Ricoh's Common Criteria Certification Activities


Our customers' documents are their information assets. To increase document security, Ricoh has been implementing security countermeasures to protect electronic and hardcopy documents from alteration and leakage. We have been developing security functions to cover all risks throughout the entire lifecycle of documents (generation, processing, storage, archiving, and disposal).

In February 2010, Ricoh obtained the world's first CC certification conforming to the IEEE 2600.1 Protection Profile, with its imagio MP 5000 SP/4000 SP (released in February 2008). IEEE 2600.1 is an international standard for security functions of hardcopy devices, including multifunction and ordinary printers.

To assure our customers of the security of our products, we offer a broad line of CC-certified products that comply with IEEE 2600.1. For more information, see the Ricoh Products Authenticated with CC (ISO/IEC 15408).

Common Criteria (ISO/IEC 15408 *1) certification

Common Criteria (CC) refers to international criteria for evaluation of information technology security. It is used for evaluating whether security functions are appropriately developed for IT products. Customers can use CC certification conforming to the IEEE 2600.1 security standard to clearly communicate product requirements to suppliers, so that the security functions from different suppliers can be compared and examined.

Today, the CC is a standard recognized by more than 25 nations. Domestic and overseas multifunction copier vendors are eager to obtain the certification for digital multifunction copiers. The system is also used by companies in other industries to maintain their competitiveness in the international market.

In the CC, seven levels of assurance requirements are defined. They are called Evaluation Assurance Levels (EAL). The larger the EAL value, the stricter the evaluation will be. Office-use products are generally evaluated for EAL 2 or 3. For more information, see the List of assurance levels below.

  • *1 The CC and ISO/IEC 15408 are the same standard, although they are updated on different schedules.

List of assurance levels

EAL level: Assumed security assurance level
EAL 1: Applied if a closed environment is secured for operation, and secure usage or operation is guaranteed.
EAL 2: Applied if users and developers are specified and no serious threats against safe operation exist.
EAL 3: Applied if an environment where unspecified users can access the MFP is assumed or countermeasures against misuse are required.
EAL 4: Applied if products are developed or manufactured by introduction of security-enhanced development and production lines so that high levels of security can be achieved for commercial products or systems.
EAL 5: Applied if products are developed or manufactured by receiving support from security specialists so that maximum levels of security can be achieved for commercial products or systems in specific fields.
EAL 6: Applied to specially manufactured products by application of security engineering technologies to the development environment so that highly valuable information assets can be protected against serious risks.
EAL 7: The highest level of EAL. EAL 7 is applied if products are developed to protect a significantly risky environment or information assets valuable enough to justify high development costs.

IEEE 2600

IEEE 2600 is a family of international standards that was created by an IEEE working group in 2008. Before IEEE 2600, different vendors had different definitions for the functions subject to CC certification. The working group, primarily consisting of representatives from the major vendors of digital multifunction copiers, redefined the functions from the viewpoint of end users. Ricoh has been an active member of the IEEE working group and contributed to the development of protection profiles (PPs).

PPs are part of the IEEE 2600 series, addressing the security requirements of different environments – military forces and governments, major companies, public environments, and SOHOs. PPs are used to clarify the security functions and conditions to be evaluated for CC certification. Conformance to a PP is stated in the security target (ST) *2 document for products submitted for CC evaluation. Through this process, PP conformance is confirmed by CC certification. Thus, products conforming to the same PP of the IEEE 2600 series have the same levels of security functions.

The PPs of the IEEE 2600 series are as follows, each of which specifies the security requirements of a different operational environment.

IEEE 2600.1 [Operational Environment A]: Specifies functional requirements for military forces, governments, or other high-level security environments.
IEEE 2600.2 [Operational Environment B]: Specifies functional requirements for major companies, or other high-level security environments that are equivalent to those specified in [Operational Environment A].
IEEE 2600.3 [Operational Environment C]: Specifies functional requirements for the public-level security environment.
IEEE 2600.4 [Operational Environment D]: Specifies functional requirements for the SOHO-level security environment.


  • *2 Security targets (STs) refer to the security design documentation describing the requirements and specifications of the security functions that IT products and systems should have. The form and required content of STs are defined under the ISO/IEC 15408 international standard.
