NIST FIPS-validated cryptography must be used to protect passwords in the security database.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-65647 | ACF0395 | SV-80137r2_rule | High |
| Description |
|---|
| Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. Cryptographic modules must adhere to the higher standards approved by the federal government since this provides assurance they have been tested and validated. |
| STIG | Date |
|---|---|
| z/OS ACF2 STIG | 2017-06-26 |
Details
| Check Text ( C-67759r3_chk ) |
|---|
| Refer to the following report produced by the ACF2 Data Collection: - ACF2CMDS.RPT(ACFGSO) Automated Analysis Refer to the following report produced by the ACF2 Data Collection: - PDI(ACF0395) If the "GSO PSWD" record option "PSWDENCT" is set to "XDES" or null, this is a finding. For CA-ACF2 R16 and above: If the "GSO PSWD" record option "PSWDENCT" is set to "AES2" and option "NOONEPWALG" is specified, this is a finding. |
| Fix Text (F-73271r2_fix) |
|---|
| Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified below: Configure the "GSO PSWD" record option "PSWDENCT" to "AES1". For CA-ACF2 Release16 and above: Configure "GSO PSWD" record option "PSWDENCT" to "AES1" or "AES2". Configure the "GSO PSWD" to "ONEPWALG" NOTE: Use caution when specifying "ONEPWALG". Consult the CA-ACF2 administration guide for converting to "AES1" or "AES2" and using "ONEPWALG". |