Ärendetyp: 6 Diarienummer: 18FMV5706-19:1 HEMLIG/ enligt Offentlighets- och sekretesslagen (2009:400) 2020-06-09 Country of origin: Sweden Försvarets materielverk Swedish Certification Body for IT Security Certification Report - HP BBBC 2600 Issue: 1.0, 2020-Jun-09 Authorisation: Helén Svensson, Lead Cetifier , CSEC Swedish Certification Body for IT Security Certification Report - HP BBBC 2600 18FMV5706-19:1 1.0 2020-06-09 2 (23) Table of Contents 1 Executive Summary 3 2 Identification 5 3 Security Policy 6 3.1 Auditing 6 3.2 Cryptography 6 3.3 Identification and authentication (I&A) 6 3.4 Data protection and access control 7 3.5 Protection of the TSF 8 3.6 TOE access protection 8 3.7 Trusted channel communication and certificate management 8 3.8 User and access management 8 4 Assumptions and Clarification of Scope 9 4.1 Usage Assumptions 9 4.2 Environmental Assumptions 9 4.3 Clarification of Scope 9 5 Architectural Information 11 6 Documentation 13 7 IT Product Testing 14 7.1 Developer Testing 14 7.2 Evaluator Testing 14 7.3 Penetration Testing 14 8 Evaluated Configuration 15 9 Results of the Evaluation 17 10 Evaluator Comments and Recommendations 19 11 Glossary 20 12 Bibliography 21 Appendix A Scheme Versions 23 A.1 Scheme/Quality Management System 23 A.2 Scheme Notes 23 Swedish Certification Body for IT Security Certification Report - HP BBBC 2600 18FMV5706-19:1 1.0 2020-06-09 3 (23) 1 Executive Summary The TOE is the HP FutureSmart 4.6.3 firmware for the HP PageWide Enterprise Color MFP 780/785, HP PageWide Managed Color MFP E77650/E77660, HP PageWide Managed Color MFP E58650, HP LaserJet Managed MFP E52545, HP Color Laser Managed MFP E57540. The TOE is the contents of the firmware with the exception of the operating system, which is part of the Operational Environment. The firmware and guidance documentation are packaged in a single ZIP file and avail- able for download from the HP Inc. website. The firmware is packaged in this ZIP file as a single firmware bundle. This firmware bundle contains the HP FutureSmart firm- ware, which in turn contains the System firmware and the Jetdirect Inside firmware. In order to download the ZIP file, the customer needs to register with HP and sign into a secure website (HTTPS) to access the download page. The customer can receive sign-in credentials by sending an email to ccc-hp-enterprise-imaging-print- ing@hp.com. On the download site, a SHA-256 checksum is provided along with in- structions on how to use it for verification of the integrity of the downloaded package. The Security Target claims conformance to the following Protection Profiles and PP packages  [PP2600.1]: IEEE Std 2600.1-2009; "2600.1-PP, Protection Profile for Hardcopy Devices, Operational Environment A". Version 1.0 as of June 2009; demonstrable conformance.  [PP2600.1-CPY]: SFR Package for Hardcopy Device Copy Functions. Version 1.0 as of June 2009; demonstrable conformance.  [PP2600.1-DSR]: SFR Package for Hardcopy Device Document Storage and Re- trieval (DSR) Functions. Version 1.0 as of June 2009; demonstrable conformance.  [PP2600.1-FAX]: SFR Package for Hardcopy Device Fax Functions. Version 1.0 as of June 2009; demonstrable conformance.  [PP2600.1-PRT]: SFR Package for Hardcopy Device Print Functions. Version 1.0 as of June 2009; demonstrable conformance.  [PP2600.1-SCN]: SFR Package for Hardcopy Device Scan Functions. Version 1.0 as of June 2009; demonstrable conformance.  [PP2600.1-SMI]: SFR Package for Hardcopy Device Shared-medium Interface Functions. Version 1.0 as of June 2009; demonstrable conformance. The evaluation has been performed by atsec information security AB in Danderyd, Sweden. Site-visit and the testing was performed in Boise, Idaho, USA. The evalua- tion was completed on 2020-05-29. The evaluation was conducted in accordance with the requirements of Common Crite- ria (CC), version. 3.1 release 5. atsec information security AB is a licensed evaluation facility for Common Criteria under the Swedish Common Criteria Evaluation and Certification Scheme. atsec infor- mation security AB is also accredited by the Swedish accreditation body according to ISO/IEC 17025 for Common Criteria. The certifier monitored the activities of the evaluator by reviewing all successive ver- sions of the evaluation reports, and by observing site-visit and testing. The certifier determined that the evaluation results confirm the security claims in the Security Tar- get (ST) and the Common Methodology for evaluation assurance level EAL 3 aug- mented ALC_FLR.2. Swedish Certification Body for IT Security Certification Report - HP BBBC 2600 18FMV5706-19:1 1.0 2020-06-09 4 (23) The certification results only apply to the version of the product indicated in the certificate, and on the condition that all the stipulations in the Security Target are met. This certificate is not an endorsement of the IT product by CSEC or any other or- ganisation that recognises or gives effect to this certificate, and no warranty of the IT product by CSEC or any other organisation that recognises or gives effect to this certificate is either expressed or implied. Swedish Certification Body for IT Security Certification Report - HP BBBC 2600 18FMV5706-19:1 1.0 2020-06-09 5 (23) 2 Identification Certification Identification Certification ID CSEC2018003 Name and version of the cer- tified IT product  HP PageWide Enterprise Color MFP 780 / 785, System firmware version: 2406249_032750, Jetdirect Inside firmware version: JSI24060306  HP PageWide Managed Color MFP E77650 / E77660, System firmware version: 2406249_032750 Jetdirect Inside firmware version: JSI24060306  HP PageWide Managed Color MFP E58650, System firmware version: 2406249_032754 Jetdirect Inside firmware version: JSI24060306  HP LaserJet Managed MFP E52545, System firmware version: 2406249_032759 Jetdirect Inside firmware version: JSI24060306  HP Color LaserJet Managed MFP E57540, System firmware version: 2406249_032758 Jetdirect Inside firmware version: JSI24060306 Security Target Identification HP PageWide Enterprise Color MFP 780 / 785, HP PageWide Managed Color MFP E77650 / E77660, HP PageWide Managed Color MFP E58650, HP La- serJet Managed MFP E52545, HP Color LaserJet Managed MFP E57540 Security Target, Version 2.12, 2020-02-14 EAL EAL3 + ALC_FLR.2 Sponsor HP Inc. Developer HP Inc. ITSEF atsec information security AB Common Criteria version 3.1 release 5 CEM version 3.1 release 5 QMS version 1.23.2 Scheme Notes Release 15.0 Recognition Scope CCRA, SOGIS, EA/MLA Certification date 2020-06-09 Swedish Certification Body for IT Security Certification Report - HP BBBC 2600 18FMV5706-19:1 1.0 2020-06-09 6 (23) 3 Security Policy The security features performed by the TOE are as follows:  Auditing  Cryptography  Identification and authentication (I&A)  Data protection and access control  Protection of the TSF  TOE access protection  Trusted channel communication and certificate management  User and access management 3.1 Auditing The TOE performs auditing of security-relevant functions. The TOE connects and sends audit records to a syslog server (part of the Operational Environment) for long- term storage and audit review. Each audit record includes the date and time of the event, type of event, subject identity (if applicable), and the outcome (success or fail- ure) of the event. Events resulting from actions of identified users are associated with the identity of the user that caused the event. 3.2 Cryptography The TOE uses IPsec to protect its communications channels. The QuickSec crypto- graphic library is used to supply the cryptographic algorithms for IPsec. The TOE supports the decrypting of an encrypted stored print job. To decrypt an en- crypted stored print job, the TOE derives a key from a Job Encryption Password and unlocks the decryption key using the derived key. The TOE then decrypts the en- crypted stored print job using the decryption key. The TOE’s on-demand Data Integrity Test and Code Integrity Test use the SHA-256 algorithm to verify the integrity of TSF Data and TOE executable code, respectively. The HP FutureSmart Windows Mobile Enhanced Cryptographic Provider (RSAENH) 6.00.1937 implementation, which is part of the operational environment, supplies the SHA-256 algorithm. 3.3 Identification and authentication (I&A) The TOE supports multiple Control Panel sign in methods, both local and remote methods:  Local sign in method:  Local Device Sign In (Local Administrator account only)  Remote sign in methods:  LDAP Sign In  Windows Sign In (via Kerberos) The Control Panel allows both non-administrative users (U.NORMAL) and adminis- trative users (U.ADMINISTRATOR) to sign in.The TOE also uses IPsec to identify and mutually authenticate the following user types:  Administrative Computer (U.ADMINISTRATOR)  Network Client Computers (U.NORMAL) Swedish Certification Body for IT Security Certification Report - HP BBBC 2600 18FMV5706-19:1 1.0 2020-06-09 7 (23) 3.4 Data protection and access control 3.4.1 Permission Sets For Control Panel users, the TOE uses a user's User Role (as determined by each us- er's Permission Set) to determine a user's access to many TOE functions. Only U.AD- MINISTRATOR can query, create, modify, and delete Permission Sets. In addition, only U.ADMINISTRATOR can query, create, modify, and delete the Permission Set associations to users. 3.4.2 Job PINs Users can control access to each stored print and stored copy job that they place under the TOE's control by assigning a Job PIN to each job. A Job PIN limits access to a stored print or stored copy job while the job resides under the TOE's control and al- lows a user to control when the job is printed so that physical access to the hard copies can be controlled by the user. A Job PIN must be 4 digits. 3.4.3 Job Encryption Passwords The TOE can store and decrypt encrypted stored print jobs received from a client com- puter. To decrypt the encrypted stored print job at the Control Panel, a user must enter the correct Job Encryption Password that was used to derive the key to protect the job. 3.4.4 Common access control The TOE protects each non-fax job in Job Storage from non-administrative users through the use of a user identifier and a Job PIN or through the use of a Job Encryp- tion Password. The TOE protects each fax job in Job Storage through the Permission Set mechanism. A user must have a specific fax permission in their Permission Set to access received fax jobs stored in Job Storage. Scan jobs are ephemeral and not stored in Job Storage. Only the user performing the scan can access the job on the TOE. 3.4.5 TOE function access control The TOE controls TOE functions available at the Control Panel using permissions de- fined in Permission Sets. During the Control Panel sign-in process, the TOE author- izes the user after they are successfully identified and authenticated. As part of the user authorization process, the TOE associates Permission Sets to the user and then applies a Permission Set (which is the combination of the Permission Sets associated to the user). The applied Permission Set (a.k.a. session Permission Set) becomes the user's User Role. Control Panel applications (e.g., Copy, Fax, Print from Job Storage) use the user's session Permission Set to determine which of the application's functions should be allowed or disallowed for the user. For IPsec users, the TOE uses the IPsec/Firewall to control access to the supported network service protocols. The IPsec/Firewall contains the IP addresses of authorized client computers grouped into address templates and the network service protocols grouped into service templates. The administrator maps an address template to a ser- vice template using an IPsec/Firewall rule. Service templates, therefore, act as the User Roles for IPsec users. IP addresses of computers not contained in a rule are de- nied access to the TOE. 3.4.6 Residual information protection When the TOE deletes an object, the contents of the object are no longer available to TOE users. This prevents TOE users from attempting to recover deleted objects of other users via the TOE interfaces. Swedish Certification Body for IT Security Certification Report - HP BBBC 2600 18FMV5706-19:1 1.0 2020-06-09 8 (23) 3.5 Protection of the TSF 3.5.1 Restricted forwarding of data to external interfaces (including fax separation) The TOE does not allow forwarding of data to an External Interface. The TOE con- tains only one External Interface in the evaluated configuration and that interface is the Shared-medium Interface. The analog fax hardware and the firmware that controls the fax hardware do not have the ability to access the Shared-medium fax functions. No pathway is provided to the Shared-medium interface from the fax. 3.5.2 TSF self-testing The EWS interface allows an administrator (U.ADMINISTRATOR) to execute a set of TSF functional tests (including system clock verification, LDAP settings verifica- tion, and Windows settings verification), TSF data integrity tests, and TSF code integ- rity tests. 3.5.3 Reliable timestamps The TOE contains a system clock that is used to generate reliable timestamps. Only administrators can manage the system clock. The administrator can optionally config- ure the TOE to synchronize its system clock with a Network Time Protocol (NTP) server. 3.6 TOE access protection 3.6.1 Inactivity timeout The TOE supports an inactivity timeout for Control Panel sign-in sessions. If a signed- in user is inactive for longer than the specified period of inactivity, the user is auto- matically signed out of the Control Panel by the TOE. The inactivity period is man- aged by the administrator via EWS (HTTP) or the Control Panel. 3.7 Trusted channel communication and certificate manage- ment Shared-medium communications (i.e., Ethernet) between the TOE and other trusted IT products use a trusted channel mechanism to protect the communications from disclo- sure and modification. The TOE also ensures the cryptographic operations are vali- dated during policy processing such as validating digital signatures or encrypting and decrypting data. IPsec with X.509v3 certificates is used to provide the trusted commu- nication channels. The EWS (HTTP) allows administrators to manage X.509v3 certifi- cates used by IPsec. 3.8 User and access management The TOE supports the following roles:  Administrators (U.ADMINISTRATOR)  Users (U.NORMAL) Administrators maintain and configure the TOE and Operational Environment. Users perform the standard print, copy, fax, etc. functions on the system. Swedish Certification Body for IT Security Certification Report - HP BBBC 2600 18FMV5706-19:1 1.0 2020-06-09 9 (23) 4 Assumptions and Clarification of Scope 4.1 Usage Assumptions The Security Target [ST] makes three assumptions on the usage of the TOE. A.USER.TRAINING - TOE Users are aware of the security policies and procedures of their organization, and are trained and competent to follow those policies and proce- dures. A.ADMIN.TRAINING - Administrators are aware of the security policies and proce- dures of their organization, are trained and competent to follow the manufacturer's guidance and documentation, and correctly configure and operate the TOE in accord- ance with those policies and procedures. A.ADMIN.TRUST - Administrators do not use their privileged access rights for mali- cious purposes. 4.2 Environmental Assumptions The Security Target [ST] makes five assumptions on the operational environment of the TOE. A.ACCESS.MANAGED - The TOE is located in a restricted or monitored environ- ment that provides protection from unmanaged access to the physical components and data interfaces of the TOE. A.ADMIN.PC.SECURE - The administrative computer is in a physically secured and managed environment and only the authorized administrator has access to it. A.USER.PC.POLICY - User computers are configured and used in conformance with the organization's security policies. A.SERVICES.RELIABLE - When the TOE uses any of the network services DNS, Kerberos, LDAP, NTP, SMTP, syslog, SMB, SharePoint, and/or WINS, these services provide reliable information and responses to the TOE. A.EMAILS.PROTECTED - For emails received by the SMTP gateway from the TOE, the transmission of emails between the SMTP gateway and the email’s destination is protected. 4.3 Clarification of Scope The Security Target contains six threats, which have been considered during the eval- uation. T.DOC.DIS - User Document Data may be disclosed to unauthorized persons. T.DOC.ALT - User Document Data may be altered by unauthorized persons. T.FUNC.ALT - User Function Data may be altered by unauthorized persons. T.PROT.ALT - TSF Protected Data may be altered by unauthorized persons. T.CONF.DIS - TSF Confidential Data may be disclosed to unauthorized persons. T.CONF.ALT - TSF Confidential Data may be altered by unauthorized persons. The Security Target contains seven Organisational Security Policies (OSPs), which have been considered during the evaluation. P.USER.AUTHORIZATION - To preserve operational accountability and security, Users will be authorized to use the TOE only as permitted by the TOE Owner. P.SOFTWARE.VERIFICATION - To detect corruption of the executable code in the TSF, procedures will exist to self-verify executable code in the TSF. Swedish Certification Body for IT Security Certification Report - HP BBBC 2600 18FMV5706-19:1 1.0 2020-06-09 10 (23) P.AUDIT.LOGGING - To preserve operational accountability and security, records that provide an audit trail of TOE use and security-relevant events will be created, maintained, and protected from unauthorized disclosure or alteration, and will be re- viewed by authorized personnel. P.INTERFACE.MANAGEMENT - To prevent unauthorized use of the external inter- faces of the TOE, operation of those interfaces will be controlled by the TOE and its IT environment. P.ADMIN.PASSWORD - To restrict access to administrative tasks, the Device Ad- ministrator Password will be set in the evaluated configuration so that it is required to perform security-relevant actions through the EWS and at the Control Panel. P.USERNAME.CHARACTER_SET - To prevent ambiguous user names in the TOE's audit trail, the user names of the LDAP and Windows Sign In users must only contain ASCII printable characters except for the double quote (22 hex) and single quote (27 hex) characters (i.e., allowed ASCII characters in hexadecimal: 20, 21, 23 - 26, 28 - 7E). P.REMOTE_PANEL.DISALLOWED - To preserve operational accountability and security, administrators must not use the Remote Control-Panel feature. Swedish Certification Body for IT Security Certification Report - HP BBBC 2600 18FMV5706-19:1 1.0 2020-06-09 11 (23) 5 Architectural Information The TOE is the firmware of an MFP designed to be shared by many client computers and human users. It performs the functions of printing, copying, scanning, faxing, storing, and retrieving of documents. It can be connected to a wired local network through the embedded Jetdirect Inside print server's built-in Ethernet, to an analog tel- ephone line using its internal analog fax modem, or to a USB device using its USB port (but the use of which must be disabled in the evaluated configuration). The HTTP-based EWS administrative interface allows administrators to remotely manage the features of the TOE using a web browser. This interface is protected using IPsec. The SNMP network interface allows administrators to remotely manage the TOE us- ing external SNMP-based administrative applications. The evaluated configuration supports SNMPv1 read only, SNMPv2c read only and SNMPv3. This interface is pro- tected using IPsec. The Printer Job Language (PJL) interface is used by users via Network Client Com- puters to submit print jobs and receive job status over an IPsec connection. It is also used in a non-administrative capacity by the Administrative Computer to send print jobs to the TOE as well as to receive job status. In general, PJL supports password- protected administrative commands, but in the evaluated configuration these com- mands are disabled. The TOE protects all non-broadcast/non-multicast network communications with IP- sec. Though IPsec supports multiple authentication methods, in the evaluated configu- ration, both ends of the IPsec connection are authenticated using X.509v3 certificates. An identity certificate for the TOE must be created outside the TOE, signed by a Cer- tificate Authority (CA), and imported (added) into the TOE along with the CA certifi- cate. Because IPsec authenticates the computers (not the individual users of the computer), access to the Administrative Computer should be restricted to TOE administrators only. The TOE distinguishes between the Administrative Computer and Network Client Computers by using IP addresses, IPsec, and the embedded Jetdirect Inside's internal firewall. In the evaluated configuration, the number of Administrative Computers used to manage the TOE is limited to one and the Device Administrator Password must be set. The TOE supports an optional analog telephone line connection for sending and re- ceiving faxes. The Control Panel uses identification and authentication to control ac- cess for sending analog faxes. The TOE protects stored non-fax jobs with either a 4-digit Job PIN or by accepting (and storing) an encrypted print job from a client computer. Both protection mecha- nisms are optional by default and are mutually exclusive of each other if used. In the evaluated configuration, all stored non-fax jobs must either be assigned a 4-digit Job PIN or be an encrypted print job. The TOE also supports Microsoft SharePoint (flow MFP models only) and remote file systems for the storing of scanned documents. The TOE uses IPsec with X.509v3 cer- tificates to protect the communications and to mutually authenticate to SharePoint and the remote file systems. For remote file system connectivity, the TOE supports the FTP and SMB protocols. Swedish Certification Body for IT Security Certification Report - HP BBBC 2600 18FMV5706-19:1 1.0 2020-06-09 12 (23) The TOE can be used to email scanned documents. In addition, the TOE can send email alert messages to administrator-specified email addresses, or send automated emails regarding product configuration and MFP supplies to HP. The TOE supports protected communications between itself and SMTP gateways. It uses IPsec with X.509v3 certificates to protect the communications and to mutually authenticate with the SMTP gateway. The TOE can only protect unencrypted emails up to the SMTP gateway. It is the responsibility of the Operational Environment to protect emails from the SMTP gateway to the email’s destination. Also, the TOE can only send emails; it does not accept inbound emails. Also, the TOE can only send emails; it does not ac- cept inbound emails. Each HCD contains a user interface called the Control Panel. The Control Panel con- sists of a touchscreen LCD, and a physical home screen button that is attached to the HCD. In addition, flow MFP models include a pull-out keyboard as part of the Control Panel. The Control Panel is the physical interface that a user uses to communicate with the TOE when physically using the HCD. The LCD screen displays information such as menus and status to the user. It also provides virtual buttons to the user such as an alphanumeric keypad for entering usernames and passwords. Both administrative and non-administrative users can access the Control Panel. Swedish Certification Body for IT Security Certification Report - HP BBBC 2600 18FMV5706-19:1 1.0 2020-06-09 13 (23) 6 Documentation The following guidance documents are available:  Common Criteria Evaluated Configuration Guide for HP Multifunction Printers HP PageWide Enterprise Color MFP 780 / 785, HP PageWide Managed Color MFP E77650 / E77660, HP PageWide Managed Color MFP E58650, HP La- serJet Managed MFP E52545, HP Color LaserJet Managed MFP E57540 Edition 1, 7/2019 [CCECG]  HP PageWide Enterprise Color MFP 780, HP PageWide Enterprise Color Flow MFP 785, HP PageWide Color MFP 774, HP PageWide Color MFP 779, User Guide, Edition 4, 7/2018 [780_5-UG]  HP PageWide Enterprise Color MFP 780 Series, HP PageWide Color MFP 774 Series, HP PageWide Color MFP 779 Series, MFP 780dn, MFP M774dn, MFP M779dn, MFP 780dns Flow MFP 785f, MFP M774dns, MFP M779dns, Installa- tion Guide, 2018 [780_5_1-IG]  HP PageWide Enterprise Color MFP 785 Series, 785zs, Installation Guide, Edi- tion 1, 3/2018 [780_5_2-IG]  HP PageWide Enterprise Color MFP 785 Series, 785z+, Installation Guide, Edi- tion 1, 7/2018 [780_5_3-IG]  HP PageWide Managed Color MFP E77650, E77660, P77940, P77950, P77960, P77440, HP PageWide Managed Color Flow MFP, E77650, E77660, User Guide, Edition 3, 7/2018 [E77650_60-UG]  HP PageWide Managed Color MFP E77650/E77660 Series, HP PageWide Man- aged Color MFP P77440 Series, HP PageWide Managed Color MFP P77940/P77950/P77960 Series, MFP E77650dn, MFP E77660dn, MFP P77940dn, MFP P77950dn, MFP P77960dn, MFP E77650dns, MFP E77660dns, MFP P77940dns, MFP P77950dns, MFP P77960dns, MFP P77440dn, MFP E77650zs, MFP E77660zs, MFP E77650z, MFP E77660z, MFP E77660zts, In- stallation Guide, Edition 1, 3/2018 [E77650_60_1-IG]  HP PageWide Managed Color Flow MFP E77650z+, E77660z+, HP PageWide Managed Color MFP P77940dn+, P77950dn+, P77960dn+, E77650z+, E77660z+, P77940dn+, P77950dn+, P77960dn+, Installation Guide [E77650_60_2-IG] Swedish Certification Body for IT Security Certification Report - HP BBBC 2600 18FMV5706-19:1 1.0 2020-06-09 14 (23) 7 IT Product Testing 7.1 Developer Testing Testing was performed by the developer at the HP site in Boise, Idaho, USA. The testing was performed both automatically and manually. The approach for testing was to provide at least one test case for each Security Func- tional Requirement mapped to the TOE security functionality documented in FSP. The developer also tested TSF subsystems. The developer reported that all tests were completed successfully, and the evaluator has examined the test evidence and verified that test results for the manual and auto- mated test result to be consistent and clearly identified the outcome of the test action. 7.2 Evaluator Testing The evaluators performed testing of the TOE:  automated and manual testing was performed on 11-21 of September, 2018 at the developer site in Boise, US.  additional automated and manual testing was performed on 1-9 of April, 2019 at the developer site in Boise, US. The evaluators have run all automated tests, re-run a sample of manual tests. Testing was performed on the following models of the TOE:  HP PageWide Color Flow E58650 Blackbird  HP LaserJet Flow MFP E52545 Bluefin  HP PageWide Color Flow E77650 Bugatti  HP Color LaserJet Flow E57540 Cardoba The evaluators decided to repeat all automated test cases and re-run a sample of the developer's manual test cases. All tests performed by the evaluator were completed successfully. 7.3 Penetration Testing Penetration testing was performed against the TOE interfaces that are accessible to a potential attacker. I.e., the IPv4 and IPv6 TCP and UDP ports of the TOE. Additional snmpget requests were made to one device to confirm the SNMP port was not open. The results of the port scan indicate that only UDP port 500 (ISAKMP) is open, and that all other ports are only accessible upon establishing an IPsec connection, which is in line with the expected outcome. Swedish Certification Body for IT Security Certification Report - HP BBBC 2600 18FMV5706-19:1 1.0 2020-06-09 15 (23) 8 Evaluated Configuration The following components are required as part of the Operational Environment:  The applicable MFP model for running the TOE firmware  Domain Name System (DNS) server  One administrative client computer connected to the TOE in the role of an Admin- istrative Computer. It must contain:  Web browser  One or both of the following:  Lightweight Directory Access Protocol (LDAP) server  Windows domain controller/Kerberos server  Syslog server  Windows Internet Name Service (WINS) server The following components are optional in the Operational Environment:  SNMP tool that supports SNMPv1/v2 for reading objects and that supports SNMPv3 for reading and writing objects installed on the administrative computer connected to the TOE in the role of an Administrative Computer  Client computers connected to the TOE in a non-administrative computer role  Network Time Protocol (NTP) server  HP Print Drivers, including the HP Universal Print Driver, for client computers (for submitting print job requests from client computers)  Simple Mail Transfer Protocol (SMTP) gateway  Microsoft SharePoint  Remote file systems:  File Transfer Protocol (FTP)  Server Message Block (SMB) In the evaluated configuration the following requirements must be met:  HP Digital Sending Software (DSS) must be disabled.  Device Administrator Password must be set as per P.ADMIN.PASSWORD.  Only one Administrative Computer is used to manage the TOE. Third-party solutions are not installed on the TOE.  All non-fax stored jobs must be assigned a Job PIN or Job Encryption Password.  All received faxes must be converted into stored faxes.  Fax Archive must be disabled.  Fax Forwarding must be disabled.  Internet Fax and LAN Fax must be disabled.  PC Fax Send must be disabled.  Device USB and Host USB plug and play must be disabled.  Firmware upgrades sent as print jobs through P9100 interface must be disabled.  Jetdirect Inside management via telnet and FTP must be disabled. Swedish Certification Body for IT Security Certification Report - HP BBBC 2600 18FMV5706-19:1 1.0 2020-06-09 16 (23)  Jetdirect XML Services must be disabled.  External file system access through PJL and PS must be disabled.  IPsec authentication using X.509v3 certificates must be enabled (IPsec authentica- tion using Kerberos or Pre-Shared Key is not supported).  IPsec Authentication Headers (AH) must be disabled.  Device Guest permission set's permissions must be configured to deny access (this disables the Guest role).  SNMP support is limited to:  SNMPv1 read-only  SNMPv2c read-only  SNMPv3  The Service PIN, used by a customer support engineer to access functions availa- ble to HP support personnel, must be disabled.  Near Field Communication (NFC) must be disabled.  Wireless Direct Print must be disabled.  PJL device access commands must be disabled.  User names for the LDAP and Windows Sign In users must only contain the char- acters defined in P.USERNAME.CHARACTER_SET.  Remote Control-Panel use is disallowed per P.REMOTE_PANEL.DISAL- LOWED.  Local Device Sign In accounts must not be created (i.e., only the Device Adminis- trator account is allowed as a Local Device Sign In account).  Access must be blocked to the following Web Services (WS):  Open Extensibility Platform device (OXPd) Web Services  WS* Web Services  Fax polling receive must be disabled.  An IPv4 address must be statically assigned as per the instructions in TOE’s con- figuration guidance [CCECG]. Swedish Certification Body for IT Security Certification Report - HP BBBC 2600 18FMV5706-19:1 1.0 2020-06-09 17 (23) 9 Results of the Evaluation The evaluators applied each work unit of the Common Methodology [CEM] within the scope of the evaluation, and concluded that the TOE meets the security objectives stated in the Security Target [ST] for an attack potential of Basic. The certifier reviewed the work of the evaluators and determined that the evaluation was conducted in accordance with the Common Criteria [CC]. The evaluators' overall verdict is PASS. The verdicts for the assurance classes and components are summarised in the follow- ing table: Assurance Class Name / Assurance Family Name Short name Verdict Development ADV PASS Security architecture description ADV_ARC.1 PASS Functional specification with complete summary ADV_FSP.3 PASS Architectural design ADV_TDS.2 PASS Guidance documents AGD: PASS Operational user guidance AGD_OPE.1 PASS Preparative procedures AGD_PRE.1 PASS Life-cycle support ALC: PASS Authorisation controls ALC_CMC.3 PASS Implementation representation CM coverage ALC_CMS.3 PASS Delivery procedures ALC_DEL.1 PASS Identification of security measures ALC_DVS.1 PASS Developer defined life-cycle model ALC_LCD.1 PASS Flaw reporting procedures ALC_FLR.2 PASS Security Target evaluation ASE: PASS Conformance claims ASE_CCL.1 PASS Extended components definition ASE_ECD.1 PASS ST introduction ASE_INT.1 PASS Security objectives ASE_OBJ.2 PASS Derived security requirements ASE_REQ.2 PASS Security problem definition ASE_SPD.1 PASS TOE summary specification ASE_TSS.1 PASS Tests ATE: PASS Analysis of coverage ATE_COV.2 PASS Testing: basic design ATE_DPT.1 PASS Functional testing ATE_FUN.1 PASS Swedish Certification Body for IT Security Certification Report - HP BBBC 2600 18FMV5706-19:1 1.0 2020-06-09 18 (23) Independent testing - sample ATE_IND.2 PASS Vulnerability assessment AVA: PASS Vulnerability analysis AVA_VAN.2 PASS Swedish Certification Body for IT Security Certification Report - HP BBBC 2600 18FMV5706-19:1 1.0 2020-06-09 19 (23) 10 Evaluator Comments and Recommendations None. Swedish Certification Body for IT Security Certification Report - HP BBBC 2600 18FMV5706-19:1 1.0 2020-06-09 20 (23) 11 Glossary AH Authentication Header (IPsec) ASCII American Standard Code for Information Interchange CA Certificate Authority DNS Domain Name System EWS Embedded Web Server HCD Hardcopy Device HTML Hypertext Markup Language HTTP Hypertext Transfer Protocol IEEE Institute of Electrical and Electronics Engineers, Inc. IP Internet Protocol IPsec Internet Protocol Security ITSEF IT Security Evaluation Facility, test laboratory licensed to operate within a evaluation and certification scheme LCD Liquid Crystal Display LDAP Lightweight Directory Access Protocol OXP Open Extensibility Platform OXPd OXP device layer PIN Personal Identification Number PJL Printer Job Language SFR Security Functional Requirement SMTP Simple Mail Transfer Protocol SNMP Simple Network Management Protocol ST Security Target, document containing security requirements and specifications, used as the basis of a TOE evaluation TOE Target of Evaluation USB Universal Serial Bus XML Extensible Markup Language Swedish Certification Body for IT Security Certification Report - HP BBBC 2600 18FMV5706-19:1 1.0 2020-06-09 21 (23) 12 Bibliography ST HP PageWide Enterprise Color MFP 780 / 785, HP PageWide Managed Color MFP E77650 / E77660, HP PageWide Man- aged Color MFP E58650, HP LaserJet Managed MFP E52545, HP Color LaserJet Managed MFP E57540 Security Target, Version 2.12, 2020-02-14 CCECG Common Criteria Evaluated Configuration Guide for HP Mul- tifunction Printers HP PageWide Enterprise Color MFP 780 / 785, HP PageWide Managed Color MFP E77650 / E77660, HP PageWide Managed Color MFP E58650, HP LaserJet Managed MFP E52545, HP Color LaserJet Managed MFP E57540 Edition 1, 7/2019 780_5-UG HP PageWide Enterprise Color MFP 780, HP PageWide En- terprise Color Flow MFP 785, HP PageWide Color MFP 774, HP PageWide Color MFP 779, User Guide, Edition 4, 7/2018 780_5_1-IG HP PageWide Enterprise Color MFP 780 Series, HP PageWide Color MFP 774 Series, HP PageWide Color MFP 779 Series, MFP 780dn, MFP M774dn, MFP M779dn, MFP 780dns Flow MFP 785f, MFP M774dns, MFP M779dns, Installation Guide, 2018 780_5_2-IG HP PageWide Enterprise Color MFP 785 Series, 785zs, Instal- lation Guide, Edition 1, 3/2018 780_5_3-IG HP PageWide Enterprise Color MFP 785 Series, 785z+, Instal- lation Guide, Edition 1, 7/2018 E77650_60-UG HP PageWide Managed Color MFP E77650, E77660, P77940, P77950, P77960, P77440, HP PageWide Managed Color Flow MFP, E77650, E77660, User Guide, Edition 3, 7/2018 E77650_60_1-IG HP PageWide Managed Color MFP E77650/E77660 Series, HP PageWide Managed Color MFP P77440 Series, HP Page- Wide Managed Color MFP P77940/P77950/P77960 Series, MFP E77650dn, MFP E77660dn, MFP P77940dn, MFP P77950dn, MFP P77960dn, MFP E77650dns, MFP E77660dns, MFP P77940dns, MFP P77950dns, MFP P77960dns, MFP P77440dn, MFP E77650zs, MFP E77660zs, MFP E77650z, MFP E77660z, MFP E77660zts, Installation Guide, Edition 1, 3/2018 E77650_60_2-IG HP PageWide Managed Color Flow MFP E77650z+, E77660z+, HP PageWide Managed Color MFP P77940dn+, P77950dn+, P77960dn+, E77650z+, E77660z+, P77940dn+, P77950dn+, P77960dn+, Installation Guide PP2600.1 IEEE Std 2600.1-2009; "2600.1-PP, Protection Profile for Hardcopy Devices, Operational Environment A". Version 1.0 as of June 2009 PP2600.1-CPY SFR Package for Hardcopy Device Copy Functions. Version 1.0 as of June 2009 Swedish Certification Body for IT Security Certification Report - HP BBBC 2600 18FMV5706-19:1 1.0 2020-06-09 22 (23) PP2600.1-DSR SFR Package for Hardcopy Device Document Storage and Re- trieval (DSR) Functions. Version 1.0 as of June 2009 PP2600.1-FAX SFR Package for Hardcopy Device Fax Functions. Version 1.0 as of June 2009 PP2600.1-PRT SFR Package for Hardcopy Device Print Functions. Version 1.0 as of June 2009 PP2600.1-SCN SFR Package for Hardcopy Device Scan Functions. Version 1.0 as of June 2009 PP2600.1-SMI SFR Package for Hardcopy Device Shared-medium Interface Functions. Version 1.0 as of June 2009 CCpart1 Common Criteria for Information Technology Security Evalu- ation, Part 1, version 3.1 revision 5, CCMB-2017-04-001 CCpart2 Common Criteria for Information Technology Security Evalu- ation, Part 2, version 3.1 revision 5, CCMB-2017-04-002 CCpart3 Common Criteria for Information Technology Security Evalu- ation, Part 3, version 3.1 revision 5, CCMB-2017-04-003 CC CCpart1 + CCpart2 + CCpart3 CEM Common Methodology for Information Technology Security Evaluation, version 3.1 revision 5, CCMB-2017-04-004 SP-002 SP-002 Evaluation and Certification, CSEC, 2019-09-24, doc- ument version 31.0 Swedish Certification Body for IT Security Certification Report - HP BBBC 2600 18FMV5706-19:1 1.0 2020-06-09 23 (23) Appendix A Scheme Versions During the certification the following versions of the Swedish Common Criteria Eval- uation and Certification scheme have been used. A.1 Scheme/Quality Management System During the certification project, the following versions of the quality management sys- tem (QMS) have been applicable since the certification application was received: QMS 1.21.4 valid from 2018-09-13 QMS 1.21.5 valid from 2018-11-19 QMS 1.22 valid from 2019-02-01 QMS 1.22.1 valid from 2019-03-08 QMS 1.22.2 valid from 2019-05-02 QMS 1.22.3 valid from 2019-05-20 QMS 1.23 valid from 2019-10-14 QMS 1.23.1 valid from 2020-03-06 QMS 1.23.2 valid from 2020-05-11 In order to ensure consistency in the outcome of the certification, the certifier has ex- amined the changes introduced in each update of the quality management system. The changes between consecutive versions are outlined in “Ändringslista CSEC QMS 1.23.2”. The certifier concluded that, from QMS 1. 1.21.4 to the current QMS 1.23.2, there are no changes with impact on the result of the certification. A.2 Scheme Notes The following Scheme interpretations have been considered during the certification.  Scheme Note 15 - Demonstration of test coverage  Scheme Note 18 - Highlighted Requirements on the Security Target  Scheme Note 22 - Vulnerability assessment  Scheme Note 28 - Updated procedures for application, evaluation and certification