Security Evaluation


To further demonstrate Oracle's leadership position and commitment to product security, external security evaluations and certifications are performed. These evaluations involve rigorous testing by independently accredited labs. External evaluations and validations provide additional assurance in the security of our IT products. Globally, these certifications are often mandatory for government procurement, and they establish an acceptable level of confidence for IT purchasers, whether government, military or commercial.

There are two important components of global IT security evaluations: the criteria and methodology against which the evaluations are performed, and the government schemes which govern them. While the criteria are the same regardless of the country you are working in, different policies are enforced across the schemes. Presently, Oracle actively participates in two internationally recognized security evaluation criteria:

1. Common Criteria (CC) is the only international framework (ISO/IEC 15408) which defines a common approach for evaluating the security features and capabilities of IT products. Originating from three other national security standards, CC has evolved over the years to keep up with security trends and product technology. At this writing, 30 countries recognize the framework, while 18 of those countries, including the US, are authorized to issue certificates. A Common Criteria certified product is one that an authorized government scheme asserts as having passed an evaluation by a licensed and independent evaluation laboratory.

2. The Federal Information Processing Standard (FIPS) 140-2 is a cryptographic standard developed by the National Institute of Standards and Technology (NIST) in the US for the protection of sensitive but unclassified data. Modules validated as conforming to FIPS 140-2 are accepted for procurement by Federal Agencies in both the US and Canada. This validation confirms that the cryptographic functionality has been tested by an independent laboratory and validated by the government scheme against the requirements of the standard. FIPS 140-2 requirements have been adopted by industries such as Financial (Payment Card Industry (PCI)), Health (Health Insurance Portability and Accountability Act (HIPAA)), Government Cloud (FedRAMP) and US Military (Joint Interoperability Command (JITC) and Commercial Solutions for Classified (CSfC)).

For more information, see the Security Evaluations website. For a complete list of Oracle security evaluations currently in progress as well as those already completed, please go to the Oracle Security Evaluations Status page.

Oracle Security evaluation blogs focus mostly on government certifications, validations and accreditation programs:

  1. Common Criteria and the Future of Security Evaluations (Mary Ann Davidson)
  2. Improving the Speed of Product Evaluations (Joshua Brickman)
  3. FIPS: The Crypto "Catch 22" (Joshua Brickman)

Please email for all inquiries regarding Oracle security evaluations.

Security Benefits of Evaluations

Independent verification: Evaluation of product security claims comes from accredited evaluation facilities that are certified by government schemes.
Standard measures of assurance: Evaluation of product security claims comes from accredited evaluation facilities that are certified by government schemes.
Product enhancements: Security evaluations can lead to improvements in the overall design and implementation of security in the certified solutions.
Identification of architectural vulnerabilities: Security evaluations can lead to the identification of architectural vulnerabilities.