BYPLIST in CICS facility and STIG ID - BTSS0108:


Article ID: 231240


Updated On:

Products

Top Secret

Issue/Introduction

STIG ID BTSS0108 documents how to protect sensitive CICS transactions, so why are some of those transactions in the Top Secret transaction bypass list?

Environment

Release: 16.0

Component: Top Secret for z/OS

Resolution

The bypass list started with CICS 3.1, 30 years ago. Today it supports multiple releases of CICS, and some transactions might have been category 1 in one release and moved to category 2 in another, or the other way around.

We maintain the bypass list for compatibility, and we provide the option to remove it with the BYPLIST(NO) suboption in the CICS facility.

Over the years, IBM has kept changing which transactions should be bypassed and which should be protected. Since Top Secret supports multiple CICS releases, we tried to construct a bypass list that covers all of them. In a perfect world, everyone would be running the latest z/OS and CICS releases, but in reality we have to support multiple releases of both. Fortunately, the bypass list can be modified to meet security requirements.

Our recommendation is to follow the IBM recommendations for the CICS transactions. If IBM recommends that all users may have access to a transaction, you can keep it in the bypass list. If IBM recommends protecting the transaction, remove it from the bypass list and permit it only to the users who should have access. This applies to transactions in any category.

In short, adapt the bypass list to the CICS recommendation for each transaction.

Additional Information

You may find an interesting discussion about these transactions and the bypass list at the following link of the Broadcom security community:

Why are there cat-1 and -2 transactions in our CICS BYPLIST?

Additional information about STIG articles can be found at the following link: