SQL Server 2022 is EAL 2 Common Criteria certified!
Published Jun 10 2024 08:00 AM
Microsoft

In a previous blog post in 2023 we mentioned that two Common Criteria (CC) certifications of SQL Server 2022 were in progress. We are excited to announce that CC EAL2 certifications for SQL Server 2022 on Windows and Linux (including SQL Server enabled by Azure Arc) have been issued! The certifications are compliant with the newly developed and recently certified DBMS cPP.

 

After SQL’s first CC certification of version 2005 (Yukon), SQL Server 2022 is the 8th major release that has successfully completed this security attestation. To see an extract of the extensive CC history of SQL Server, please refer to the SQL Server security page (click on “View our Common Criteria certifications”). Additionally, this document provides important information to understand and use SQL Server 2022 as evaluated and certified.

 

What CC means

The SQL Server 2022 CC certification consisted of a comprehensive examination conducted by the evaluation facility, based on document reviews for various design representations, independent functional and penetration testing, code analysis, site audits for development sites, data centers and support sites, and a vulnerability assessment. The scope and rigor of this investigation were defined by the newly developed and recently certified DBMS cPP. The results obtained by the evaluation facility were continuously monitored by the certification body to confirm their accuracy and to ensure comparability with other independent evaluations of the same product type. (See SQL Server 2022 on Windows and SQL Server 2022 on Linux.)


Since SQL Server 2016, all CC certified versions were “cloud connected”, as their development life cycle (including tooling) has progressed step by step to the cloud through the years. CC for SQL Server 2022 includes an Azure Arc-enabled server configuration (which is shown below and represents an IaaS offering). All these cloud-based tools and techniques are well understood by CC; however, not all hybrid or multi-cloud environment configurations are (yet) supported by CC. Looking forward, Microsoft is contributing to and building on the work performed in the “CC in the Cloud Technical Working Group (TWG)” to support CC for cloud-based services.

 

[Image: Azure Arc-enabled server configuration for SQL Server 2022]

 

About the CC

CC is an international program which is broadly used as a (cyber) security standard (ISO 15408) to test and improve the IT security measures of commercial products for use in National Security Systems (see e.g. EUCSA, NIAP). As such it serves as a worldwide compliance obligation across regulated industries and authorities and can be applied to almost any type of IT product implemented in hardware, firmware, or software. IT security measures in the context of the CC are usually a means to protect information (or in other words ‘assets’) from unauthorized disclosure, modification, or loss of use, covering, for example, areas such as identification and authentication, access control, accountability, audit, object re-use, and error recovery. Appropriate confidence in the correct and effective implementation of those measures (expressed in terms of assurance requirements and typically specified in an EAL) is needed to help determine whether IT products fulfill their security needs. A competence-tested and licensed evaluation facility therefore evaluates an IT product against a pre-defined security specification, called a (collaborative) Protection Profile (PP). A (collaborative) PP represents the security functional and assurance requirements for technology classes and is developed and maintained by an international Technical Community (iTC), made up of CC and technology area experts such as vendors, certification bodies, evaluation facilities, and consultants (see e.g. DBMS-iTC). Under the international Common Criteria Recognition Arrangement (CCRA) and the European Senior Officials Group Information Systems Security (SOG-IS) agreement, all signatories agree to recognize the CC certificates produced by any certificate-authorizing participant. Each certificate-authorizing member of the CCRA or SOG-IS operates a certification body that oversees evaluations conducted by their licensed commercial evaluation facilities.

 

Learn more about the CC

Please visit the Common Criteria Portal.

Last update: Jun 08 2024 06:00 AM