STIG ID - BACF1014: Approve Requirements of System Programs

Severity
: 2 - Medium
Many vendor products and applications require or provide operating system exits, SVCs, I/O appendages, special program properties table (PPT) privileges, and APF-authorization. Without proper review and approval of these system programs, the integrity and availability of the operating system, extended security manager (ESM), and customer data are subject to compromise.
Your organization must ensure any new system software or major upgrade of software that performs actions identified in this STIG article has been reviewed and approved by your organization based upon the organizational documented acceptance. Some organizations have more stringent requirements such as ensuring software is approved by the Common Criteria and National Information Assurance Partnership (NIAP) and meets validation requirements specified in the CNSSP No. 11. If your organization requires NIAP certification prior to organizational approval, ensure you follow those requirements in addition to the requirements provided in this STIG article.
This STIG article shows how to ensure any new system software or major upgrade of software has been reviewed and approved by your organization based upon the organizational documented acceptance.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps
:
  1. If your organization requires NIAP Certification and CNSSP No. 11 requirements for any new system software or major software upgrade that performs the items listed in step 2, ensure your approval and documentation for software installations and upgrades include documentation concerning NIAP and CNSSP No. 11.
  2. Ensure any new system software or major software upgrade that performs the following actions has been reviewed and received approval from your organization:
    • Runs authorized or with special privileges so it can use z/OS facilities restricted to authorized programs.
    • Requires the use of a new Supervisor Call routine (SVC), Program Call routine (PC), installation exit routine, or I/O appendage routine.
    • Modifies MVS.
    • Requires the use of the Authorized Program Facility (APF).
    • Requires that the name of the program be placed in the MVS Program Properties Table (PPT).
    • Runs in Supervisor State.
    • Runs with a program status word (PSW) protection key between 0 through 7.
    • Runs with a userid that has special security privileges within the ACP.
  3. If the acquisition of any new IA and IA-enabled Commercial-Off-the-Shelf (COTS) products or any major upgrade meets requirements listed in step 2
    and
    your organization has reviewed to ensure all requirements have been met and approved,
    your organization does not have an audit finding
    .
  4. If all locally developed extensions to the operating system environment have been reviewed by the site's system programmer to assure that all organizational requirements have been met, reviewed, and formal approval is on file,
    your organization does not have an audit finding
    .
  5. If any requirements listed in items 3 and 4 are not in place,
    your organization has an audit finding
    . See Remediate Audit Finding.
Remediate Audit Finding
Any new IA and IA-enabled COTS products or major upgrades not meeting the requirements set forth in the Identify Audit Finding section
must not be installed or upgraded
.
Control Correlation Identifier (CCI)
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG.  For more information, see the National Institute of Standards and Technology website.
CCIs
: CCI-000271, CCI-000633, CCI-000634, CCI-001806
CCI
:
CCI-000271
Published Date
:
2009-09-15
Definition
:
The organization ensures the authorizing official authorizes the information system for processing before commencing operations.
Type
:
policy
References
:
NIST: NIST SP 800-53 (v3): CP-6 b
NIST: NIST SP 800-53 Revision 4 (v4): CP-6 b
NIST: NIST SP 800-53A (v1): CP-6.1 (ii)
CCI
:
CCI-000633
Published Date
:
2009-09-21
Definition
:
The organization ensures that government off-the-shelf (GOTS) or commercial-off-the-shelf(COTS) information assurance (IA) and IA-enabled information technology products have been evaluated and/or validated by the NSA or in accordance with NSA-approved procedures.
Type
:
policy
References
:
NIST: NIST SP 800-53 (v3): SA-4 (6) (b)
NIST: NIST SP 800-53 Revision 4 (v4): SA-4 (6) (b)
NIST: NIST SP 800-53A (v1): SA-4 (6).1 (ii)
CCI
:
CCI-000634
Published Date
:
2009-09-21
Definition
:
The organization limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists.
Type
:
policy
Reference
:
NIST: NIST SP 800-53 (v3): SA-4 (7) (a)
NIST: NIST SP 800-53 Revision 4 (v4): SA-4 (7) (a)
NIST: NIST SP 800-53A (v1): SA-4 (7).1 (i)
CCI
:
CCI-001806
Published Date
:
2013-03-01
Definition
:
The organization defines methods to be employed to enforce the software installation policies.
Type
:
policy
References
NIST: NIST SP 800-53 Revision 4 (v4): CM-11 b