Top Secret

Has anyone run STIGs from the DOD for CA TOP SECRET?  If so, can you provide some helpful hints on how to do it, where to find the scripts, etc.?

I would recommend starting by downloading the DoD z/OS STIG for TSS at:  http://iasecontent.disa.mil/stigs/zip/U_zOS_TSS_V6R32_STIG.zip

I don't believe the scripts are available to the public, however there are a couple companies who are starting to provide Validation Scripts/software as a service of their company.

I am not associated with any of the following, however first two listed companies indicate they have z/OS Vulnerability tools/software based upon the DoD z/OS STIG for CA-TSS:

XlentSoftware.com https://xlentsoftware.com/vulnerability-scans/

IBM z/Secure Audit for TSS http://www-03.ibm.com/software/products/da/zsecure-audit-topsecret

CA - ??  unknown if CA is or is not working on solution.

You may want to inquire with each vendor for a list of STIG Checks that their products validate for your particular Security Software as part of your review of potential solutions.

And yes, I have many years (Over 15+) of hands on experience in implementing z/OS STIG controls for CA-Top Secret managed Mainframes, installing CA-Top Secret software, configuring CA-Top Secret and more.

Semper Fi

Steve Hosie, CISSP-ISSAP, CISM, CRISC, CISA, CGEIT, NSA-IAM, ITIL, CSM

CyberSecurity.Services

Scripts are protected by PKI certificates. I tried by installing DOD certs, but still couldn't download the scripts. I got this, messages coming from the load balancer (F5):

----------------------------------------------