UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The review of AC=1 modules in APF authorized libraries must be reviewed annually and documentation verifying the modules integrity must be available.


Overview

Finding ID Version Rule ID IA Controls Severity
V-86 AAMV0060 SV-86r4_rule Medium
Description
The review of AC=1 modules that reside in APF authorized libraries must be reviewed annually. The IAO will maintain documentation identifying the integrity and justification of Vendor APF authorized libraries. For non-vendor APF authorized libraries, the source and documentation identifying the integrity and justification that describes the AC=1 module process will be maintained by the IAO. Sites have undocumented and/or unauthorized AC=1 modules have a possible risk to the confidentiality, integrity, and availability of the system and present a clear risk to the operating system, ACP, and customer data.
STIG Date
z/OS ACF2 STIG 2018-10-04

Details

Check Text ( C-3898r4_chk )
Refer to the following reports produced by the z/OS Data Collection:

- EXAM.RPT(APFXRPT)

Automated Analysis requires Additional Analysis.
Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(AAMV0060)

Verify that AC=1 modules identified in the APF Authorized data sets specified in EXAM.RPT(APFXRPT) have documentation and/or source code. If the following guidance is true, this is not a finding.

___ Documentation for Vendor APF Authorized libraries identifying the integrity and justification are maintained by the IAO.

___ Documentation and source code for non-vendor AC=1 modules in APF Authorized libraries identifying the integrity and justification are maintained by the IAO.

___ Review of all Vendor and non-vendor AC=1 modules in APF Authorized libraries will be reviewed on an annual basis.

Fix Text (F-6653r2_fix)
The IAO working with the systems programmer will ensure that documentation and/or source code are available for AC=1 modules that reside in the APF Authorized libraries.

Documentation for Vendor APF Authorized libraries identifying the integrity and justification will be available. Examples of this type of documentation can be in the form of product installation guides or product system programming guides.

Documentation and source code for non-vendor AC=1 modules in APF Authorized libraries identifying the integrity and justification will be available.

A review of the above documentation and/or source will be performed on an annual basis.