IBM z/VM tapes must use Tape Encryption.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-237928	IBMZ-VM-000750	SV-237928r649624_rule		Medium

Description
Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system. Guest operating systems, such as CMS, that are not capable of enabling the hardware encryption available with the 3592 Model E05 tape drive are able to use z/VM facilities that enable the encryption on behalf of the guest. Guest operating systems that do support tape encryption, such as z/OS with proper service, will be able to do so without interference from z/VM.

Description

Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system. Guest operating systems, such as CMS, that are not capable of enabling the hardware encryption available with the 3592 Model E05 tape drive are able to use z/VM facilities that enable the encryption on behalf of the guest. Guest operating systems that do support tape encryption, such as z/OS with proper service, will be able to do so without interference from z/VM.

STIG	Date
IBM zVM Using CA VM:Secure Security Technical Implementation Guide	2021-06-16

Details

Check Text ( C-41138r649622_chk )
Verify Tape Encryption is in use. For IBM drives issue the following command: Class B: QUERY TAPES DETAIL or Class G: QUERY VIRTUAL TAPES If resulting text includes “ACTIVE KEY LABELS”, this is not a finding. Regardless of the drive type if there is no encryption available, this is a finding.

Fix Text (F-41097r649623_fix)
Consult CP Administration manual for procedures to set up IBM Device Encryption. For any other drive type consult manufacturer for encryption procedures.