Common Criteria (EAL4) support

The National Institute of Standards and Technology (NIST) has developed Common Criteria to ensure we have a safe option for downloading software to use on the systems. Information held by IT products or systems is a critical resource that enables organizations to succeed in their mission. Additionally, individuals have a reasonable expectation that their personal information contained in IT products or systems remain private, be available to them as needed, and not be subject to unauthorized modification. IT products or systems should perform their functions while exercising proper control of the information to ensure it is protected against hazards such as unwanted or unwarranted dissemination, alteration, or loss. The term IT security is used to cover prevention and mitigation of these and similar hazards.

WebSphere Application Server v7.0.0.19 was certified at the Common Criteria EAL4 level, the highest level of any commercially available application server. WAS v8 and 8.5 was designed to meet or exceed the security capabilities of WAS v7.0.0.19, including the EAL4 requirements. The US CCEVS is no longer certifying software products as Common Criteria EAL compliant because they are moving to a new security standard referred to as Protection Profiles. A Protection Profile for Java EE is not available at this time.

Common Criteria Validation and Evaluation Scheme website (by the National Information Assurance Partnership)