Based on John P. Baker's reply (many thanks!) to my question ( https://communities.ca.com/thread/241699748?sr=stream&ru=120883015 - ? Possibility to Enforce commenting for TSS Commands ?)
I suggest to extend the TOP SECRET TSS -Command by an operand, where a change identifier can be entered.
This change identifier should be applicable to any command where that updates the security file or that updates the configuration (TSS MODIFY).
This change identifier should not be applicable to a TSS LIST, TSS WHOHAS, or TSS WHOOWNS command.
An exit point should be provided in the TSS installation exit where the change identifier can be validated.
The change identifier should be recorded in the TSS recovery file and in the CA Compliance Manager z/OS logstream.
The TSS options or administrative attributes should provide a possibility to turn on/off an enforcement, that this operand must be specified in the commands