
z/OS TSS STIG (Y26M01) SRR Compliance Checklist

Hard 19 items · 2 hours
testuser Published 1 month ago

This checklist guides Information Assurance Managers, system administrators, and systems programmers through a Security Readiness Review (SRR) for IBM z/OS Top Secret using the DISA STIG Y26M01. Use it to verify installation, configuration, auditing, and documentation required for STIG compliance and evidence collection.

Source: https://ncp.nist.gov/checklist/288

  1. Download STIG XCCDF and SRR script resources — Get standalone XCCDFs for z/OS STIG, TSS products, and SRR scripts from DISA.
  2. Verify STIG version equals Y26M01 and record release info — Confirm checklist ID/version matches site policy before testing.
  3. Validate SHA256 checksums for downloaded files — Confirm file integrity before using XCCDF or scripts.
  4. Inventory IBM z/OS systems that run Top Secret — List hostnames, LPARs, system versions, and owners.
  5. Confirm Top Secret product is installed on each target — Verify product IDs, levels, and installation status per system.
  6. Verify Top Secret configuration matches STIG requirements — Compare system settings to STIG controls; document deviations.
  7. Enforce password and session policies per STIG — Check password complexity, expiration, lockout, and idle time.
  8. Disable or remove default and unused accounts — Identify and secure or remove service/default accounts.
  9. Restrict and audit privileged roles and access — Validate separation of duties and approval for privileged IDs.
  10. Disable unnecessary services and network interfaces — Shut down services not required for operation or management.
  11. Implement and verify access control lists and profiles — Ensure authorized profiles and ACLs follow least privilege.
  12. Enable detailed logging and forward logs to SIEM — Configure audit logging and secure forwarding to central SIEM.
  13. Ensure audit trails are retained per DOD policy — Verify retention periods, storage, and tamper protection.
  14. Review recent audit logs for suspicious activity — Search for privilege escalations, failed authentications, and anomalies.
  15. Apply latest security patches to z/OS and Top Secret — Confirm system is at approved patch level and vendor fixes applied.
  16. Verify backup and recovery procedures include security configs — Test restore of Top Secret configs and STIG-related data.
  17. Securely store and rotate cryptographic keys and credentials — Use HSMs/secure vaults and document rotation schedules.
  18. Collect and save SRR evidence and supporting documentation — Capture screenshots, config files, XCCDF results, and notes.
  19. Contact DISA point of contact for STIG support or issues — Use the provided DISA POC for questions or to report noncompliance.