The certified configuration for the Common Criteria for z/OS V2R2

A Common Criteria (CC) certified system is a system that has been evaluated according to the Common Criteria, an internationally recognized ISO standard (ISO 15408) for the assurance evaluation of IT products, and found to meet a specific set of requirements. Beginning with z/OS Version 1 Release 6, each release of z/OS has been evaluated and certified. For a summary of the certifications awarded for each release, see History.

z/OS® V2R1 has been certified to meet the requirements of the Common Criteria assurance level EAL4, augmented by ALC_FLR.3 for the following protection profiles:
  • Operating System Protection Profile (OSPP), Version 2.0 (dated 6/1/2010)
  • OSPP Extended Package - Labeled Security (OSPP-LS), Version 2.0 (dated 5/28/2010)
  • OSPP Extended Package - Extended Identification and Authentication (OSPP-EIA), Version 2.0 (dated 5/28/2010)
The system configuration and environment that the evaluation finds to meet these requirements is referred to as the certified system or certified configuration in this topic. The certification report is published on the BSI web page at https://www.bsi.bund.de/cln_156/EN/Topics/Certification/CertificationReports/certificationreports_node.html.

The following sections state the requirements that the installation must fulfill in order to run in a certified configuration. Whereas the previous chapters of this document describe an optional configuration of the system that provides multilevel security, this chapter documents requirements for the certified configuration.

In its certified configuration, z/OS allows two modes of operation: a standard mode meeting all requirements of the Operating System Protection Profile base (OSPP) and its extended package for Extended Identification and Authentication (OSPP-EIA), and a more restrictive mode called Labeled Security Mode, which additionally meets all requirements of the OSPP extended package for Labeled Security (OSPP-LS).

The evaluation of z/OS did not cover all z/OS security functions, or all methods of achieving the required level of security. An installation can choose to use security functions that were not evaluated, or to use methods of achieving the required level of security that were not evaluated. If an installation makes this choice, it is no longer running the certified configuration, and must take responsibility for the security characteristics of the system.

The evaluation of z/OS did not cover all resources in the FACILITY class. In general, you can choose to use them without compromising the security of your system. However, you need to use them with care and be aware of the security implications. For example, some of the STGADMIN resources can allow reading of all data, and the BLSACTV.SYSTEM resource can allow viewing other users' data in storage. Define profiles protecting these resources with UACC(NONE) and, in Labeled Security Mode configurations, SECLABEL(SYSHIGH), and give access only to highly trusted users.
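
As an added example (not taken from the IBM documentation), the following REXX exec issues the RACF commands that apply this guidance to the two resource names mentioned above. The group name TRUSTGRP, the READ access level, the AUDIT setting and the use of a generic STGADMIN.** profile as a catch-all are assumptions made here.

```rexx
/* REXX - added example, not IBM code. Run under TSO/E by a user     */
/* with the RACF SPECIAL attribute.                                   */
labeled  = 1              /* 1 = Labeled Security Mode, 0 = standard  */
trusted  = 'TRUSTGRP'     /* hypothetical group of highly trusted users */
profiles = 'STGADMIN.** BLSACTV.SYSTEM'

/* UACC(NONE) denies everyone who is not on the access list.          */
/* AUDIT(ALL(READ)) is an addition here: it logs every access attempt. */
opts = 'UACC(NONE) AUDIT(ALL(READ))'
if labeled then opts = opts 'SECLABEL(SYSHIGH)'

Address TSO
"SETROPTS GENERIC(FACILITY)"     /* required for the STGADMIN.** generic */

do i = 1 to words(profiles)
  p = word(profiles, i)
  "RDEFINE FACILITY" p opts
  if rc <> 0 then                /* nonzero rc, e.g. profile already defined */
    "RALTER FACILITY" p opts     /* bring the existing profile in line */
  /* READ is an assumed access level; grant the lowest level that works */
  "PERMIT" p "CLASS(FACILITY) ID("trusted") ACCESS(READ)"
end

/* Refresh the in-storage profiles (applies when FACILITY is RACLISTed) */
"SETROPTS RACLIST(FACILITY) REFRESH"

/* List each profile so UACC, SECLABEL and the access list can be reviewed */
do i = 1 to words(profiles)
  "RLIST FACILITY" word(profiles, i) "ALL"
end
```

In the RLIST output, confirm that UNIVERSAL ACCESS is NONE, that the access list contains only the trusted group, and, in Labeled Security Mode, that the security label is SYSHIGH. More specific STGADMIN profiles that already exist take precedence over the generic profile and need the same review.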

If you are setting up a z/OS system to meet the requirements of the Common Criteria Operating System Protection Profile (OSPP), information about the certified configuration documented in this topic supersedes information in other documents in the z/OS library.