Common Criteria


The Common Criteria (CC) is an international standard (ISO/IEC 15408) for the security evaluation of IT products. The Common Criteria originated from three previous standards with the intent of creating an internationally recognized security assurance framework. It has since been embraced by many countries around the world as the de facto security evaluation standard. To date, 31 countries have signed the Common Criteria Recognition Arrangement (CCRA) (PDF)allowing vendors to evaluate a product under Common Criteria in one country and have the resulting CC certificate recognized as valid by all member countries. CC certificates are issued by a subset of member countries via independent accredited laboratories performing product security evaluations.

Prior to 2014, evaluations were primarily conducted using Evaluation Assurance Levels (EALs), with a hierarchal range of 1-7. EAL 7 incorporated the most stringent requirements for testing and documentation. In 2014, the CCRA changed the focus from EALs to collaborative Protection Profiles (cPPs) created by international Technical Communities (iTCs). A cPP is tailored to a specific technology, such as database, operating system, network device, etc., and is intended to enable buyers to make more accurate comparisons between evaluated products. If a cPP exists for a vendor’s technology, that vendor will likely need to use as some countries won’t allow an EAL evaluation to proceed if a cPP exists. EAL evaluations with a custom Security Target (ST) may still be allowed without using a cPP, but are now limited to EAL2 for mutual recognition purposes.

To view the latest Common Criteria version please visit the Common Criteria website.

Oracle’s Common Criteria Certificates

Oracle has a long history with Common Criteria and was the first vendor to develop and evaluate a Database Protection Profile (PP). The Oracle Database (Oracle7, Release 7.2) was the first database server product to be awarded a Common Criteria Certificate. The latest version of the Database Protection Profile, now a cPP and associated status can be found here. The status of all the Oracle Database PPs can be found here and archived PPs are here. Filter on the Databases category. In addition to Database PPs, Oracle has created Protection Profiles for Java Card implementations found here. Filter on the Smart Card category. These PPs help Java Card technology vendors meet the demand by banks, governments, and other card issuers for security evaluations. Today Oracle is involved in many international Technical Communities (iTCs) and Technical Working Groups helping to write the next versions of Protection Profiles and contributing our deep technical expertise towards development of mature multi-national standards.

Products submitted for Common Criteria certification may be in two evaluation states: In Evaluation and Evaluated. Products ‘In Evaluation’ have been registered according to government scheme policy and are being tested by a certified laboratory. After passing the security evaluation and being awarded a certificate by the authorized scheme, the product status is ‘Evaluated’.

For our customers’ convenience, Oracle publishes our evaluated products and “in evaluation” product certifications here.

For additional information on Oracle’s Common Criteria status and participation, please email