On Monday, 05/15/2006 at 06:09 EST, Karl Severson <[EMAIL PROTECTED]> wrote:
> I think the next logical question I need to address is who do I have to
> contact in order to find out if our current operating system is approved or
> approvable for PL2 operation? Or maybe that's a question for our corporate
> security people to take to the Defense Security Service.

Yes, take it to DSS. Only they can rule on whether your system is permitted to operate in PL2.

As was said before, no release of VM/ESA ever received a formal evaluation by DoD for an ITSEC C2 or B1 certification, though it was designed to meet those criteria. The same designs were carried into z/VM 5.1, which has Common Criteria EAL3+ against the LSPP (Labeled Security Protection Profile, similar to B1). Chapter 8 of NISPOM sets its own standards and does not indicate whether a B1/LSPP system meets the requirements of PL2 operation.

VM/ESA 2.3 with RACF does have mandatory access controls (seclabels) to enforce the need-to-know (information compartmentalization) and security clearances required by B1/LSPP. You should obtain all current service for RACF, as it now includes a pre-defined seclabel of SYSNONE for users like TCPIP that act as an extension of CP. And even though your VM/ESA system is no longer in service, RACF 1.10 still is.

Naturally, IBM currently recommends the Common Criteria feature of z/VM 5.2 (which ships the certified z/VM 5.1 to you).

The z/VM 5.1 Secure Configuration Guide can be found at http://www.ibm.com/support/docview.wss?uid=pub1sc24613801. This book tells you how to configure VM and RACF for LSPP (B1) and CAPP (C2) operation.

If your own people or anyone at DSS has a question on this, please have them e-mail or call me directly.

Alan Altmark
z/VM Security Guy
IBM Endicott
607.429.3323