NIAP Oversees Evaluations of Commercial IT Products for Use in National Security Systems
Questions?  We're here to help
  NIAP  »»  Protection Profiles  »»  Archived PPs  »»  Details  
Archived U.S. Government Approved Protection Profile - U.S. Government Protection Profile for Hardcopy Devices Version 1.0 (IEEE Std. 2600.2™-2009)

Short Name: pp_hcd_eal2_v1.0

Technology Type: Multi Function Device

CC Version: 3.1

Date: 2010.02.26

Succeeded By: none

Sunset Date: 2013.11.01 [Sunset Icon]

Conformance Claim: EAL2 Augmented

Protection Profile [PDF]

Validation Report [PDF]



PP International Recognition

The Hardcopy Device, IEEE Std. 2600.2™-2009, was Validated/Certified by BSI (Bundesamt für Sicherheit in der Informationstechnik ) in Germany.  NIAP has reviewed this PP and has determined that it is acceptable, with additional functional requirements defined in NIAP CCEVS Policy #20, as an Approved U.S. Government PP.

The Hardcopy Devices (HCDs) considered in this Protection Profile are used for the purpose of converting hardcopy documents into digital form (scanning), converting digital documents into hardcopy form (printing), transmitting hardcopy documents over telephone lines (faxing), or duplicating hardcopy documents (copying). Hardcopy documents are commonly in paper form, but they can also take other forms such as positive or negative transparencies or film.

HCDs can be implemented in many different configurations, depending on their intended purpose or purposes. Simple devices have a single purpose implemented by a single function, such as a printer, scanner, copier, or fax machine. Other devices augment a single primary purpose with additional secondary functions, such as a fax machine that can also be used to make copies, or a copier that can also be used as a printer. Complex multifunction devices fulfill multiple purposes by using multiple functions in different combinations to perform the operations of several single-function devices.

Some HCDs have additional functions that enhance their capabilities, such as hard disk drives or other nonvolatile storage systems, document server functions, or mechanisms for manually or automatically updating the HCD’s operating software. All HCDs considered in this Protection Profile are assumed to provide the capability for appropriately authorized users to manage the security features of the HCD.


The major security features of the TOE are:

  1. All Users are identified and authenticated, and are authorized before being granted permission to perform TOE functions.
  2. Administrators authorize Users to use the functions of the TOE.
  3. User Document Data are protected from unauthorized disclosure or alteration.
  4. User Function Data are protected from unauthorized alteration.
  5. TSF Data, of which unauthorized disclosure threatens operational security, are protected from unauthorized disclosure.
  6. TSF Data, of which unauthorized alteration threatens operational security, are protected from unauthorized alteration.
  7. Document processing and security-relevant system events are recorded, and such records are protected from disclosure or alteration by anyone except for authorized personnel.


This Protection Profile has been developed for Hardcopy Devices to be used in commercial information processing environments that require a moderate level of document security, network security, and security assurance. The TOE will be exposed to only a low level of risk because it is assumed that the TOE will be located in a restricted or monitored environment that provides almost constant protection from unauthorized and unmanaged access to the TOE and its data interfaces. Agents cannot physically access any nonvolatile storage without disassembling the TOE except for removable nonvolatile storage devices, where protection of User and TSF Data are provided when such devices are removed from the TOE environment. Agents have limited or no means of infiltrating the TOE with code to effect a change, and the TOE self-verifies its executable code to detect unintentional malfunctions. As such, the Evaluation Assurance Level 2 is appropriate.

EAL 2 is augmented with ALC_FLR.2, Flaw reporting procedures. ALC_FLR.2 ensures that instructions and procedures for the reporting and remediation of identified security flaws are in place, and their inclusion is expected by the consumers of this TOE. 

This U.S. Government Approved Protection Profile is not assigned to any Validated Products

This U.S. Government Approved Protection Profile does not have any related Technical Decisions

Please forward any Protection Profile specific comments to the applicable Technical Rapid Response Team (TRRT).

Please forward any general questions to our Q&A tool.

Site Map              Contact Us              Home