Oracle FIPS and FIPS Flagging
Oracle Version 26ai, FIPS Version 140-2 and 140-3

General Information
Library Note Morgan's Library Page Header
The best Oracle News for FY2026

Oracle Database 26ai will be available on generic Linux platforms in January and soon on AIX and Windows
Purpose

FIPS 140-3 is the current U.S. and Canadian government standard for validating cryptographic modules. FIPS ensures that sensitive data is securely encrypted and and aligns with international ISO standards (ISO/IEC 19790).

FIPS sets rigorous requirements for security levels (1-4) and testing by the Cryptographic Module Validation Program (CMVP), making it the benchmark for both government and private sectors.

FIPS specifies encryption algorithms and mandates strict testing of firmware, hardware, and software to protect against vulnerabilities.

Key Aspects
Cryptographic Module: The core component that performs encryption, decryption, and key management.

Security Levels
Defines four levels, from basic (Level 1) to high-security physical tamper resistance (Level 4).

Testing
Requires independent lab testing against specific Derived Test Requirements (DTRs).

Scope
Covers hardware, software, and firmware, protecting sensitive data in federal, defense, financial, and cloud systems.

Proper configuration of FIPS requires compliance with US DOD DISA STIGs x and y. Use not complying with these STIGs is essentially meaningless and serves not useful purpose.
 
Initialization Parameter
   
SQL> show parameter fips

NAME                 TYPE       VALUE
-------------------- ---------- --------------------
DBFIPS_140           boolean    FALSE

ALTER SYSTEM SET dbfips_140=TRUE SID='*' SCOPE=SPFILE;

System altered.

SHUTDOWN IMMEDIATE;

STARTUP;

SQL> show parameter fips

NAME                 TYPE       VALUE
-------------------- ---------- --------------------
DBFIPS_140           boolean    TRUE
 
FIPS.ORA File
   
 
 
FIPS Flagging
The Federal Information Processing Standard for SQL (FIPS 127-2) required a way to identify SQL statements that use vendor-supplied extensions.

To the best of our ability to determine FIPS Flagging is deprecated but not desupported as it can still be used to flag SQL92 violations.		 ALTER SESSION SET FLAGGER=<ENTRY | FULL | INTERMEDIATE | OFF>;
conn / as sysdba

set flagger on
Usage: SET FLAGGER { OFF | ENTRY | INTERMEDIATE | FULL }

ALTER SESSION SET container=PDBDEV;

Session altered.
CREATE OR REPLACE FUNCTION test(x IN VARCHAR2) RETURN VARCHAR2
AUTHID DEFINER IS
BEGIN
  RETURN x;
END;
/
Function created.

ALTER SESSION SET flagger=FULL;

Session altered.

CREATE OR REPLACE FUNCTION test(x IN VARCHAR2) RETURN VARCHAR2
AUTHID DEFINER IS
BEGIN
  RETURN x;
END;
/
*
ORA-00097: use of Oracle SQL feature not in SQL92 Full Level

ALTER SESSION SET container=PDBDEV;

Session altered.

ALTER SESSION SET flagger=FULL;
ERROR:
ORA-00097: use of Oracle SQL feature not in SQL92 Full Level

Session altered.

ALTER SESSION SET flagger=OFF;
ERROR:
ORA-00097: use of Oracle SQL feature not in SQL92 Full Level

Session altered.

conn / as sysdba
Connected.

ALTER SESSION SET flagger=OFF;

Session altered.

Related Topics
Built-in Functions
Built-in Packages
Database Security
What's New In 21c
What's New In 26ai

Morgan's Library Page Footer
This site is maintained by Daniel Morgan. Last Updated: This site is protected by copyright and trademark laws under U.S. and International law. © 1998-2026 Daniel A. Morgan All Rights Reserved