Overview

The United States Federal Information Processing Standard (FIPS) 140, is a series of government security standards that specify requirements for computer-based encryption algorithms You can enable FIPS 140 mode, and to check the printer for compliance. Note: The FIPS 140-2 Security setting on the Xerox device applies only to the security of the Xerox device itself External cryptographic sources, such as servers, clients, smart cards, and other peripheral devices, are outside of the scope of the FIPS boundary for the Xerox device The Xerox device does not assure the FIPS validation of any external cryptographic source. For interoperability purposes, if a Xerox Device is FIPS 140-2 enabled, ensure that external entities are minimally FIPS compatible That is, ensure that the external entities support cryptographic hashes and algorithms that align with those hashes and algorithms required by FIPS, regardless of the FIPS validation of the external source. If FIPS 140-2 encryption is required, all computers, servers, browser software, security certificates, and applications must comply with the standard or operate in FIPS-compliant mode Transmitted and stored data must be encrypted as specified in United States Federal Information Processing Standard (FIPS) 140-2, Level 1 You can enable the printer to check that the current configuration ensures the specified encryption. Enabling FIPS 140 Mode can prevent the printer from communicating with network devices that communicate using protocols that do not use FIPS-compliant encryption algorithms To allow nonFIPS-compliant protocols or features when FIPS 140 mode is enabled, acknowledge the notification of non-compliance during the validation process. When you enable non-FIPS-compliant protocols after FIPS mode is enabled, a message appears that indicates that the protocols use non-FIPS-compliant encryption algorithms Examples of non-FIPScompliant protocols include SMB, Digest HTTP authentication for AirPrint scanning and Mopria™ scanning, and wireless networking. The Common Criteria for Information Technology Security Evaluation, abbreviated as Common Criteria or CC, is an international standard for computer security certification: ISO/IEC 15408. For Common Criteria compliance, where applicable, enhanced security requirements are applied to a FIPS 140-2 enabled printer to satisfy the Common Criteria security evaluation FIPS with Common Criteria (CC) compliance mode is a more restrictive configuration The CC mode can limit interoperability with other network devices that do not communicate with the more stringent CCdefined algorithms. When you enable FIPS only mode or FIPS with Common Criteria (CC) compliance mode, the printer performs a series of checks to validate the current printer configuration The FIPS Configuration Check page displays a pass or fail message as a result of the FIPS configuration check. To complete the FIPS configuration check: For each reason, a link is provided in the table at the bottom of the page To disable the protocol, replace the certificate, or allow the printer to use the noncompliant protocol, click the appropriate link For details, refer to Enabling FIPS 140 Mode and Checking for Compliance, and FIPS Configuration Check sections below. When you enable FIPS only or FIPS with Common Criteria compliance mode, the printer performs a series of checks to validate the current printer configuration For enablement to complete, the printer configuration is required to pass all the validation checks, then you receive notification to restart the printer. Validation involves a series of iterative checks on the device configuration The device performs the following checks to validate the current configuration: Validation involves a series of iterative checks on the device configuration After each check, information and links appear in a table at the bottom of the page. When FIPS is enabled, the FIPS 140–2 (Level 1) page provides an enablement status for the feature The status indicates that FIPS is enabled, with or without exceptions, or that the feature requires attention. If the configuration check passes, to save and restart the printer, click Reboot Machine . If the configuration check fails, conditions that caused the failed test appear in the section labeled Feature Needing Attention . In the Embedded Web Server, click Properties→Security→Encryption . Click FIPS 140-2 . Click Enable FIPS only , or Enable FIPS with Common Criteria (CC) compliance For information, click the i icon. Click Run Configuration Check and Apply . Complete the iterative FIPS configuration checks For details, refer to FIPS Configuration Check below Note: When FIPS 140 Mode is enabled, only FIPS-compliant certificates can be installed on the device. Some FIPS compliance actions require you to move from the FIPS Configuration Check page to other feature or protocol Embedded Web Server pages After you complete the action, to continue the validation, return to the FIPS 140–2 (Level 1) page, re-enable FIPS, then rerun the configuration check. When the validation completes, you receive notification that the configuration check passed After you restart the device, the FIPS status details update. When FIPS 140 Mode is enabled, only FIPS-compliant certificates can be installed on the device. Some FIPS compliance actions require you to move from the FIPS Configuration Check page to other feature or protocol Embedded Web Server pages After you complete the action, to continue the validation, return to the FIPS 140–2 (Level 1) page, re-enable FIPS, then rerun the configuration check. When the validation completes, you receive notification that the configuration check passed After you restart the device, the FIPS status details update. To enable FIPS when the FIPS configuration checks are complete, restart the device. The device validates all pre-installed and user-installed certificates on the device for FIPS compliance Certificates include the default Xerox Device Certificate, CA-signed Device Certificates, Root/Intermediate Certificates, and Peer Device/Domain Controller Certificates The digital certificates that are installed on the device enable various workflows, including:  Establishing a secure connection between the device that is acting as a server, and a peer device that is acting as a client Establishing a secure connection between the device that is acting as a client, and a peer device that is acting as a server Verifying the identity of a peer device Validating that a peer device is trusted Establishing a secure connection between the device that is acting as a server, and a peer device that is acting as a client Establishing a secure connection between the device that is acting as a client, and a peer device that is acting as a server Verifying the identity of a peer device Validating that a peer device is trusted The device checks features and protocols for non-compliant encryption algorithms For example, HTTP Digest authentication for AirPrint scanning and Mopria™ scanning use encryption algorithms that are not FIPS-compliant. To disable a non-compliant feature or protocol, click the appropriate link. To replace any non-compliant certificates, click the appropriate link. To acknowledge that you allow the printer to use non-compliant features and protocols, click the appropriate link Note: FIPS is not enabled until you receive notification that all configuration checks are complete and the device is restarted. Some configuration actions require you to move from the FIPS page to other Embedded Web Server pages After completing these actions, to continue the FIPS validation checks and enablement, restart the FIPS checks. FIPS is not enabled until you receive notification that all configuration checks are complete and the device is restarted. Some configuration actions require you to move from the FIPS page to other Embedded Web Server pages After completing these actions, to continue the FIPS validation checks and enablement, restart the FIPS checks. For FIPS only mode, statuses include: FIPS On : The device is compliant with no exceptions acknowledged. FIPS On With Exceptions : The device is compliant with exceptions acknowledged A summary table lists the exceptions. Feature Needs Attention : Changes may have occurred that impact FIPS compliance: To ensure compliance, disable, then re-enable FIPS only mode. FIPS On : The device is compliant with no exceptions acknowledged. FIPS On With Exceptions : The device is compliant with exceptions acknowledged A summary table lists the exceptions. Feature Needs Attention : Changes may have occurred that impact FIPS compliance: To ensure compliance, disable, then re-enable FIPS only mode. For FIPS with Common Criteria (CC) compliance mode, statuses include: FIPS + Common Criteria On : The device is compliant with no exceptions acknowledged. FIPS + Common Criteria On With Exceptions : The device is compliant with exceptions acknowledged A summary table lists the exceptions. Feature Needs Attention : Changes may have occurred that impact FIPS / Common Criteria compliance: To ensure compliance, disable, then re-enable FIPS with Common Criteria compliance mode. FIPS + Common Criteria On : The device is compliant with no exceptions acknowledged. FIPS + Common Criteria On With Exceptions : The device is compliant with exceptions acknowledged A summary table lists the exceptions. Feature Needs Attention : Changes may have occurred that impact FIPS / Common Criteria compliance: To ensure compliance, disable, then re-enable FIPS with Common Criteria compliance mode.