CICS system datasets are not properly protected.

Severity: medium
Group ID: V-224302
Group Title: SRG-OS-000259
Version: ZCIC0010
Rule ID: SV-224302r1141375_rule
Date: 2025-09-23
STIG Version: 7
Description
CICS is a transaction-processing product that provides programmers with the facilities to develop interactive applications. Unauthorized access to CICS system datasets (i.e., product, security, and application libraries) could result in the compromise of the confidentiality, integrity, and availability of the CICS region, applications, and customer data.
ℹ️ Check
Refer to the following report produced by the Dataset and Resource Data Collection:

- SENSITVE.RPT(CICSRPT)

Since it is possible to have multiple CICS regions running on an LPAR, it is recommended to go into the z/OS STIG Addendum and fill out all the information in the "CICS Systems Programmer Worksheet" for each CICS region running on the LPAR. It is recommended to save this information for any other CICS vulnerabilities that will require it.

If the following guidance is true, this is not a finding:

WRITE and/or greater access to CICS system datasets is restricted to systems programming personnel.
✔️ Fix
Review the access authorizations for CICS system datasets for each region. Ensure they conform to the specifications below:

A CICS environment may include several dataset types required for operation. Typically they are:

- CICS product libraries, which are usually included in the STEPLIB concatenation but may be found in DD DFHRPL
- CICS system datasets, which can be identified by DFH DD statements
- other product system datasets
- application program libraries

Restrict WRITE and/or greater access to CICS program libraries and all system datasets to systems programmers only. Other access must be documented and approved by the ISSO.

The site may determine access to application datasets included in the DD DFHRPL and CICS region startup JCL according to need.

Ensure that procedures are established, documented, and followed that prevent the introduction of unauthorized or untested application programs into production application systems.
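The Check and Fix sections above reduce to one test: every grant of WRITE-or-greater access on a CICS system dataset must belong to a systems programming ID or be a documented, ISSO-approved exception. The script below is an added example, not part of the STIG or of any DISA tooling, that applies that test to an access list. Its input format is constructed and does not reproduce the real SENSITVE.RPT(CICSRPT) layout; the dataset qualifiers, user/group IDs, the SYSPROG group, and the ISSO exception list are all invented. It also assumes that the STIG's "WRITE and/or greater" corresponds to RACF UPDATE or higher, and it treats a universal-access entry (`*`) like any other principal, so a dataset open to UPDATE for everyone is flagged.

```python
"""Added example (not part of the STIG): flag WRITE-or-greater access to CICS
system datasets held by anyone outside the systems programming group.
Input format, dataset names and IDs are constructed; the real
SENSITVE.RPT(CICSRPT) report layout is not reproduced here."""

from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# RACF dataset access levels, least to most privileged.
ACCESS_ORDER = ("NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER")
# Assumption: the STIG's "WRITE and/or greater" maps to RACF UPDATE or higher.
WRITE_THRESHOLD = "UPDATE"


@dataclass(frozen=True)
class Finding:
    dataset: str
    principal: str  # user ID, group ID, or "*" for universal access
    access: str


def access_rank(level: str) -> int:
    """Position of an access level in the RACF hierarchy (higher = more privilege)."""
    return ACCESS_ORDER.index(level.upper())


def parse_access_list(text: str) -> List[Tuple[str, str, str]]:
    """Parse constructed lines of the form '<dataset> <id> <access>'.
    Blank lines and '#' comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        dataset, principal, access = line.split()
        entries.append((dataset.upper(), principal.upper(), access.upper()))
    return entries


def find_excess_write_access(
    entries: Iterable[Tuple[str, str, str]],
    sysprog_ids: Set[str],
    isso_approved: Set[Tuple[str, str]] = frozenset(),
) -> List[Finding]:
    """Return every grant at or above WRITE_THRESHOLD whose holder is neither a
    systems programming ID nor a (dataset, id) pair on the ISSO exception list."""
    findings = []
    for dataset, principal, access in entries:
        if access_rank(access) < access_rank(WRITE_THRESHOLD):
            continue  # READ/EXECUTE/NONE are outside the scope of this rule
        if principal in sysprog_ids or (dataset, principal) in isso_approved:
            continue  # permitted: systems programmer or documented exception
        findings.append(Finding(dataset, principal, access))
    return findings


# Constructed sample access list. High-level qualifiers and IDs are invented;
# the low-level qualifiers follow common CICS library naming.
SAMPLE_ACCESS_LIST = """
# dataset               id        access
SYS1.CICS.SDFHLOAD      SYSPROG   ALTER
SYS1.CICS.SDFHLOAD      CICSOPER  READ
SYS1.CICS.SDFHLOAD      APPDEV    UPDATE     # developers can update a product library
SYS1.CICS.SDFHAUTH      SYSPROG   ALTER
SYS1.CICS.SDFHAUTH      *         READ       # universal READ is below the threshold
CICS.PROD.DFHCSD        SYSPROG   ALTER
CICS.PROD.DFHCSD        CICSADM   UPDATE     # documented, ISSO-approved exception
CICS.PROD.DFHINTRA      *         UPDATE     # universal UPDATE on a system dataset
"""

SYSPROG_IDS = {"SYSPROG"}                         # constructed group name
ISSO_APPROVED = {("CICS.PROD.DFHCSD", "CICSADM")}  # constructed exception


def run_sample() -> List[Finding]:
    """Apply the check to the constructed sample access list."""
    return find_excess_write_access(
        parse_access_list(SAMPLE_ACCESS_LIST), SYSPROG_IDS, ISSO_APPROVED
    )


if __name__ == "__main__":
    for f in run_sample():
        print(f"FINDING: {f.principal} has {f.access} on {f.dataset}")
```

On the sample, two grants are reported: APPDEV with UPDATE on the product load library and the universal UPDATE on the transient data dataset. The CICSADM grant on DFHCSD is suppressed only because it appears on the exception list, which is the place to record the ISSO approval the Fix text requires; anything not on that list and not held by a systems programming ID is a finding for each region reviewed.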