The regulations are from NY state, NYDFS. https://www.dfs.ny.gov/system/files/documents/2023/12/rf23_nycrr_part_500_amend02_20231101.pdf
500.7 Access privileges and management.

500.7(c) Each class A company shall monitor privileged access activity and shall implement:
(1) a privileged access management solution; and
(2) an automated method of blocking commonly used passwords for all accounts on information systems owned or controlled by the class A company and wherever feasible for all other accounts.

To automatically block commonly used passwords, a corpus is necessary. For example, the Cybernews Investigation team was able to collect 15m passwords.* If they can do it, software vendors will see the opportunity here.

It's one option to force all RACF password changes through a single point. However, there are a lot of ways to reach the password change process in MVS, and writing blocks for all of them isn't reasonable.

The ZMFA holds promise, if I can find a software company that has bought/collected the same 15m passwords that Cybernews did. I can route all RACF password changes to the <currently unidentified> software company for validation.

*https://cybernews.com/best-password-managers/most-common-passwords/
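A sketch of the single validation point described in the post, added here as an example and not code from the poster or any vendor: it reduces a common-password corpus to the entries that could actually be set on the system and checks a proposed new password against them. The password syntax (1 to 8 characters from A-Z, 0-9, #, @, $, compared without regard to case), the function names and the sample corpus are assumptions; the corpus lines are constructed.

```python
import re

# Assumed password syntax: 1-8 characters from A-Z, 0-9 and the national
# characters # @ $, compared without regard to case. Change this pattern if
# mixed-case or special-character passwords are enabled on the system.
VALID = re.compile(r"[A-Za-z0-9#@$]{1,8}")

def fold(password):
    """Return the comparison form of a password, or None if it is not settable."""
    if VALID.fullmatch(password) is None:
        return None
    return password.upper()

def build_blocklist(corpus_lines):
    """Reduce a corpus to the entries that could be chosen on this system.

    Returns (blocklist, stats) so the operator can see how much of the
    corpus still applies after folding and filtering.
    """
    blocked = set()
    stats = {"read": 0, "inapplicable": 0, "duplicates": 0}
    for line in corpus_lines:
        stats["read"] += 1
        folded = fold(line.strip())
        if folded is None:
            stats["inapplicable"] += 1   # too long, empty, or illegal characters
        elif folded in blocked:
            stats["duplicates"] += 1     # collapses to an entry already held
        else:
            blocked.add(folded)
    return frozenset(blocked), stats

def check_new_password(candidate, blocked):
    """Decide whether a proposed new password may be set: (allowed, reason)."""
    folded = fold(candidate)
    if folded is None:
        return False, "invalid syntax"
    if folded in blocked:
        return False, "commonly used password"
    return True, "ok"

# Constructed sample corpus, standing in for a multi-million-line file.
SAMPLE_CORPUS = ["123456", "password", "PASSWORD", "qwerty123", "Welcome1",
                 "iloveyou", "p@ssw0rd", "letmein!", ""]

if __name__ == "__main__":
    blocklist, stats = build_blocklist(SAMPLE_CORPUS)
    print(stats)
    for pw in ("welcome1", "P@ssw0rd", "T7#KQ2ZM"):
        print(pw, check_new_password(pw, blocklist))
```

Folding before comparison matters here: a corpus gathered from mixed-case systems shrinks once case is ignored, and a candidate such as "welcome1" must still match the corpus entry "Welcome1".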