By Mike Feldman, president, North America Operations, Xerox
About six years ago, the National Information Assurance Partnership (NIAP) took the unusual step of ceasing to certify multifunction printer (MFP) compliance with the international “Common Criteria for Information Technology Security Evaluation” standard.
The move was surprising because U.S. government agencies are required to purchase equipment that is certified compliant with the standard—and NIAP oversees certification in the United States.
But with cyber security threats growing in both numbers and complexity, NIAP determined to tighten up its security standard for hardcopy devices—and ceased certifying MFPs until its more rigorous standard was in place. The requirement that U.S. agencies buy Common Criteria-certified products still stood, and manufacturers fulfilled it by going through certifying bodies in other regions.
NIAP needed about three years to develop its more stringent standard, which it did in collaboration with the International-Technology Promotion Agency (IPA) of Japan. In September 2015 they jointly released the new Hardcopy Device Protection Profile v1.0 (HCD-PP), which is now in effect in Japan and well as the United States.
And in November 2017, 10 Xerox AltaLink® MFPs became the first—and so far only—products to receive Common Criteria certification from NIAP for the new standard.
“In today’s world of 24/7 IT security threats, it’s absolutely critical to adhere to the highest standards of security, and that’s what NIAP is,” said Alan Sukert, product security specialist, who represents Xerox in NIAP and serves on a number of other standards boards. “That’s why we made NIAP certification a huge priority.”
More articles about cyber security
Insights on Data Protection on Xerox.com.
More articles about security on this blog.
The advantage of NIAP certification
The tough new security standard is important not only because most U.S. government agencies make compliance a priority when reviewing bids, but because many security-conscious, non-governmental organizations also take Common Criteria certification into account. Many find it highly credible because it requires that third-party labs test manufacturers’ claims.
Among government agencies that are required to have Common Criteria certification, having the certification is not a lock that Xerox AltaLink products will be the first choice. U.S. agencies can still buy devices that are Common Criteria certified in other nations, said Mark Browning, vice president, Public Sector. “However, NIAP is prioritized,” he said.
By law, every purchase by U.S. government agencies is made through competitive bidding, and most fall into one of two categories: lowest priced technically acceptable offerings and best value, according to Marie Nelson, senior vice president, Public Sector. “NIAP certification will especially help us in the best value awards,” she said.
Jumping on the opportunity
The Xerox team had the new standard on its radar from the beginning—as NIAP participants, they were involved in early discussions. That’s how work on bringing the Xerox ConnectKey® technology-enabled AltaLink devices into compliance could begin in 2014, even before the standard’s specifications were finalized.
It was a big undertaking. Over the roughly three-year period of the project, about 100 Xerox people contributed from product security, engineering, testing, and product planning and marketing, as well as several external agencies.
Common Criteria Certification Team Members: From left to right, Mark Sixbey, Mike Trent, Garland Nichols and Zia Masoom were among 100 contributors to the 18-month effort.
Two developmental areas were particularly challenging, Sukert said. One was cryptology, which has extensive requirements addressing not only encryption and key management but also processes for creating, caching, managing and destroying data. The other big challenge involved meeting numerous specific requirements on four secure protocols and ensuring each also meets NIST (National Institute of Standards and Technology) and ISO (International Standards Organization) standards.
NIAP certification was awarded Nov. 20, 2017 to the 10 AltaLink products: the AltaLink C8030 / C8035 / C8045 / C8055 / C8070 and the AltaLink B8045 / B8055 / B8065 / B8075 / B8090. Xerox plans to qualify VersaLink® MFPs for certification with a future software release.
“Xerox will always be the first to have received Common Criteria certification through NIAP,” Sukert said. “And that’s a great achievement.”