z/OS ACF2 STIG Compliance Checklist

Hard 15 items · 4 hours
testuser Published 1 month ago

This checklist captures essential steps to perform a Security Readiness Review (SRR) and implement the DISA z/OS ACF2 STIG. It’s intended for IT and security staff—system administrators, IA officers, and security managers—who manage IBM z/OS environments.

Source: https://ncp.nist.gov/checklist/287

  1. Download latest z/OS ACF2 STIG and XCCDF from DISA — Grab the Standalone XCCDF and STIG resources from DISA.
  2. Verify STIG version matches organizational baseline — Confirm version (e.g., Y26M01) and record it in inventory.
  3. Identify target systems running IBM z/OS — List hostnames, LPARs, and system IDs to scope the review.
  4. Gather system inventory and configuration files — Collect SMF, ACF2 configs, SYS1 datasets and change logs.
  5. Ensure ACF2 product is installed and versioned — Confirm ACF2 presence and supported release on each target.
  6. Confirm ACF2 integration with z/OS security services — Verify interfaces with LDAP, logging, and system auth services.
  7. Run automated STIG scan using provided XCCDF tools — Use SCAP/XCCDF tools to perform baseline assessment.
  8. Configure scanner with target CPE and credentials — Set the correct CPE name and use service accounts with read access.
  9. Execute scan and save results — Run the scan and export reports (XML/CSV) for review.
  10. Review scan findings and prioritize vulnerabilities — Flag critical/high findings for immediate remediation.
  11. Remediate high-risk findings per STIG guidance — Apply configuration changes following the STIG ruleset.
  12. Document configuration changes and approvals — Record change tickets, approvals, and rollback procedures.
  13. Validate remediations with follow-up scan — Re-scan affected systems to confirm fixes and capture evidence.
  14. Update system baseline and change control records — Incorporate approved configurations into the official baseline.
  15. Schedule regular STIG compliance scans and reviews — Define cadence and owners for ongoing compliance checks.
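Steps 9 and 10 export the scan as XCCDF XML and then flag high findings for immediate remediation. The following added example (not part of the checklist or of any DISA tool) shows that triage on a constructed XCCDF 1.2 TestResult: it lists every rule that is still open, orders them by severity (DISA CAT I/II/III correspond to XCCDF high/medium/low), and pulls out the confirmed high failures. The rule ids, target name and benchmark id are placeholders, not real STIG identifiers.

```python
"""Triage an XCCDF TestResult: open rules by severity, high failures first."""
import xml.etree.ElementTree as ET

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample scan output; ids and target are placeholders, not real STIG values.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_zos_acf2">
  <TestResult id="xccdf_example_testresult_1" end-time="2024-01-01T00:00:00">
    <target>EXAMPLE-LPAR01</target>
    <rule-result idref="xccdf_example_rule_1" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_2" severity="medium"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_3" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_4" severity="low"><result>notchecked</result></rule-result>
  </TestResult>
</Benchmark>
"""

# XCCDF severities; DISA CAT I = high, CAT II = medium, CAT III = low.
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}
# 'fail' is a confirmed finding; the others still need manual review, so they stay open.
OPEN_RESULTS = {"fail", "notchecked", "unknown", "error"}


def open_findings(xml_text):
    """Return (target, [(severity, rule_id, result), ...]) for unresolved rules, highest severity first."""
    root = ET.fromstring(xml_text)
    test_result = root.find(".//x:TestResult", XCCDF_NS)
    target = test_result.findtext("x:target", default="", namespaces=XCCDF_NS)
    findings = []
    for rr in test_result.findall("x:rule-result", XCCDF_NS):
        result = rr.findtext("x:result", default="unknown", namespaces=XCCDF_NS)
        if result in OPEN_RESULTS:
            findings.append((rr.get("severity", "unknown"), rr.get("idref"), result))
    # Sort by severity rank, then rule id, so the report is stable between scans.
    findings.sort(key=lambda f: (SEVERITY_RANK.get(f[0], 99), f[1]))
    return target, findings


def immediate_remediation(findings):
    """Step 10: confirmed high (CAT I) failures are the immediate-remediation set."""
    return [f for f in findings if f[2] == "fail" and f[0] == "high"]


if __name__ == "__main__":
    target, findings = open_findings(SAMPLE_RESULTS)
    print(f"Target: {target}")
    for sev, rule, result in findings:
        print(f"  {sev:7} {result:10} {rule}")
    print("Immediate:", [rule for _, rule, _ in immediate_remediation(findings)])
```

Feed it the XML exported in step 9; the sorted list is the evidence to attach to the change ticket in step 12, and re-running it on the follow-up scan in step 13 should return an empty immediate set.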