Why does Disk need ACF2 authorization for the SYS1.CSSLIB library?

The ACF2 authorization is needed for "Program Pathing" as Disk links to the modules IEANTRT, IEANTDL, and IEANTCR from SYS1.CSSLIB. 

The reason is that the customer is using 'Program Pathing', letting them control access to data by explicitly defining the Program Path that's permitted access to the data. 
This ensures that a Dataset can only be accessed by a certain Program residing in a certain Library. The Program and Library specify the controlled Program Path for access. 
Also in the mix is 'Active Library List', where ACF2 Validates access to a Program-Pathed Dataset and takes special measures to ensure that only the Defined Library and Program combination are used to gain access to the Dataset. 
To ensure this level of integrity, ACF2 maintains a list of Active Libraries, which name all the Libraries from which the executing Program can fetch another Program or Subroutine.