//CICSA JOB ... ,USER=CICSR,PASSWORD=password
PASSWORD=(oldpassword,newpassword)
If you want to avoid specifying the password on the JOB statement, you can allow a surrogate user to submit the CICS job. A surrogate user is a RACF-defined user who is authorized to submit jobs on behalf of another user (the original user), without having to specify the original user's password. Jobs submitted by a surrogate user execute with the identity of the original user. See Surrogate job submission in a CICS environment for more information. The region userid must also have surrogate authority to use the default user; see Surrogate user security.