Compliant Product - Xerox® AltaLink™ EC8036 & EC8056
Certificate Date: 2022.06.14
Validation Report Number: CCEVS-VR-VID11270-2022
Product Type: Multi Function Device
Conformance Claim: Protection Profile Compliant
PP Identifier: Protection Profile for Hardcopy Devices Version 1.0
CC Testing Lab: Lightship Security USA, Inc.
Product is a multi-function device that copies and prints with scan and fax capabilities.
The TOE evaluated configuration includes the Xerox® AltaLink™ EC8036/EC8056 running system software version: 103.023.031.35105.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The evaluation demonstrated that the product meets the security requirements contained in the Security Target. The criteria against which the Xerox Hardcopy Device (HCD) was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1, Revision 5. Lightship Security USA determined that the product is conformant to requirements for Protection Profile for Hardcopy Devices, Version 1.0. The product satisfies all of the security functional requirements stated in the Security Target. The project underwent CCEVS Validator review. The validators, on behalf of the CCEVS Validation Body, monitored the evaluation carried out by Lightship Security USA. The evaluation was completed in June 2022 in Austin, Texas. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID11270-2022) prepared by CCEVS.
The TOE logical boundary is comprised of the following security functions:
· Identification and Authentication. The TOE requires users and system administrators to authenticate before granting access to printer or system administration functions via EWS or the Control Panel. The TOE supports username/password and smartcard-based authentication.
· Security Audit. The TOE generates logs of security-relevant events. The TOE stores logs locally and is capable of sending log events to a remote audit server.
· Access Control. The TOE enforces a system administrator-defined role-based access control policy.
· Security Management. System administrators manage the TOE’s security configuration via the Control Panel and/or EWS. The TOE allows filtering rules to be specified for IPv4 network connections based on IP address and port number.
· Trusted Operation. The TOE performs a suite of self-tests to verify correct operation during start-up and verifies the authenticity and integrity of firmware updates.
· Cryptographic Operations. The TOE incorporates two cryptographic modules:
o Mocana. Provides cryptographic services for hard disk encryption/decryption, encryption/decryption services for the IPSec protocol, and asymmetric key generation.
o OpenSSL. Provides cryptographic services for HTTPS/TLS and SSH encryption/decryption services.
· Storage Encryption. The TOE stores temporary files created during a copy, print, scan or fax job on a single shared hard disk drive (HDD). All partitions of the HDD used for spooling temporary files are encrypted.
· Trusted Communication. The TOE protects the integrity and confidentiality of communications as noted in section 2.2.3 of the ST.
· PSTN Fax-Network Separation. The TOE provides separation between the fax processing board and the network interface and therefore prevents an interconnection between the PSTN and the internal network. This separation is realized in software: by design, these interfaces may only communicate via an intermediary.
· Data Clearing and Purging. The image overwrite feature overwrites temporary image files created during a copy, print, scan or fax job when those files are no longer needed. Overwrite is also invoked at the instruction of a job owner or administrator and at start-up. The purge feature allows an authorized administrator to permanently delete all customer-supplied data on the TOE. This addresses residual data concerns when the TOE is decommissioned from service or redeployed to a different environment.