SQL Server 2022 Common Criteria EAL4 Certification

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

Bildschirmfoto 2023-10-13 um 19.50.12.png


After SQL’s first Common Criteria (CC) certification of version 2005 (Yukon), SQL Server 2022 (SQL22) is the 8th major release that has successfully completed this security attestation. Continuous improvements to internal processes have enabled us to complete SQL22's Evaluation Assurance Level 4 (EAL4) certification process in about seven (7) months, making it the fastest ever performed by Microsoft.


To see an extract of the extensive CC history of SQL Server, please refer to the SQL Server security page (Click on “View our Common Criteria certifications”). Additionally, this document provides important information to understand and use SQL22 as evaluated and certified.


What CC means for us

The SQL22 CC certification consisted of a comprehensive examination conducted by the evaluation facility, based on document reviews for various design representations, independent functional and penetration testing, code analysis, site audits for development sites, data centers and support sites, and a vulnerability assessment. Scope and rigor of this investigation were defined by the security assurance requirements compiled in EAL4 and by the existing BSI DBMS PP, though no conformity to BSI DBMS PP has been claimed this time. The results obtained by the evaluation facility were continuously monitored by the certification body to confirm their accuracy and to ensure comparability with other independent evaluations of the same product type.


Since SQL Server 2016, all CC certified versions were sort of „cloud connected “, as their development life-cycle (including tooling) has been progressing step by step to the cloud for the last few years. All these cloud-based tools and techniques are well accepted by CC, however, customers are not (yet) supported by CC to deploy their products as tested and certified in their real-life scenario, which could be a hybrid or (multi-)cloud environment.


Therefore, on short term basis, CC for SQL22 did include an Azure Arc-enabled server configuration (which is shown below and represents an IaaS offering) as a first visible step towards “CC in the cloud." And in the long run, we contribute to and build on the work performed in the “CC in the Cloud Technical Working Group (TWG)”.




About the CC

CC is an international program which is broadly used as a (cyber) security standard (ISO 15408) to test and improve the IT security measures of commercial products for use in National Security Systems (see e.g. EUCSANIAP). As such it serves as a world-wide compliance obligation across regulated industries and authorities and can be applied to almost any type of IT product implemented in hardware, firmware, or software.

IT security measures in the context of the CC are usually a means to protect information (or in other words ‘assets’) from unauthorized disclosure, modification, or loss of use, covering, for example, areas such as identification and authentication, access control, accountability, audit, object re-use, error recovery. Appropriate confidence in the correct and effective implementation of those measures (expressed in terms of assurance requirements and typically specified in an EAL) is needed to help determine whether IT products fulfill their security needs. A competence-tested and authorized (i.e., accredited) evaluation facility therefore evaluates an IT product against a pre-defined security specification, called (collaborative) Protection Profile (PP). A (collaborative) PP represents the security functional and assurance requirements for technology classes and is recently developed and maintained by an international Technical Community (iTC), made up of CC and technology area experts such as vendors, certification bodies, evaluation facilities, and consultants (see e.g. DBMS-iTC). Under the international Common Criteria Recognition Arrangement (CCRA) and the European Senior Officials Group Information Systems Security (SOG-IS) agreement, all signatories agree to recognize the CC certificates produced by any certificate-authorizing participant. Each participating country in the CC operates a certification body that oversees evaluations conducted by accredited commercial evaluation facilities.


Learn more about the CC

Please visit the Common Criteria Portal.


Looking forward

Two further CC certifications of SQL22 are running, an EAL2 on Windows and an EAL2 on Linux. Both are evaluated in Azure-Arc enabled and disabled server configurations and targeting to be compliant to the newly developed and recently certified DBMS cPP.


Interested in little tidbits and first-hand information about this demanding exercise? Please refer to and join our session at https://iccconference.org/?speaker=wolfgang-peter.

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.