On February 12, 2025, Oracle published version 1.0 of its Critical Control Baseline (CCB), a binding set of supply-chain security requirements that Oracle customers operating in CISA-designated critical infrastructure sectors must meet as a condition of continued enterprise license support after January 1, 2026. The CCB was developed in response to TSA Security Directive 1580-21-01 extensions, the EU NIS2 Directive transposition that completed on October 17, 2024, and the ongoing fallout from the Oracle Cloud Classic authentication incident that Oracle confirmed on April 8, 2024 after security researcher Alon Gal published evidence of credential exposure. The CCB is unusual in scope: rather than apply only to Oracle's own software, it requires customers to attest to the integrity of third-party code deployed alongside Oracle products. For regulated industries already juggling FedRAMP, PCI-DSS 4.0, and NIS2, it is another layer — but it is also the clearest articulation yet of where enterprise software contracts are heading.
What sectors does the CCB cover?
All 16 CISA critical infrastructure sectors, with phased enforcement. Energy, financial services, healthcare, and water utilities face the January 1, 2026 deadline; communications, transportation, and defense industrial base follow on July 1, 2026; the remaining nine sectors by January 1, 2027. The trigger is not the customer's sector alone but whether an Oracle product processes data or supports operations designated "essential" under NIS2 Annex I or "covered" under CIRCIA. Customers are expected to self-attest via a new Oracle Support portal section and re-attest annually.
What does the baseline actually require?
Six control families. First, CycloneDX 1.6 or SPDX 2.3 SBOMs for every production deployment of Oracle-adjacent software (application servers, middleware integrations, custom PL/SQL packages). Second, SLSA Build Level 2 minimum for any custom code invoked by Oracle products, rising to Level 3 for financial services by 2027. Third, signed attestations (Sigstore or in-toto) for every container image or binary that interacts with Oracle database instances. Fourth, a documented incident response plan referencing Oracle's ORA-SIRT disclosure process. Fifth, quarterly vulnerability management evidence showing a 15-day SLA for Oracle-published CPU advisories. Sixth, an annual third-party supply chain risk assessment covering all software that sits in the Oracle deployment path.
How does the CCB interact with NIS2 and DORA?
It overlaps but does not replace. NIS2 Article 21 requires "essential" and "important" entities to manage ICT third-party risk with policies on software supply chain security, and the Digital Operational Resilience Act (DORA) — enforceable for EU financial entities since January 17, 2025 — adds ICT third-party register maintenance and concentration-risk assessments. Oracle's CCB explicitly cites both regulations as design inputs and provides a mapping table so that a single evidence set can satisfy Oracle, NIS2, and DORA simultaneously. For EU customers with multiple upstream vendors, the pragmatic play is to adopt the CCB evidence format as the internal standard.
What are the legal liability implications?
Meaningful. The CCB ships as a binding amendment to Oracle's OMA (Oracle Master Agreement), and non-attestation triggers a "non-compliant" flag visible to Oracle account executives. Oracle has not (as of March 2025) threatened support termination, but its FAQ released February 19 confirmed that "continued non-compliance after the grace period may affect renewal terms." More importantly, a false attestation exposes the signing officer to fraud theories under U.S. state consumer-protection statutes and the EU NIS2 management-body accountability provisions — sanctions for willful NIS2 violations reach €10 million or 2% of global turnover.
How do we build the evidence pipeline?
Treat attestation as a build artifact, not a point-in-time report. A minimal pipeline:
# .github/workflows/ccb-attest.yml
on: [push]
jobs:
  attest:
    runs-on: ubuntu-latest
    permissions:
      contents: read        # required by checkout once an explicit permissions block is declared
      id-token: write       # OIDC token for Sigstore keyless signing
      attestations: write   # store the attestations with the repository
    steps:
      - uses: actions/checkout@v4
      # The build step that produces dist/app.jar goes here.
      # ubuntu-latest runners do not ship syft, so install it first.
      - run: curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sudo sh -s -- -b /usr/local/bin
      - run: syft . -o cyclonedx-json=sbom.json
      - uses: actions/attest-build-provenance@v1
        with:
          subject-path: dist/app.jar
      - uses: actions/attest-sbom@v1
        with:
          subject-path: dist/app.jar
          sbom-path: sbom.json
The resulting attestations are SLSA v1.0 conformant and Sigstore-verifiable. Upload to an Oracle-designated S3 or object storage bucket on each release, and let Oracle's automated CCB checker pull them on the attestation cadence.
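Downstream of that pipeline, the fifth control family's 15-day remediation SLA still has to be enforced before a release is attested. The Python gate below is an added illustration, not code from Oracle or from any vendor named on this page: it reads a CycloneDX 1.6 document (constructed inline, with placeholder component refs and CVE ids) and lists every open vulnerability published more than 15 days before the as-of date, treating entries that carry a CycloneDX analysis state such as not_affected as documented deviations rather than breaches.

```python
import json
from datetime import date

SLA_DAYS = 15  # remediation window from the CCB's fifth control family
# CycloneDX analysis states that record a documented deviation, not open exposure.
CLOSED_STATES = {"not_affected", "resolved", "false_positive"}

# Constructed CycloneDX 1.6 document; component refs and CVE ids are placeholders.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.6",
  "components": [
    {"type": "library", "name": "ojdbc-shim", "version": "1.2.0",
     "bom-ref": "pkg:maven/example/ojdbc-shim@1.2.0"},
    {"type": "library", "name": "report-util", "version": "3.0.1",
     "bom-ref": "pkg:maven/example/report-util@3.0.1"}
  ],
  "vulnerabilities": [
    {"id": "CVE-0000-0001", "published": "2025-02-01T00:00:00Z",
     "affects": [{"ref": "pkg:maven/example/ojdbc-shim@1.2.0"}]},
    {"id": "CVE-0000-0002", "published": "2025-02-20T00:00:00Z",
     "affects": [{"ref": "pkg:maven/example/report-util@3.0.1"}]},
    {"id": "CVE-0000-0003", "published": "2025-01-05T00:00:00Z",
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
     "affects": [{"ref": "pkg:maven/example/report-util@3.0.1"}]}
  ]
}"""

def sla_breaches(sbom_text, as_of, sla_days=SLA_DAYS):
    """Return (cve_id, component_ref, days_open) for every open vulnerability
    published more than `sla_days` days before the ISO date string `as_of`."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX" or sbom.get("specVersion") != "1.6":
        raise ValueError("expected a CycloneDX 1.6 document")
    known = {c["bom-ref"] for c in sbom.get("components", [])}
    today = date.fromisoformat(as_of)
    breaches = []
    for vuln in sbom.get("vulnerabilities", []):
        if vuln.get("analysis", {}).get("state") in CLOSED_STATES:
            continue  # deviation recorded in the SBOM; not counted against the SLA
        days_open = (today - date.fromisoformat(vuln["published"][:10])).days
        if days_open <= sla_days:
            continue
        for target in vuln.get("affects", []):
            if target["ref"] not in known:  # dangling ref: the SBOM is incomplete
                raise ValueError(f"{vuln['id']} affects unknown ref {target['ref']}")
            breaches.append((vuln["id"], target["ref"], days_open))
    return breaches

def release_allowed(sbom_text, as_of):  # policy gate: ship only with no breaches
    return not sla_breaches(sbom_text, as_of)
```

Run against the sample as of 2025-03-01, CVE-0000-0001 (28 days open) blocks the release while CVE-0000-0002 (9 days) and the not_affected CVE-0000-0003 do not.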
What should customers push back on?
Scope creep, mostly. The CCB 1.0 text includes a vague "reasonable review" clause (Section 4.3) allowing Oracle to request additional evidence. Negotiate a cap on such requests (e.g., four per year, 30 days' notice) and insist on mutual NDA terms before sharing proprietary build metadata. Also clarify the treatment of open source dependencies: the CCB requires attestation of "code invoked by Oracle products," which, read literally, would cover every transitive dependency — not operationally feasible. Oracle's own FAQ (Q14) clarifies that transitive dependencies should be covered by the SBOM rather than separate attestations, but the OMA text does not yet reflect this.
How Safeguard Helps
Safeguard generates CycloneDX 1.6 and SPDX 2.3 SBOMs that satisfy Oracle CCB Section 2.1, signs them with Sigstore for Section 2.3 attestation, and exports a consolidated evidence bundle mapped to Oracle's control IDs. Griffin AI performs reachability analysis to justify CCB Section 3.2 deviation requests — proving that a dependency is present but unreachable is the fastest path to a clean attestation. TPRM workflows continuously score upstream vendors against the CCB's third-party requirements and emit DORA-aligned concentration-risk reports. Policy gates block releases that miss the CCB's 15-day remediation SLA for KEV-listed CVEs, and the audit log exports directly to Oracle's CCB evidence schema, shrinking quarterly attestation prep from three weeks to three hours.