An error occurred:

Check: ACF0395

zOS ACF2 STIG: ACF0395 (in versions v6 r43 through v6 r35)

Title

NIST FIPS-validated cryptography must be used to protect passwords in the security database. (Cat I impact)

Discussion

Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to protect data. Cryptographic modules must adhere to the higher standards approved by the federal government since this provides assurance they have been tested and validated.

Check Content

From an ACF command screen enter SET CONTROL(GSO) LIST PSWD SET MSYSID(-) LIST PSWD Alternately: Refer to the following report produced by the ACF2 Data Collection: - ACF2CMDS.RPT(ACFGSO) Automated Analysis: Refer to the following report produced by the ACF2 Data Collection: - PDI(ACF0395) If the "GSO PSWD" record option "PSWDENCT" is set to "XDES" or null, this is a finding. For CA-ACF2 R16 and above: If option "NOONEPWALG" is specified, and there is no transition plan with a definite completion date filed with the ISSM, this is a finding.

Fix Text

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified below: Configure the "GSO PSWD" record option "PSWDENCT" to "AES1". For CA-ACF2 Release16 and above: Configure "GSO PSWD" record option "PSWDENCT" to "AES1" or "AES2". Configure the "GSO PSWD" to "ONEPWALG" Note: If you are using VM Database Synchronization you cannot use “ONEPWALG”. VM does not support the AES algorithms. Develop a transition plan with a definite completion date for z/VM; file with the ISSM. If all systems that are sharing the logonid or infostorage databases are not running with the same “PSWDENCT” value you cannot use “ONEPWALG”. Develop a transition plan that contains a definite completion date to migrate all logonid and infostorage databases to one “PSWDENCT” value; file with the ISSM. Consult the CA-ACF2 administration guide for converting to "AES1" or "AES2" and using "ONEPWALG".

Additional Identifiers

Rule ID: SV-80137r3_rule

Vulnerability ID: V-65647

Group Title: ACF0395

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-002450

The information system implements organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SC-13

Cryptographic Protection