IBM Support

IBM zSecure 3.2 Compliance Standards (September 2025)

News


Abstract

This document provides an overview of the compliance standards available in zSecure 3.2 on September 30, 2025.
Automation is added for the new DISA controls in z/OS STIG 9.05, for z/OS DISA STIG controls that existed but were previously not supported, for an IBM zSecure for ACF2 STIG control, for CIS IBM z/OS RACF Benchmark controls, and for CIS IBM Db2 for z/OS Benchmark controls. One Db2 control is now also automated for ACF2, and the CARLa member that stores that control is renamed from CKAHD213 to C2RHD213.

Content

Summary of changes since zSecure 3.1 (July 2025)
  • The following versions were updated (the version is listed per external security manager: RACF, ACF2, Top Secret):

    IBM z/OS RACF STIG: 9.05 (RACF)
    IBM z/OS ACF2 STIG: 9.05 (ACF2)
    IBM z/OS TSS STIG: 9.05 (Top Secret)
    z/OS IBM Communications Server Simple Mail Transfer Protocol (CSSMTP) STIG: 7.01 (RACF), 7.01 (ACF2), 7.01 (Top Secret)
    z/OS IBM Health Checker STIG: 7.01 (RACF), 7.01 (ACF2), 7.01 (Top Secret)
    z/OS IBM MQ STIG: 7.02
  • Automation for the following DISA controls introduced in z/OS STIG 9.05 is added:

    RACF-IC-000060: ICSF resource class(es) must be active in accordance with security requirements.
    ACF2-IC-000050: ICSF resource class(es) must be defined to the ACF2 GSO CLASMAP record in accordance with security requirements.
    RACF-ZO-000010, ACF2-ZO-000010: z/OSMF resource class(es) must be active in accordance with security requirements.

  • Automation for the following existing but previously not supported z/OS DISA STIG controls is added:

    RACF-SH-000060, ACF2-OS-000330, TSS0-ES-000100: IBM z/OS for PKI-based authentication must use the ICSF or ESM for key management.
    RACF-OS-000240, ACF2-OS-000240, TSS0-OS-000100: The IBM z/OS Policy Agent must be configured to deny-all, allow-by-exception firewall policy for allowing connections to other systems.
    RACF-OS-000370, ACF2-OS-000370, TSS0-OS-000150: The IBM z/OS Policy Agent must contain a policy that manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of Denial of Service (DoS) attacks.
    RACF-OS-000140, ACF2-OS-000110, TSS0-OS-000240: IBM z/OS SMF collection files (system MANx data sets or LOGSTREAM DASD) must have storage capacity to store at least one week of audit data.
    RACF-OS-000360, ACF2-OS-000360, TSS0-OS-000300: The IBM z/OS Policy Agent must contain a policy that protects against or limits the effects of Denial of Service (DoS) attacks by ensuring IBM z/OS is implementing rate-limiting measures on impacted network interfaces.
    RACF-OS-000320, ACF2-OS-000340, TSS0-OS-000320: The IBM z/OS systems requiring data-at-rest protection must properly employ IBM DS8880 or equivalent hardware solutions for full disk encryption.
    RACF-SM-000040: IBM z/OS DFSMS resources must be protected in accordance with the proper security requirements.
    ACF2-US-000040: IBM z/OS UNIX resources must be protected in accordance with security requirements.
    RACF-US-000070: IBM z/OS UNIX resources must be protected in accordance with security requirements.
  • Automation for the following IBM zSecure for ACF2 STIG control is added:

    ZSEC-00-000100: Started tasks for IBM zSecure products must be properly defined.
  • Automation for the following CIS IBM z/OS RACF Benchmark controls is added:

    CIS-OS-6.2.3: Ensure FTP.DATA configuration statements enforce secure configuration.
    CIS-OS-6.4.2: Ensure Syslog daemon is secured.
    CIS-OS-6.5.4: Ensure PROFILE.TCPIP configuration statements for the TCP/IP stack are defined.
    CIS-OS-6.5.8: Ensure started tasks for the base TCP/IP component are defined securely in RACF.
    CIS-OS-6.6.1: Ensure configuration statements for the TN3270E Telnet server are configured.
    CIS-OS-9.1: Ensure that z/OS UNIX SURROGAT resources are protected.
  • Automation for the following CIS IBM Db2 for z/OS Benchmark controls is added:

    CIS-DB2-2.1.6: Secure connections by using trusted contexts.
    CIS-DB2-2.1.7: Secure object ownership by using Db2 roles.
    CIS-DB2-3.1.5: Enable auditing of system administrator access.
    CIS-DB2-3.1.6: Enable auditing of database administrator access.
  • Automation for the following Db2 control is added for ACF2, and the CARLa member that stores the control is renamed from CKAHD213 to C2RHD213:

    CIS-DB2-2.1.3: Secure access by using IBM Z Multi-Factor Authentication (MFA).
The updates are indicated by revision bars in the left margin of the PDF file for this version: zSecure 320 Compliance Standards (September 2025).


Document Information

Modified date:
30 September 2025

UID

ibm17243403