z/OS STIGS – Security Technical Implementation Guides by DISA V8 – current releases as of 25 October 2023

Always review the Revision History document to see what was changed within the DoD STIG. Important to note:

The mainframe software vendor, Broadcom, has been creating their own updated STIG Articles for ACF2, Top Secret (TSS) and many other solutions such as IDMS, Sysview, CA1, Endevor and others.

Mainframe software vendors are the subject mater experts of their solutions, while DISA produces the DoD STIG, DISA’s knowledge is limited and may not be accurate within their STIG articles. Example: Within ACF2, NON-CNCL attribute allows a user to bypass all security controls, DISA’s STIG article (ACF2-ES-000640) rates the ability to bypass security and compromise the system via NON-CNCL as a “severity: CAT II” and the vendor Broadcom has NON-CNCL within ACF2 properly identified as a severity 1 – High.