z/OS IBM CICS Transaction Server for ACF2 STIG Version Comparison

There are 11 differences between versions v6 r8 (April 27, 2023) (the "left" version) and v7 r2 (Oct. 1, 2025) (the "right" version).

Check ZCIC0010 was changed between these two versions. Green, underlined text was added, red, struck-out text was removed.

The regular view of the left check and right check may be easier to read.

Title

CICS system datasets data sets are not properly protected.

Check Content

a) Refer Refer to the following report produced by the dataset Data Set and Resource Data Collection: - Collection: - SENSITVE.RPT(CICSRPT) Since SENSITVE.RPT(CICSRPT). Since it is possible to have multiple CICS regions running on an LPAR, it is recommended to that you go into in to the z/OS STIG Addendum and fill out all the information in the "CICS System Systems Programmers Programmer Worksheet" for each CICS region running on your the LPAR. It is recommended to that you save this information for any other CICS vulnerabilities that will require it. b) WRITE it. If the following guidance is true, this is not a finding. WRITE and/or ALLOCATE greater access to CICS system datasets data sets is restricted to systems programming personnel. personnel. c) If (b) is true, there is NO FINDING. d) If (b) is untrue, this is a FINDING.

Discussion

CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Unauthorized access to CICS system datasets data sets (i.e., product, security, and application libraries) could result in the compromise of the confidentiality, integrity, and availability of the CICS region, applications, and customer data.

Fix

Review the access authorizations for CICS system datasets data sets for each region. Ensure they conform to the specifications below: A CICS environment may include several dataset data set types required for operation. Typically they are CICS product libraries, which are usually included in the STEPLIB concatenation but may be found in DD DFHRPL. CICS system datasets data sets that can be identified with DFH DD statements, other product system datasets, data sets, and application program libraries. Restrict alter and update WRITE and/or greater access to CICS program libraries and all system datasets data sets to systems programmers only. Other access must be documented and approved by the ISSO. IAO. The site may determine access to application datasets data sets included in the DD DFHRPL and CICS region startup JCL according to need. Ensure that procedures are established; established, documented, and followed that prevents prevent the introduction of unauthorized or untested application programs into production application systems.