Oracle Linux 9 has recently achieved significant milestones in security certifications. First, it has obtained a Common Criteria (CC) certification against the National Information Assurance Partnership (NIAP) General Purpose Operating System Protection Profile (OSPP) 4.3. As a result, Oracle Linux 9 is now listed on the NIAP Product Compliant List, highlighting its compliance with stringent security standards.
This certification is particularly important for government entities and contractors, as it facilitates their adherence to U.S. government procurement requirements. According to NIAP Policy Letter #32, published in February 2025, Cloud SaaS (software as a service) Evaluations mandate that any platform relied upon by the TOE (target of evaluation) must be on the NIAP Product Compliant List to help ensure the implementation of necessary security functionality. With Oracle Linux 9’s inclusion on the list, it can now serve as a trusted platform for government-related cloud computing and software solutions.
The CC-evaluated configuration for Oracle Linux 9 encompasses general purpose hardware platforms with 64-bit AMD and Intel processors (x86_64) and 64-bit Ampere Arm processors (aarch64) on Oracle Cloud Infrastructure (OCI), utilizing Oracle Linux KVM. The TOE was tested on both Oracle Linux kernels – the Unbreakable Enterprise Kernel (UEK) and Red Hat Compatible Kernel (RHCK) – on the AMD and Intel platforms. Oracle Linux featuring UEK was also tested on the Ampere Arm platform. Both the Common Criteria certification and Federal Information Processing Standard-140 (FIPS-140) validations were conducted by independent labs using OCI resources. The labs demonstrated that OCI provided an isolated test environment under their control that was suitable for validation and testing.
“Security is at the core of Oracle Linux, irrespective of where you choose to deploy it – on premises, in OCI, or on other public clouds – and Oracle Linux powers the entire Oracle Cloud Infrastructure and Oracle Distributed Cloud portfolio,” said Robert Shimp, senior vice president, infrastructure software product management, Oracle. “The recent security certification and validations are among the many rigorous steps we take to help ensure Oracle Linux is highly secure and offers a consistent and reliable experience in all customer deployments.”
Common Criteria Certification
The completed CC certification for Oracle Linux 9 was performed against the Protection Profile for General Purpose Operating Systems (OSPP) 4.3, the Functional Package for Secure Shell (SSH), Version 1.0, and the Functional Package for Transport Layer Security (TLS), Version 1.1.
The security functionality evaluated as part of the certification included security audit, cryptographic support, identification and authentication, user data protection, self-protection, and TLS and SSH protocols.
FIPS 140-3 Validations
In addition to the Common Criteria certification, Oracle Linux 9 also received multiple FIPS-140 validations of its cryptographic modules. FIPS-140 is a mandatory standard for all cryptographic modules used by the U.S. government and is required for any cryptography that is a part of a FedRAMP-certified cloud service. The current version of the cryptography standard is FIPS 140-3.
The recently completed FIPS 140-3 certifications include:
- Unbreakable Enterprise Kernel (UEK) 7, certificate 4739 and security policy
- OpenSSL FIPS Provider, certificate 4779 and security policy
- NSS Cryptographic Module, certificate 4801 and security policy
- Libgcrypt Cryptographic Module, certificate 4993 and security policy
- Kernel Crypto API Cryptographic Module, certificate 5036 and security policy
- GnuTLS Cryptographic Module, certificate 5037 and security policy
These certifications add to the growing list of Oracle Linux’s evaluations and validations, showcasing its enhanced security features and ability to provide a platform for highly secure and optimized operations across on-premises and cloud environments.
Next steps
Visit Oracle Security Evaluations to learn more details about the Oracle products that have completed CC and FIPS security certifications and those that are in progress, and explore Oracle Linux Security to learn how Oracle Linux can help keep your systems secure and improve the performance and stability of your operations.