Many thanks to the hard work of the Oracle SecEval team and our external evaluators for making this one of the smoothest evaluations we have done. Particularly in light of the current global pandemic, some things had to be done differently but they found a way to make it work.
This is the latest security validation in a long history for Oracle Solaris, going back to the days of ITSEC and Trusted Solaris 1.2 in 1995. It was using Trusted Solaris 1.2 as a customer that really sparked my strong interest in operating system security. Many of the security features introduced in those early versions of Trusted Solaris 1.2 (SunOS 4.1.3) are still at the core of the product today: Audit, RBAC - with separation of duty, privileges.
One of the important changes in recent CC profiles and in particular the NIAP OSPP, that we were evaluated against, is more emphasis on strong authentication and cryptography - including an entropy assessment. To gain this CC certification Oracle Solaris Cryptographic Framework and the included OpenSSL libraries also need to complete the CAVP part of a FIPS 140-2 validation. Our full CMVP FIPS 140-2 validation for the user space and kernel crypto libraries is pending in the NIST queue.
A pdf copy of the certificate can be found here.
Darren J Moffat - Oracle Solaris Engineering