ACF2/CICS PASSPHRASE SIGNON using CESL, but want to remove the ability to change the pass phrase at logon time.
SIGNON NEWPASS=NO was specified but the passphrase was still allowed to be changed at logon time.

Release : 16.0

Component : ACF2 for z/OS

The ACF2 parameter SIGNON NEWPASS=NO is only checked
when ACFAEUSC (or other Broadcom supplied program) is the program processing the CESL request.
DFHSNP does not process this option.
This is documented in the ACF2 documentation  under "SIGNON-Sign-on Control Options"

Note: SIGNON NEWPASS=NO is valid for both password and passphrase