Sensitive CICS transactions are not protected in accordance with the proper security requirements.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-224312	SRG-OS-000480	ZCICA024	SV-224312r1141402_rule	2025-09-23	7

Description
Sensitive CICS transactions offer the ability to circumvent transaction-level controls for accessing resources under CICS. These transactions must be protected so that only authorized users can access them. Unauthorized use can result in the compromise of the confidentiality, integrity, and availability of the operating system or customer data.

ℹ️ Check
Refer to the following report produced by the z/OS Data Collection: - EXAM.RPT(CICSPROC). Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010. Browse the ACF2/CICS dataset allocated by the ACF2PARM DD statement in the JCL of each CICS procedure. If the following items are in effect for entries specified in the SAFELIST parameter, this is not a finding. Transactions are uniquely identified. Transactions are not masked. Sensitive transactions are not included. Note: For information on transactions that are eligible for exemption from security checking, refer to Category 3 Transactions for CICS TS 3.1 - 5.1 in the z/OS STIG addendum. If the above items are true for all entries specified in the SAFELIST parameter for each CICS region, this is not a finding.

ℹ️ Check

Refer to the following report produced by the z/OS Data Collection: - EXAM.RPT(CICSPROC). Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010. Browse the ACF2/CICS dataset allocated by the ACF2PARM DD statement in the JCL of each CICS procedure. If the following items are in effect for entries specified in the SAFELIST parameter, this is not a finding. Transactions are uniquely identified. Transactions are not masked. Sensitive transactions are not included. Note: For information on transactions that are eligible for exemption from security checking, refer to Category 3 Transactions for CICS TS 3.1 - 5.1 in the z/OS STIG addendum. If the above items are true for all entries specified in the SAFELIST parameter for each CICS region, this is not a finding.

✔️ Fix
The systems programmer and ISSO will ensure the ACF2/CICS parameter SAFELIST are coded with the values specified below. Browse the ACF2/CICS dataset allocated by the ACF2PARM DD statement in the JCL of each CICS procedure. Ensure the following items are in effect for entries specified in the SAFELIST parameter: Transactions are uniquely identified. Transactions are not masked. Sensitive transactions are not included. Note: For information on transactions that are eligible for exemption from security checking, refer to Category 3 Transactions for CICS TS 3.1 - 5.1 in the z/OS STIG addendum.

✔️ Fix

The systems programmer and ISSO will ensure the ACF2/CICS parameter SAFELIST are coded with the values specified below. Browse the ACF2/CICS dataset allocated by the ACF2PARM DD statement in the JCL of each CICS procedure. Ensure the following items are in effect for entries specified in the SAFELIST parameter: Transactions are uniquely identified. Transactions are not masked. Sensitive transactions are not included. Note: For information on transactions that are eligible for exemption from security checking, refer to Category 3 Transactions for CICS TS 3.1 - 5.1 in the z/OS STIG addendum.