STIGQter: STIG Summary: z/OS IBM CICS Transaction Server for TSS STIG Version: 6 Release: 6 Benchmark Date: 24 Apr 2020:

Control options for the Top Secret CICS facilities must meet minimum requirements.

DISA Rule

SV-8032r4_rule

Vulnerability Number

V-7555

Group Title

ZCICT050

Rule Version

ZCICT050

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Review the TSS control option values for all CICS facilities.
Ensure the following items are in effect for each CICS region’s facility:

1) The TSS CICS facility is defined with the control option values specified in table - "TOP SECRET INITIALIZATION PARAMETERS FOR CICS REGION" , in the zOS STIG Addendum. Note: An exception is MRO CICS regions in production will use SIGN(M) appropriately.
2) XUSER=YES must be coded in each CICS facility.
3) CICS transactions defined in the BYPASS list are not sensitive transactions.

Check Contents

a) Refer to the following report produced by the z/OS Data Collection:

- EXAM.RPT(CICSPROC)

Refer to the following reports produced by the TSS Data Collection:

- TSSCMDS.RPT(FACLIST) - Preferred report containing all control option values in effect including default values
- TSSCMDS.RPT(TSSPRMFL) - Alternate report containing only control option values explicitly coded at TSS startup

Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.

b) Ensure the following items are in effect for each CICS region’s facility:

1) The TSS CICS facility is defined with the control option values specified in the TOP SECRET INITIALIZATION PARAMETERS FOR CICS REGION Table in the z/OS STIG Addendum .

Note: An exception to the STIG is MRO CICS regions in production will use SIGN(M) appropriately.

2) XUSER=YES must be coded in each CICS facility.
3) CICS transactions defined in the BYPASS list are not sensitive transactions.

c) If the items in (b) are true for all CICS region’s facility, there is NO FINDING.

d) If any item in (b) is untrue for a CICS region’s facility, this is a FINDING.

Vulnerability Number

V-7555

Documentable

False

Rule Version

ZCICT050

Severity Override Guidance

a) Refer to the following report produced by the z/OS Data Collection:

- EXAM.RPT(CICSPROC)

Refer to the following reports produced by the TSS Data Collection:

- TSSCMDS.RPT(FACLIST) - Preferred report containing all control option values in effect including default values
- TSSCMDS.RPT(TSSPRMFL) - Alternate report containing only control option values explicitly coded at TSS startup

Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010.

b) Ensure the following items are in effect for each CICS region’s facility:

1) The TSS CICS facility is defined with the control option values specified in the TOP SECRET INITIALIZATION PARAMETERS FOR CICS REGION Table in the z/OS STIG Addendum .

Note: An exception to the STIG is MRO CICS regions in production will use SIGN(M) appropriately.

2) XUSER=YES must be coded in each CICS facility.
3) CICS transactions defined in the BYPASS list are not sensitive transactions.

c) If the items in (b) are true for all CICS region’s facility, there is NO FINDING.

d) If any item in (b) is untrue for a CICS region’s facility, this is a FINDING.

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

199

Comments