Broadcom continues to publish STIG articles for standard z/OS Mainframe Cybersecurity controls across their z/OS Mainframe solutions.

  1. Broadcom Top Secret (TSS) STIG Articles: https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-top-secret-for-z-os/16-0/using-stig-articles.html
  2. Broadcom ACF2 STIG Articles: https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-acf2-for-z-os/16-0/using-stig-articles.html
  3. Broadcom Endevor STIG Articles: https://techdocs.broadcom.com/us/en/ca-mainframe-software/devops/ca-endevor-software-change-manager/18-1/using-stig-articles.html
  4. Broadcom OPS/MVS STIG Articles: https://techdocs.broadcom.com/us/en/ca-mainframe-software/automation/ca-ops-mvs-event-management-and-automation/14-0/using-stig-articles.html
  5. Broadcom IDMS STIG Articles: https://techdocs.broadcom.com/us/en/ca-mainframe-software/database-management/ca-idms/19-0/using-stigs.html
  6. Broadcom Cleanup STIG Articles: https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-cleanup/12-1/using-stig-articles.html
  7. Broadcom SYSVIEW STIG Articles: https://techdocs.broadcom.com/us/en/ca-mainframe-software/performance-and-storage/ca-sysview-performance-management/17-0/using-stig-articles.html
  8. Broadcom Common Components and Services (CCS) STIG Articles: https://techdocs.broadcom.com/us/en/ca-mainframe-software/traditional-management/ca-common-services-for-z-os/15-0/using-stig-articles.html
  9. Broadcom AAM STIG Articles: https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-advanced-authentication-mainframe/2-0/using-stig-articles.html
  10. Broadcom Auditor STIG Articles: https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-auditor-for-z-os/12-1/using-stig-articles.html
  11. Broadcom SPOOL STIG Articles: https://techdocs.broadcom.com/us/en/ca-mainframe-software/traditional-management/ca-spool/14-0/using-stig-articles.html
  12. Broadcom CA1 STIG Articles: https://techdocs.broadcom.com/us/en/ca-mainframe-software/performance-and-storage/ca-1-tape-management-system/15-0/using-stig-article-0.html

z/OS STIGS – Security Technical Implementation Guides by DISA V9R4 – current releases as of 7 April 2025

Always review the Revision History document to see what was changed within the DoD STIG. Important to note:

The mainframe software vendor, Broadcom, has been creating their own VENDOR STIG Articles for ACF2, Top Secret (TSS), and many other solutions such as IDMS, Sysview, CA1, Endevor, OPS/MVS, and others.

Mainframe software vendors are the subject matter experts of their solutions, while DISA produces the DoD STIG. DISA’s knowledge is limited and may not be accurate within its STIG articles. Example: within ACF2, the NON-CNCL attribute allows a user to bypass all security controls. DISA’s STIG article (ACF2-ES-000640) rates the ability to bypass security and compromise the system via NON-CNCL as “severity: CAT II”, while the vendor, Broadcom, properly identifies NON-CNCL within ACF2 as a severity 1 – High.

With z/OS also comes z/OS UNIX, also referred to as USS (Unix System Services). On the modern z/OS Mainframe, where many complex groups control Role-Based Access via Role-Based Groups, organizations often use USS ACLs or HFSSEC to secure the files and directories within USS. DISA’s z/OS STIGs have checks for USS file-level permission bits on critical files, but the STIG completely lacks any guidance on how to review and validate the ACLs that also control access to those same critical USS resources. Why is that vital to be aware of? Because ACLs override Unix bit-level security: validating only at the bit level might make you feel secure, but until you validate the ACLs you may not be as safe as you believe.
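To make the point concrete, here is an added audit script (not from the page, DISA or Broadcom) that parses getfacl output for USS files and reports every extended ACL entry (user:NAME or group:NAME, including default entries) that grants permission bits the file's "other" class does not have, i.e. access that a bit-level review of ls -l output would never show. The sample getfacl text, file paths and user IDs are constructed; the entry layout follows the POSIX-style getfacl format that z/OS UNIX produces (assumed here, verify against your own system's output before relying on the parser).

```python
"""Audit z/OS UNIX (USS) ACLs captured from getfacl output.

Reports extended ACL entries whose permissions exceed the 'other' mode
bits, because those grants are invisible to a mode-bit-only STIG check.
Sample data below is constructed and the entry layout is an assumption
about getfacl output on z/OS.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample of what `getfacl -a` might print for two files.
SAMPLE_GETFACL = """\
#file: /etc/profile
#owner: OMVSKERN
#group: OMVSGRP
user::rw-
group::r--
other::r--
user:DEVUSR1:rwx
group:CONTRACT:rw-

#file: /u/prod/batch.jcl
#owner: PRODOWN
#group: PRODGRP
user::rw-
group::r--
other::---
user:AUDITOR:r--
default:user:TEMPUSR:rwx
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perm_to_bits(perm: str) -> int:
    """'rwx' -> 7, 'r--' -> 4, '---' -> 0."""
    return sum(PERM_BITS[c] for c in perm if c in PERM_BITS)


def bits_to_perm(bits: int) -> str:
    """Inverse of perm_to_bits, e.g. 3 -> '-wx'."""
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


@dataclass
class AclBlock:
    path: str
    owner: str = ""
    group: str = ""
    base: Dict[str, int] = field(default_factory=dict)            # user/group/other mode bits
    extended: List[Tuple[str, str, int, bool]] = field(default_factory=list)  # kind, name, bits, is_default


@dataclass
class Finding:
    path: str
    entry: str       # e.g. "user:DEVUSR1"
    granted: str     # permissions in the ACL entry
    hidden: str      # bits not reflected in the 'other' mode bits
    is_default: bool


def parse_getfacl(text: str) -> List[AclBlock]:
    """Parse one or more getfacl blocks separated by blank lines."""
    blocks: List[AclBlock] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#file:"):
            current = AclBlock(path=line.split(":", 1)[1].strip())
            blocks.append(current)
            continue
        if current is None:
            raise ValueError("ACL entry before any #file: header")
        if line.startswith("#owner:"):
            current.owner = line.split(":", 1)[1].strip()
            continue
        if line.startswith("#group:"):
            current.group = line.split(":", 1)[1].strip()
            continue
        # z/OS prints directory-default and file-default entries with a prefix (assumed).
        is_default = False
        for prefix in ("default:", "fdefault:"):
            if line.startswith(prefix):
                is_default, line = True, line[len(prefix):]
        kind, name, perm = line.split(":", 2)
        bits = perm_to_bits(perm)
        if name == "":                      # user::, group::, other:: are the mode bits
            if not is_default:
                current.base[kind] = bits
        else:                               # named user/group entries are the extended ACL
            current.extended.append((kind, name, bits, is_default))
    return blocks


def audit(blocks: List[AclBlock]) -> List[Finding]:
    """Flag extended entries granting bits beyond what 'other' already allows."""
    findings: List[Finding] = []
    for b in blocks:
        other = b.base.get("other", 0)
        for kind, name, bits, is_default in b.extended:
            hidden = bits & ~other
            if hidden:
                findings.append(Finding(b.path, f"{kind}:{name}", bits_to_perm(bits),
                                        bits_to_perm(hidden), is_default))
    return findings


if __name__ == "__main__":
    for f in audit(parse_getfacl(SAMPLE_GETFACL)):
        tag = " (default ACL)" if f.is_default else ""
        print(f"{f.path}: {f.entry} grants {f.granted}, hidden from mode bits: {f.hidden}{tag}")
```

On a real system, feed the script the captured output of getfacl over the critical paths the STIG already names; every finding is an ACL grant to review alongside the mode-bit check, and default entries deserve particular attention because they propagate to files created later.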

Another gap within DISA’s z/OS STIG is the lack of a requirement for XFACILITY STGADMIN.** resource protection. For more on XFACILITY and STGADMIN.IGG.DELAUDIT.catalog_name see: https://www.ibm.com/docs/en/zos/3.1.0?topic=ccfrpifcxc-storage-administration-stgadmin-profiles-in-facility-class-xfacilit-class


z/OS STIGS – Security Technical Implementation Guides by DISA V8 – current releases as of 25 October 2023

Always review the Revision History document to see what was changed within the DoD STIG. Important to note:

The mainframe software vendor, Broadcom, has been creating their own updated STIG Articles for ACF2, Top Secret (TSS) and many other solutions such as IDMS, Sysview, CA1, Endevor and others.

Mainframe software vendors are the subject matter experts of their solutions. While DISA produces the DoD STIG, DISA’s knowledge is limited and may not be accurate within its STIG articles. Example: within ACF2, the NON-CNCL attribute allows a user to bypass all security controls. DISA’s STIG article (ACF2-ES-000640) rates the ability to bypass security and compromise the system via NON-CNCL as “severity: CAT II”, while the vendor, Broadcom, properly identifies NON-CNCL within ACF2 as a severity 1 – High.

z/OS Vendor CA Endevor STIG for ACF2, RACF and Top Secret (TSS)

Broadcom has published their own Vendor Product STIG for CA Endevor for z/OS, describing how to properly secure Endevor using ACF2, RACF or TSS on the z/OS Mainframe. STIG Articles provide documented z/OS Mainframe Security Controls to help you move forward in securing your mainframes.

The Broadcom Vendor Endevor STIG using ACF2, RACF or TSS on z/OS can be found at: https://techdocs.broadcom.com/us/en/ca-mainframe-software/devops/ca-endevor-software-change-manager/18-1/using-stig-articles.html

z/OS Vendor Common Components and Services or CCS STIG for ACF2, RACF and Top Secret (TSS)

Broadcom has published their own Vendor Product STIG for CA Common Components and Services or CCS for z/OS, describing how to properly secure CCS using ACF2, RACF or TSS on the z/OS Mainframe. STIG Articles provide documented z/OS Mainframe Security Controls to help you move forward in securing your mainframes.

The Broadcom Vendor CCS STIG using ACF2, RACF or TSS on z/OS can be found at: https://techdocs.broadcom.com/us/en/ca-mainframe-software/traditional-management/ca-common-services-for-z-os/15-0/using-stig-articles.html

z/OS Vendor OPS/MVS STIG for ACF2, RACF and Top Secret (TSS)

Broadcom has published their own Vendor Product STIG for CA OPS/MVS for z/OS, describing how to properly secure OPS/MVS using ACF2, RACF or TSS on the z/OS Mainframe. STIG Articles provide documented z/OS Mainframe Security Controls to help you move forward in securing your mainframes.

The Broadcom Vendor OPS/MVS STIG using ACF2, RACF or TSS on z/OS can be found at: https://techdocs.broadcom.com/us/en/ca-mainframe-software/automation/ca-ops-mvs-event-management-and-automation/14-0/using-stig-articles.html