Oracle submits certain products to external security evaluations. These evaluations involve rigorous testing by independently accredited organizations (“labs”) with further oversight and certification completed by government bodies. Independent verification helps provide additional assurance to Oracle customers with regard to the security posture of the validated products.
Oracle is committed to the Common Criteria (CC) and FIPS 140 standards as these standards reflect global market demand, as well as procurement and regulatory requirements.
Common Criteria (ISO/IEC 15408) is the international framework that defines a common approach for evaluating the security features and capabilities of IT products.
The Federal Information Processing Standard (FIPS) 140 is a cryptographic standard developed by the National Institute of Standards and Technology (NIST) in the US for the protection of sensitive but unclassified data. Cryptography that is validated as conforming to FIPS 140-2 is accepted for procurement by Federal Agencies in both the US and Canada. A number of industry-specific regulations and standards make reference to the FIPS 140-2 requirements. These include the Payment Card Industry Security Standards Council (PCI SSC) standards for credit card data processing, the Health Insurance Portability and Accountability Act (HIPAA) in the healthcare industry, the Joint Interoperability Command (JITC) in the U.S. Military, etc. US Federal Risk and Authorization Management Program (FedRAMP) requirements interpret “approved cryptographic techniques” as the set of cryptographic modules validated per FIPS 140-2.
FedRAMP-authorized cloud solutions require that any cryptographic mechanisms deployed in these solutions be FIPS 140-2 certified.
For both FedRAMP Moderate and High, the Security Controls Baseline (control ID: SA-4) guidance states “The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred.”
Security evaluations such as FIPS 140-2 and Common Criteria provide additional assurance to customers that Oracle products conform to stringent requirements for processing critical data. By leveraging Oracle products evaluated by accredited third-party testing facilities, customers can help meet the increasing number of regulatory requirements that apply to their complex computing environments.
For a complete list of Oracle product security evaluations that are completed and in progress, please see the Oracle Security Evaluations Status page.