Security Evaluation

Overview

Oracle submits certain products for external security evaluations. These evaluations involve rigorous testing by independently accredited organizations (“labs”) with further oversight and certification completed by government bodies. Independent verification helps provide additional assurance to Oracle customers with regards to the security posture of the validated products. Additionally, customers in many industries have business and compliance requirements that imply the use of validated products.

Common Criteria (ISO/IEC 15408)

Oracle is committed to the Common Criteria (CC) standards as these standards reflect global market demand, as well as procurement and regulatory requirements.

Common Criteria (ISO/IEC 15408) is the international framework which defines a common approach for evaluating the security features and capabilities of IT products.

For both FedRAMP Moderate and High, the Security Controls Baseline (control ID: SA-4) guidance states “The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred.”

FIPS 140

Oracle is committed to the FIPS 140 standards as these standards reflect global market demand, as well as procurement and regulatory requirements.

The Federal Information Processing Standard (FIPS) 140 is a cryptographic standard developed by the National Institute of Standards and Technology (NIST) in the US for the protection of sensitive but unclassified data. Cryptography that is validated as conforming to FIPS 140 and is on the FIPS active module list is accepted for procurement by Federal Agencies in both US and Canada. Several industry-specific regulations and standards make reference to the FIPS 140 requirements. These include Payment Card Industry Security Standards Council (PCI SSC) standards for credit card data processing, Health Insurance Portability and Accountability Act (HIPAA) in the healthcare industry, Joint Interoperability Command (JITC) in the U.S. Military, etc. US Federal Risk and Authorization Management Program (FedRAMP) requirements interpret “approved cryptographic techniques” as the set of cryptographic modules validated per FIPS 140.

FedRAMP-authorized cloud solutions mandate that any cryptographic mechanisms deployed in these solutions be FIPS 140 certified.

A new FIPS standard – FIPS 140-3 - became available for testing as of September 22, 2020. Customers can continue to make use of FIPS 140-2 modules until replacement FIPS 140-3 modules become available.

Benefits of Security Evaluations

Security evaluations such as FIPS 140 and Common Criteria provide additional assurance to customers that Oracle products conform to stringent requirements for processing critical data. By leveraging Oracle products evaluated by accredited third-party testing facilities, customers can help meet the increasing number of regulatory requirements that apply to their complex computing environments.