UCF STIG Viewer Logo

The number of CA-TSS control ACIDs must be justified and properly assigned.


Overview

Finding ID Version Rule ID IA Controls Severity
V-223937 TSS0-ES-000640 SV-223937r856090_rule Medium
Description
Configuring the operating system to implement organization-wide security implementation guides and security checklists ensures compliance with federal standards and establishes a common security baseline across DoD that reflects the most restrictive security posture consistent with operational requirements. Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the system that affect the security posture and/or functionality of the system. Security-related parameters are those parameters impacting the security state of the system, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: registry settings; account, file, directory permission settings; and settings for functions, ports, protocols, services, and remote connections.
STIG Date
IBM z/OS TSS Security Technical Implementation Guide 2022-09-19

Details

Check Text ( C-25610r516210_chk )
From the ISPF Command Shell enter:
TSS LIST(ACIDS) TYPE(SCA) DATA(BASIC)

If the persons listed agree with the site security plan this is not a finding.
Fix Text (F-25598r516211_fix)
Review all security administrator ACIDs. Evaluate the impact of correcting the deficiency. Develop a plan of action and reduce the number of control ACIDs if not justified. Use information below as guidance.

TYPE=CENTRAL, TYPE=MASTER or also known as "SCA" and "MSCA" level of ACIDS will adhere to the following restrictions based upon documented role/function an individual performs:

-Domain level Information System Security Officer (ISSO) – full administrative authorities and access rights needed to perform required and documented role/responsibilities/function.
-Assistance Domain Level Information System Security Officer or "backup" or ISSO (up to same access as 1).
-DISA SRR Auditor, DoD IG Auditor, SAS70 Auditor – only "view" administrative authorities must be granted and only for those roles/functions that have been formally documented as DISA, DoD IG or SAS70 Auditors and approved by the DISA AO for those position/functions/roles.

Exception: Until scoping is worked out and resolved, DISA OST team members may be defined as TYPE=CENTRAL with limited authority such as ACID(INFO,MAINTAIN). All OST Team member ACIDS will be changed to TYPE=LIMITED and scoped accordingly to allow password resets upon verification of users, yet to limit and eliminate any potential risk associated with resetting of MSCA or other SCA level accounts. NO Other exceptions will exist.