainframe Product to write to SMF and/or issue an audit SAF call when successful/unsuccessful attempts to access categories of information occur.
Examine installation and configuration settings. Verify that the Mainframe Product identifies all security privileges and writes to SMF and/or uses an external security manager (ESM) to generate audit records when successful/unsuccessful attempts to modify privileges occur. If it does not, this is a finding.
Configure the Mainframe Product to write to SMF and/or issue an audit SAF call when successful/unsuccessful attempts to modify privileges occur.
Examine installation and configuration settings. Verify that the Mainframe Product identifies all security objects and writes to SMF and/or uses an external security manager to generate audit records when successful/unsuccessful attempts to modify security objects occur. If it does not, this is a finding.
Configure the Mainframe Product to write to SMF and/or issue an audit SAF call when successful/unsuccessful attempts to modify security objects occur.
Examine installation and configuration settings. Verify that the Mainframe Product identifies all security levels and writes to SMF and/or uses an external security manager to generate audit records when successful/unsuccessful attempts to modify security levels occur. If it does not, this is a finding.
Configure the Mainframe Product to write to SMF and/or issue an audit SAF call when successful/unsuccessful attempts to modify security levels occur.
Examine installation and configuration settings. Verify that the Mainframe Product identifies all security categories of information and writes to SMF and/or uses an external security manager to generate audit records when successful/unsuccessful attempts to modify categories of information occur. If it does not, this is a finding.
Configure the Mainframe Product to write to SMF and/or issue an audit SAF call when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur.
Examine installation and configuration settings. Verify that the Mainframe Product identifies privileged functions and writes to SMF and/or uses an external security manager (ESM) to generate audit records when successful/unsuccessful attempts to delete privileges occur. If it does not, this is a finding.
Configure the Mainframe Product to write to SMF and/or issue an audit SAF call when successful/unsuccessful attempts to delete privileges occur.
Examine installation and configuration settings. Verify that the Mainframe Product identifies all security levels and writes to SMF and/or uses an external security manager to generate audit records when successful/unsuccessful attempts to delete security levels occur. If it does not, this is a finding.
Configure the Mainframe Product to write to SMF and/or issue an audit SAF call when successful/unsuccessful attempts to delete security levels occur.
Examine installation and configuration settings. Verify that the Mainframe Product identifies all security objects and writes to SMF and/or uses an external security manager to generate audit records when successful/unsuccessful attempts to delete security objects occur. If it does not, this is a finding.
Configure the Mainframe Product to write to SMF and/or issue an audit SAF call when successful/unsuccessful attempts to delete security objects occur.
Examine installation and configuration settings. Verify that the Mainframe Product identifies all security categories of information and writes to SMF and/or uses an external security manager to generate audit records when successful/unsuccessful attempts to delete categories of information occur. If it does not, this is a finding.
Configure the Mainframe Product to write to SMF and/or issue an audit SAF call when successful/unsuccessful attempts to delete categories of information occur.
If the Mainframe Product does not have the function or capability for user logon, this is not applicable. Examine configuration settings. Determine if successful/unsuccessful logon attempts are audited. If they are not, this is a finding.
Configure the Mainframe Product to issue an audit SAF call when successful/unsuccessful logon attempts occur.
Examine installation and configuration settings. Verify that the Mainframe Product identifies privileged functions and writes to SMF and/or issues a SAF call to an external security manager (ESM) to generate audit records for all privileged activities or other system-level access. If it does not, this is a finding.
Configure the Mainframe Product to write to SMF and/or issue an audit SAF call for all privileged activities or other system-level access.
If the Mainframe Product has no function or capability for user access, this is not applicable. Examine configuration settings. If the Mainframe Product does not identify and audit the start and end times of user access to the system, this is a finding.
Configure the Mainframe Product to issue an audit SAF call recording the starting and ending times of user access to the system.
If the Mainframe Product has no function or capability for user logon, this is not applicable. Examine configuration settings. If the Mainframe Product does not generate audit records when concurrent logons from different workstations occur, this is a finding.
Configure the Mainframe Product to issue an audit SAF call when concurrent logons from different workstations occur.
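As an added illustration of the two checks above (this is example code, not part of the STIG or of any Mainframe Product), the following Python replays a constructed logon/logoff log, records the start and end time of every user session, and emits an audit record whenever a user obtains a concurrent session from a different workstation. The log line format, the terminal names and the record layout are assumptions made for the example.

```python
"""Session start/end recording and concurrent-logon detection.

Added example, not part of the STIG or of any vendor product. It replays a
constructed sequence of logon/logoff events (the information a product would
write to SMF or pass to the ESM in a SAF call) and produces the two things
the requirements above ask for: the start and end time of every session, and
an audit record each time a user gains a second active session from a
different workstation. Line format and terminal identifiers are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log: "<timestamp> <userid> <terminal> <LOGON|LOGOFF>"
SAMPLE_EVENTS = [
    "2024-03-01T08:00:00 USER01 TERM0A01 LOGON",
    "2024-03-01T08:05:00 USER02 TERM0A02 LOGON",
    "2024-03-01T08:10:00 USER01 TERM0B07 LOGON",   # second workstation while TERM0A01 is active
    "2024-03-01T08:12:00 USER02 TERM0A02 LOGON",   # reconnect on the same terminal: not concurrent
    "2024-03-01T08:30:00 USER01 TERM0A01 LOGOFF",
    "2024-03-01T08:45:00 USER01 TERM0C03 LOGON",   # TERM0B07 still active: concurrent again
    "2024-03-01T09:00:00 USER01 TERM0B07 LOGOFF",
    "2024-03-01T09:05:00 USER01 TERM0C03 LOGOFF",
    "2024-03-01T09:10:00 USER02 TERM0A02 LOGOFF",
]


@dataclass
class Event:
    ts: datetime
    user: str
    terminal: str
    action: str


def parse_event(line: str) -> Event:
    """Parse one constructed log line; malformed input raises ValueError."""
    ts, user, terminal, action = line.split()
    if action not in ("LOGON", "LOGOFF"):
        raise ValueError(f"unknown action {action!r}")
    return Event(datetime.fromisoformat(ts), user, terminal, action)


def audit_sessions(lines):
    """Return (sessions, alerts).

    sessions: one dict per completed session with its start and end time.
    alerts:   one dict per LOGON that overlapped an active session of the same
              user on a different terminal, i.e. the concurrent-logon event
              that must produce an audit record.
    """
    active = {}      # user -> {terminal: logon time}
    sessions = []
    alerts = []
    for line in lines:
        ev = parse_event(line)
        user_sessions = active.setdefault(ev.user, {})
        if ev.action == "LOGON":
            others = sorted(t for t in user_sessions if t != ev.terminal)
            if others:
                alerts.append({"ts": ev.ts, "user": ev.user,
                               "terminal": ev.terminal, "active": others})
            # a repeated LOGON on the same terminal keeps the original start time
            user_sessions.setdefault(ev.terminal, ev.ts)
        else:
            start = user_sessions.pop(ev.terminal, None)
            if start is None:
                continue  # LOGOFF with no matching LOGON; itself worth auditing, not closed here
            sessions.append({"user": ev.user, "terminal": ev.terminal,
                             "start": start, "end": ev.ts,
                             "duration_min": (ev.ts - start).total_seconds() / 60})
    return sessions, alerts


def format_alert(alert) -> str:
    """Render a concurrent-logon alert as a one-line audit record."""
    return (f"{alert['ts'].isoformat()} CONCURRENT-LOGON user={alert['user']} "
            f"new={alert['terminal']} active={','.join(alert['active'])}")


if __name__ == "__main__":
    found_sessions, found_alerts = audit_sessions(SAMPLE_EVENTS)
    for a in found_alerts:
        print(format_alert(a))
    for s in found_sessions:
        print(f"{s['user']} {s['terminal']} {s['start']:%H:%M}-{s['end']:%H:%M} "
              f"({s['duration_min']:.0f} min)")
```

Running the block prints two CONCURRENT-LOGON records for USER01 and four session records with their durations; the repeated LOGON by USER02 from the same terminal is treated as a reconnect and is not flagged. A LOGOFF with no matching LOGON is skipped here, but a production implementation should audit it as well, since it indicates a gap in the session record.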
Examine installation and configuration settings. Verify that the Mainframe Product identifies access to all objects and writes to SMF and/or uses an external security manager to generate audit records for all access. If it does not, this is a finding.
Configure the Mainframe Product to write to SMF and/or issue an audit SAF call when successful/unsuccessful accesses to objects occur.
Examine installation and configuration settings. Verify that the Mainframe Product identifies direct access to the Mainframe Product and writes to SMF and/or uses an external security manager (ESM) to generate audit records for all direct access. If it does not, this is a finding.
Configure the Mainframe Product to write to SMF and/or issue an audit SAF call for all direct access to the information system.
If the Mainframe Product has no function or capability for account creation, this is not applicable. Examine installation and configuration settings. Verify that the Mainframe Product identifies account functions and writes to SMF and/or uses an external security manager (ESM) to generate audit records for all account creation, modification, disabling, and termination events. If it does not, this is a finding.
Configure the Mainframe Product to write to SMF and/or issue an audit SAF call for all account creation, modification, disabling, and termination events.
Examine installation and configuration settings. Verify that the Mainframe Product identifies all kernel module activities and writes to SMF and/or uses an external security manager (ESM) to generate audit records for all kernel module load, unload, and restart events, and for all program initiations. If it does not, this is a finding.
Configure the Mainframe Product to write to SMF and/or issue an audit SAF call for all kernel module load, unload, and restart events, and for all program initiations.
Examine installation and configuration settings. If the Mainframe Product does not implement FIPS 140 cryptography to provision digital signatures in accordance with applicable federal laws, Executive orders, directives, policies, regulations, and standards, this is a finding.
Configure the Mainframe Product settings to implement FIPS 140 cryptography to provision digital signatures in accordance with applicable federal laws, Executive orders, directives, policies, regulations, and standards.
Examine installation and configuration settings. If the Mainframe Product does not implement FIPS 140 cryptography to generate and validate cryptographic hashes in accordance with applicable federal laws, Executive orders, directives, policies, regulations, and standards, this is a finding.
Configure the Mainframe Product settings to implement FIPS 140 cryptography to generate and validate cryptographic hashes in accordance with applicable federal laws, Executive orders, directives, policies, regulations, and standards.
Examine installation and configuration settings. If the Mainframe Product does not implement FIPS 140 cryptography to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive orders, directives, policies, regulations, and standards, this is a finding.
Configure the Mainframe Product settings to implement FIPS 140 cryptography to protect unclassified information requiring confidentiality and cryptographic protection in accordance with applicable federal laws, Executive orders, directives, policies, regulations, and standards.
Refer to site security configuration policies. Refer to Mainframe Product security documentation. Examine configuration settings. If configuration settings do not adhere to site policies, this is a finding.
Configure the Mainframe Product to adhere to site policies.
If the Mainframe Product has no function or capability for session operations, this is not applicable. Examine installation and configuration settings. Verify that the Mainframe Product has the capability to select user sessions for monitoring and allows system programmers and security administrators to select sessions to capture/record or view/hear in accordance with applicable access control policies. If it does not, this is a finding. If there is an external security manager (ESM) in use, verify that the ESM restricts the ability to select sessions to capture/record or view/hear in accordance with applicable access control policies to system programmers or security administrators. If it does not, this is a finding.
Configure the Mainframe Product to permit authorized users to select a user session to capture/record or view/hear. If there is an ESM in use, configure ESM to restrict the ability to select sessions to capture/record or view/hear in accordance with applicable access control policies to system programmers or security administrators.
If the Mainframe Product has no function or capability for session operations, this is not applicable. Examine installation and configuration settings. If the Mainframe Product does not have the capability to remotely view/hear, in real time, all content related to an established user session from a component separate from the Mainframe Product being monitored, this is a finding. If the Mainframe Product does not restrict this capability to system programmers and security administrators, this is a finding. If an external security manager (ESM) is in use, verify that the ESM restricts the capability to remotely view/hear, in real time, all content related to an established user session from a component separate from the Mainframe Product being monitored to system programmers or security administrators. If it does not, this is a finding.
Configure the Mainframe Product to permit authorized users to remotely view/hear, in real time, all content related to an established user session from a component separate from the Mainframe Product being monitored. If an ESM is in use, configure rules to restrict the ability to remotely view/hear, in real time, all content related to an established user session from a component separate from the Mainframe Product being monitored to system programmers and security administrators.
If the Mainframe Product is deployed in an unclassified environment, this is not applicable. Examine installation and configuration settings. If the Mainframe Product does not implement NSA-approved cryptography to protect classified information using an external security manager (ESM), this is a finding.
Configure the Mainframe Product to implement NSA-approved cryptography to protect classified information using an external security manager.
Verify the Mainframe Product is configured to disable accounts when the accounts have expired. If the Mainframe Product is not configured to disable accounts when the accounts have expired, this is a finding.
Configure the Mainframe Product to disable accounts when the accounts have expired.
Verify the Mainframe Product is configured to disable accounts when the accounts are no longer associated to a user. If the Mainframe Product is not configured to disable accounts when the accounts are no longer associated to a user, this is a finding.
Configure the Mainframe Product to disable accounts when the accounts are no longer associated to a user.
Verify the Mainframe Product is configured to implement the capability to centrally review and analyze audit records from multiple components within the system. If the Mainframe Product is not configured to implement the capability to centrally review and analyze audit records from multiple components within the system, this is a finding.
Configure the Mainframe Product to implement the capability to centrally review and analyze audit records from multiple components within the system.
Verify the Mainframe Product is configured to alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information. If the Mainframe Product is not configured to alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information, this is a finding.
Configure the Mainframe Product to alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information.
Verify the Mainframe Product is configured to implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access. If the Mainframe Product is not configured to implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access, this is a finding.
Configure the Mainframe Product to implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access.
Verify the Mainframe Product is configured to implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements. If the Mainframe Product is not configured to implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements, this is a finding.
Configure the Mainframe Product to implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements.
Verify the Mainframe Product is configured to maintain a list of commonly used, expected, or compromised passwords on an organization-defined frequency. If the Mainframe Product is not configured to maintain a list of commonly used, expected, or compromised passwords on an organization-defined frequency, this is a finding.
Configure the Mainframe Product to maintain a list of commonly used, expected, or compromised passwords on an organization-defined frequency.
Verify the Mainframe Product is configured to update the list of passwords on an organization-defined frequency. If the Mainframe Product is not configured to update the list of passwords on an organization-defined frequency, this is a finding.
Configure the Mainframe Product to update the list of passwords on an organization-defined frequency.
Verify the Mainframe Product is configured to update the list of passwords when organizational passwords are suspected to have been compromised directly or indirectly. If the Mainframe Product is not configured to update the list of passwords when organizational passwords are suspected to have been compromised directly or indirectly, this is a finding.
Configure the Mainframe Product to update the list of passwords when organizational passwords are suspected to have been compromised directly or indirectly.
Verify the Mainframe Product is configured to verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a). If the Mainframe Product is not configured to verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a), this is a finding.
Configure the Mainframe Product to verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a).
Verify the Mainframe Product is configured to require immediate selection of a new password upon account recovery. If the Mainframe Product is not configured to require immediate selection of a new password upon account recovery, this is a finding.
Configure the Mainframe Product to require immediate selection of a new password upon account recovery.
Verify the Mainframe Product is configured to allow user selection of long passwords and passphrases, including spaces and all printable characters. If the Mainframe Product is not configured to allow user selection of long passwords and passphrases, including spaces and all printable characters, this is a finding.
Configure the Mainframe Product to allow user selection of long passwords and passphrases, including spaces and all printable characters.
Verify the Mainframe Product is configured to employ automated tools to assist the user in selecting strong password authenticators. If the Mainframe Product is not configured to employ automated tools to assist the user in selecting strong password authenticators, this is a finding.
Configure the Mainframe Product to employ automated tools to assist the user in selecting strong password authenticators.
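As an added illustration of the password-authenticator items above (the blocklist of commonly used, expected, or compromised passwords, updating that list, rejecting a new password found on it, allowing long passphrases with spaces and any printable character, and assisting the user in choosing a strong authenticator), the following Python is example code, not part of the STIG or of any Mainframe Product. The blocklist contents, the length limits and the violation codes are assumptions made for the example.

```python
"""Password-authenticator checks for the blocklist and passphrase items above.

Added example, not from the STIG or from any vendor product. It checks a
candidate password against a blocklist of commonly used, expected, or
compromised passwords, merges new entries into that list, accepts long
passphrases containing spaces and any printable character, and returns
feedback a user-facing tool could show. The blocklist contents, length
limits and return codes are assumptions for illustration.
"""
import re
import string

# Constructed blocklist; a real deployment loads it on the organization-defined
# frequency and refreshes it whenever a compromise is suspected.
BLOCKLIST = {
    "password", "password1", "123456", "qwerty", "welcome", "letmein",
    "winter2024", "mainframe", "correct horse battery staple",
}
MIN_LENGTH = 15      # assumed site minimum; the STIG text sets no number here
MAX_LENGTH = 128     # assumed site maximum
# all printable characters are allowed, including the space; other whitespace is not
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def candidate_forms(password: str):
    """Yield normalised forms so trivial decoration does not defeat the list."""
    base = password.lower()
    yield base
    no_punct = re.sub(r"[^a-z0-9]+$", "", base)   # "password123!" -> "password123"
    yield no_punct
    yield re.sub(r"[0-9]+$", "", no_punct)         # "password123"  -> "password"
    yield base.replace(" ", "")                     # "correct horse ..." -> "correcthorse..."


def update_blocklist(new_entries, blocklist=BLOCKLIST):
    """Merge entries (e.g. from a breach feed) into the live list; returns the count added."""
    before = len(blocklist)
    blocklist.update(e.lower().strip() for e in new_entries if e.strip())
    return len(blocklist) - before


def check_password(password: str, blocklist=BLOCKLIST):
    """Return a list of violation codes; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if len(password) > MAX_LENGTH:
        problems.append("too_long")
    if any(ch not in PRINTABLE for ch in password):
        problems.append("nonprintable")
    if any(form in blocklist for form in candidate_forms(password)):
        problems.append("blocklisted")
    return problems


def strength_hints(password: str):
    """Feedback an interactive tool would show while the user types."""
    hints = []
    words = [w for w in password.split(" ") if w]
    if len(password) < 20:
        hints.append("longer is better: a passphrase of several unrelated words is easy to remember")
    if len(words) < 3 and len(password) < 24:
        hints.append("consider separating several words with spaces")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 2 and len(password) < 24:
        hints.append("mix letter case, digits or symbols, or make it much longer")
    return hints


if __name__ == "__main__":
    for candidate in ("Password123!", "Correct Horse Battery Staple",
                      "teal kettle / 47 orbits!"):
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}; "
              f"hints: {strength_hints(candidate) or 'none'}")
```

The normalised forms matter: a list that only matched exact strings would let "Password123!" through even though "password" is on it, and a check that rejected spaces would defeat the passphrase requirement. Matching is done on whole normalised forms rather than substrings so that a long passphrase is not rejected merely because it contains a common word.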
Verify the Mainframe Product is configured to implement a local cache of revocation data to support path discovery and validation. If the Mainframe Product is not configured to implement a local cache of revocation data to support path discovery and validation, this is a finding.
Configure the Mainframe Product to implement a local cache of revocation data to support path discovery and validation.
Verify the Mainframe Product is configured to protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the system by logically separated communications paths. If the Mainframe Product is not configured to protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the system by logically separated communications paths, this is a finding.
Configure the Mainframe Product to protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the system by logically separated communications paths.
Verify the Mainframe Product is configured to include only approved trust anchors in trust stores or certificate stores managed by the organization. If the Mainframe Product is not configured to include only approved trust anchors in trust stores or certificate stores managed by the organization, this is a finding.
Configure the Mainframe Product to include only approved trust anchors in trust stores or certificate stores managed by the organization.
Verify the Mainframe Product is configured to provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store. If the Mainframe Product is not configured to provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store, this is a finding.
Configure the Mainframe Product to provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store.
Verify the Mainframe Product is configured to synchronize system clocks within and between systems or system components. If the Mainframe Product is not configured to synchronize system clocks within and between systems or system components, this is a finding.
Configure the Mainframe Product to synchronize system clocks within and between systems or system components.
Verify the Mainframe Product is configured to compare the internal system clocks on an organization-defined frequency with an organization-defined authoritative time source. If the Mainframe Product is not configured to compare the internal system clocks on an organization-defined frequency with an organization-defined authoritative time source, this is a finding.
Configure the Mainframe Product to compare the internal system clocks on an organization-defined frequency with an organization-defined authoritative time source.