STIG ID - BACF1001: Unsupported System Software Installed and Active on System

Severity: 1 - Medium
When support for system software is discontinued, the vendor no longer maintains security vulnerability patches for that software. Without those patches, it is difficult to verify that your system does not contain code that could violate the integrity of the operating system environment.
This STIG article shows how to ensure that unsupported system software for products meeting the criteria in this article is removed or upgraded before the vendor drops support.
The organization will ensure that all software identified in Step 1 below is current and supported by the vendor of that software.
Software with APF modules or libraries that is no longer supported by the vendor is a Severity 1 vulnerability. The recommendation is to complete review and actions within 6 months: mitigate the risk, implement a supported solution, or obtain a formal letter accepting the risk.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
  1. Identify system software that meets the following criteria:
    • Software that uses authorized and restricted z/OS interfaces through Authorized Program Facility (APF) authorized modules or libraries.
    • Software that requires access to system data sets or sensitive information, or requires special or privileged authority to run.
  2. Verify the vendor's support life cycle information for the currently supported versions and releases of the software identified in Step 1.
  3. Verify that the currently supported versions and releases of the software are included in your organization's documentation for supported system software.
  4. If the identified system software currently running is at a version greater than or equal to the software listed in the vendor's support life cycle information, your organization does not have an audit finding.
  5. If the software currently running on a system is no longer supported, your organization has an audit finding. See Remediate Audit Finding.
Remediate Audit Finding
The Information System Security Officer (ISSO), working together with the responsible system programming staff, will ensure that unsupported system software is removed or upgraded before the vendor drops support.
Follow these steps:
  1. Mitigate the risk, identify a supported solution, or obtain a formal letter accepting the risk or software within 6 months of identifying that the software is not supported.
  2. Add the current supported versions and releases of the products to your organization's documentation.
Verifying the supported state of your system software and performing remediation steps is essential to keeping your organization’s system safe from vulnerabilities.
Control Correlation Identifier (CCI)
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-001764, CCI-001765

CCI: CCI-001764
Published Date: 2013-02-28
Definition: The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.
Type: technical
References: NIST: NIST SP 800-53 Revision 4 (v4): CM-7 (2)

CCI: CCI-001765
Published Date: 2013-02-28
Definition: The organization defines the software programs not authorized to execute on the information system.
Type: policy
References: NIST: NIST SP 800-53 Revision 4 (v4): CM-7 (4) (a)