Product · Broadcom (CA) ACF2
ACF2 is the Broadcom (CA) external security manager for z/OS, one of the three alongside IBM RACF and Broadcom (CA) Top Secret. Because security software must run wherever protected work runs, its capacity basis tracks the whole protected estate, and Broadcom prices it on MIPS or MSU under a consumption model where the contracted baseline anchors the entire term.
ACF2, known as CA ACF2 and now part of Broadcom, is an external security manager for z/OS, one of the three that dominate the mainframe alongside IBM RACF and Broadcom (CA) Top Secret. It controls authentication and authorization across the estate: who can sign on, what datasets, transactions, and resources they can reach, and how every decision is logged for audit, covering z/OS, CICS, IMS, Db2, and the subsystems around them. ACF2 works through the z/OS System Authorization Facility, the same interface RACF uses, so applications call security the same way regardless of which manager is installed. That common interface is exactly what makes ACF2 and Top Secret credible substitutes for RACF, and it is why the three are usually discussed together. ACF2 is core control plane software: nothing protected runs without it.
ACF2 is licensed on mainframe capacity, historically counted in MIPS and increasingly expressed in MSU, scaled to the machines or LPARs where it runs. Broadcom has moved its mainframe portfolio toward a consumption-oriented model, commonly described as Mainframe Consumption Licensing, in which a contracted capacity baseline is fixed at signature and a True Forward mechanism trues up the charge if measured consumption climbs above that baseline during the term. The model rarely trues down. Because ACF2 is security software that has to run everywhere protected work runs, its capacity basis tends to follow the entire protected estate rather than a single application, which makes the baseline the most consequential number in the contract. Where the baseline sits decides what the next several years cost.
| Attribute | Detail |
|---|---|
| Publisher | Broadcom, former CA Technologies portfolio |
| Category | External security manager (RACF and Top Secret alternative) |
| Platform | z/OS, via System Authorization Facility; option for Db2 |
| Primary metric | MIPS or MSU capacity of the systems it protects |
| Model | Consumption baseline with True Forward escalation |
Directional and pattern level. Confirm the capacity metric, the consumption baseline, and the True Forward terms in your own Broadcom schedules before modeling a renewal.
The first driver is the contracted baseline, because the consumption model prices the term off it and trues forward when consumption exceeds it. The second is estate spread: security must run wherever protected workloads run, so ACF2 naturally tracks the full set of production, development, test, and disaster recovery LPARs, and every one adds to the capacity basis. The third is the MIPS to MSU translation, where restating a legacy MIPS contract into MSU can quietly shift the number if the conversion is not validated. The fourth is the option and component mix, such as the Db2 option, that can sit in the entitlement. Because ACF2 cannot be confined to one corner of the estate the way a niche tool can, its cost is driven by how the whole protected footprint is counted, which is precisely why the baseline deserves the most scrutiny.
ACF2 exposure is mostly capacity drift against the baseline and bundle scope. Common traps we see at pattern level:
Where exposure hides
Because ACF2 is sticky security software priced on a consumption baseline, the levers are about the baseline, the capacity, and the portfolio it sits in. The five that pay:
Buyer side levers
ACF2 has two direct alternatives, IBM RACF and Broadcom (CA) Top Secret, and because all three work through the System Authorization Facility a migration is technically possible. But switching an external security manager is among the heaviest mainframe migrations there is: every rule, profile, and access decision has to be translated and revalidated, audit and compliance evidence has to carry across, and the cutover touches every protected system at once, which is why most estates stay put for years. The credible posture is to keep the switch real enough to matter at the table, costed honestly, while pursuing the saving where it actually sits, in the baseline, the capacity count, and the portfolio negotiation. A migration to RACF or Top Secret is a strategic decision in its own right, not a renewal tactic to be bluffed.
Security that runs everywhere. The baseline is the whole game.