
We announced earlier today that AlmaLinux OS 9.2 is now certified under Common Criteria, the international standard (ISO/IEC 15408) for independently evaluating the security of IT products.
I keep coming back to how big this is for a community project. AlmaLinux is a community-owned non-profit foundation, with no corporate owner. For an operating system that is built in the open and given away for free to now also carry a formal, independent security certification is the best of both worlds. And it is a milestone that belongs to everyone who uses and contributes to AlmaLinux, not just the regulated organizations for whom this kind of certification is a requirement.
How we got here
We did this alongside Cybertrust Co., Ltd., a longtime platinum sponsor of the AlmaLinux OS Foundation. The work was led and carried by Cybertrust engineers who are themselves members of the Foundation. That is exactly the kind of collaboration that makes AlmaLinux what it is: sponsors and contributors investing in the project together.
What Common Criteria is
Common Criteria (ISO/IEC 15408) is an international standard for evaluating the security of IT products. Under it, an independent, accredited third party verifies that a product’s security features are correctly designed and built, and actually do what they claim to do. The certificate is recognized across borders, so the assurance travels with AlmaLinux wherever the community runs it.
Verify it
AlmaLinux OS 9.2 was evaluated at EAL1 and is listed on Japan’s JISEC registry, run by the Information-technology Promotion Agency (IPA). You can see the official record here: the JISEC certificate listing.
We have also put together a page that walks through what the certification is, why it matters, and how to verify it: almalinux.org/security/cc-certification.
Thank you
To the Cybertrust team, and to everyone in the AlmaLinux community who builds and sustains this OS: thank you.
If you have questions about what this means, come find us on chat.almalinux.org. The security room and the Japan user group are good places to start.

