
Common Technology Services (CTS)
DRAFT
Printing in shared government buildings
When government organisations share buildings they need to share services like networks and printing. Design print services for shared environments to future-proof your service.
Read this guidance from Common Technology Services to find out how your organisation can:
- minimise costs
- avoid reliance on single-organisation print networks
- know who is printing
- comply with print and information management policies
Pre-built internet-based print services are becoming more widely available. They:
- reduce the need for on-site servers
- are quick to deploy
- have suitable security and service management
- enable hardware neutrality - more than one printer vendor can be used at a time
Use cloud-based services
Multi-tenant platforms provide an easy way to install and manage a secure print service. The infrastructure is already set up, so you can consume what you need and scale it easily for each new site. Where organisations procure a service from scratch, they should opt for solutions that can be shared to allow all building users to print. This model provides a way of printing where:
- laptops, desktops and tablets, driverless devices (phones, tablets, or devices on which people cannot install a driver) and guests send jobs to the print provider
- the print jobs are sent with network and data encryption
- the cloud print solution controls the print queues, print management and job release
- the client sits locally with the printer, but does not retain any data
The following diagram shows how a print job is created, securely sent to the print server and released for printing.
- The user creates a print job.
- The user sends the job from their device to the cloud, via web-to-print, email-to-print or using drivers. The cloud print solution manages queue and release.
- The user receives a release code.
- The user releases the job at the printer with the release code.
- The cloud solution sends the job to the printer once the user inputs their release code.

Consider your transition and legacy equipment
Currently, organisations work hard to deliver print services to their corporate users. New technology means this can now be opened up to other users, and provides a way for those without drivers to print as part of a transition. Consider this if your organisation already shares a building and you want to increase access across teams.
You can transition to a shared platform without disrupting your current service. Running a shared platform in parallel to your existing network mitigates the risk of service disruption during a move, and allows you to integrate the old and new systems. Users also quickly gain familiarity with the new service. You can integrate better user journeys and open up your service, where:
- corporate users send print jobs using the existing drivered print service
- laptops, desktops and tablets, driverless devices (phones, tablets, or devices on which people cannot install a driver) and guests send jobs to the cloud print provider
- the print jobs are sent with network and data encryption
- the cloud print solution controls the cloud print queues, print management and job release
- the client sits locally with the printer, but does not retain any data

Choose your print solution
New technology provides ways to reach a wider audience, to include, for example:
- visiting civil servants
- other guests
- contractors
- interim staff
Consider all the people that need to print in your building when you design your print solution.
Consider how users print
Choose one or more of these solutions, based on what user needs you’ve identified.
Print using drivers
In this solution:
- install and configure print drivers on each device - users with administrative rights to their device can do this themselves; IT teams install drivers on managed devices
- set up devices to ‘point’ to the right print queue
- create each print job on the device
Web-to-print
In this solution users print via a web portal. It uses an email address to validate users when they submit a print job. Administrators create rules so the service accepts or rejects users with certain email addresses. The print server converts documents into print jobs.
To print via a web portal, a user:
- goes to a website
- uploads a document
- enters an approved email address to submit the job and receive a PIN
- releases their job using their PIN at the printer
Email-to-print
This solution uses email addresses to validate users when they submit a print job. Administrators create rules so the service accepts or rejects users with certain email addresses. The print server converts documents into print jobs. To use this solution, users:
- attach a document to an email
- send it to the specified email address, from an approved email address
- receive a PIN email in reply
- release their job using their PIN at the printer
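The email-to-print flow above, modelled as an added example (not code from CTS or any print vendor): sender rules, a per-job PIN and single-use release. The `*.gov.uk` rule and the 8-hour retention come from examples later in this guidance; the PIN length, function and class names and the sample addresses are assumptions, and the sender address is assumed to have passed the mail gateway's sender authentication already.

```python
"""Email-to-print admission and PIN release (added example, constructed values)."""
import secrets
import time

TRUSTED_RULES = ["*.gov.uk"]     # the guidance's example rule, @*.gov.uk
JOB_TTL_SECONDS = 8 * 60 * 60    # the guidance's example: delete stored jobs after 8 hours
PIN_DIGITS = 8                   # assumption: the guidance does not specify a PIN length


def sender_allowed(address, rules=TRUSTED_RULES):
    """Match the domain of a bare address against exact or '*.suffix' rules."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not (local and sep and domain) or "@" in local or domain.startswith("."):
        return False
    for rule in rules:
        # '*.gov.uk' matches on a label boundary, so 'notgov.uk' is rejected.
        if rule.startswith("*.") and domain.endswith(rule[1:]):
            return True
        if domain == rule:
            return True
    return False


def new_pin():
    return f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"


class ReleaseQueue:
    """Holds jobs until the matching PIN is entered or the retention window ends."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._jobs = {}  # pin -> (sender, document bytes, expiry timestamp)

    def submit(self, sender, document):
        if not sender_allowed(sender):
            return None  # rejected: nothing stored, no PIN issued
        pin = new_pin()
        while pin in self._jobs:  # keep PINs unique among pending jobs
            pin = new_pin()
        self._jobs[pin] = (sender, document, self._clock() + JOB_TTL_SECONDS)
        return pin

    def purge_expired(self):
        now = self._clock()
        stale = [pin for pin, job in self._jobs.items() if job[2] <= now]
        for pin in stale:
            del self._jobs[pin]
        return len(stale)

    def release(self, pin):
        """Return (sender, document) once, then forget the job."""
        self.purge_expired()
        job = self._jobs.pop(pin, None)
        return None if job is None else job[:2]
```

A From header on its own is easy to forge, so the address rule only carries weight when the mail system has verified the sender before the job reaches the queue.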
Other features to consider
In addition to printing, think about what other functionality your users need.
Scanning
Multi-function devices (MFDs) can help organisations use digital processes and reduce printing. MFDs should include scanning functionality like scan-to-email and scan-to-shared-drive. When you deploy this function, consider auditing and controlling who has access to the scanning functions.
Faxing
Where organisations still use fax, they should consider implementing online fax services that integrate faxing with their email service - sometimes called a fax-to-email gateway. This reduces the cost and administrative overhead of installing and managing telephone lines and fax machines, and means that users can send and receive faxes directly from their computer.
Accessibility
Your service should work for all your users. Look for features that make this possible such as voice control and adjustable touch screen keypads.
Use the digital accessibility standards and the ETSI standards to make sure the services you buy are accessible to all users and compliant with public procurement.
Decide how users enrol with the print server
Consider how much cost and effort is required by your users and your local IT team when choosing how users will enrol with the print server.
Option 1: use existing credentials
Use email addresses to create per job release codes. Organisations can set rules to limit trusted addresses, for example @*.gov.uk, to control user access.
Alternatively, authenticate users to your print server using common tools like:
Option 2: use permanent identifiers
Before linking user accounts to a release token, like a radio-frequency identification (RFID) card, you should consider:
- how users will associate the token to their account
- which standards to use for release
- your existing tokens, like building passes or near field communication (NFC) phones, and how you can use them
- the relevant International Organisation for Standardisation (ISO) standards (14443, 15693) for card tokens
- what happens when you lose a token (business process and technical process)
- having multiple identifier options
As long as the identifier ties the print job to the user, organisations should permit a range of possible identifiers. Users could provide their own token if it meets the criteria above.
Make sure your print data is secure
To make printing secure, protect print job data on its way to the printer and release print jobs only to the person that printed them. Make sure your supplier is able to do this. Your secure print platform must meet the following security requirements.
Data in transit
To protect your network and your data in transit, you and your solution provider should:
- encrypt data between endpoints (client to print server and print server to printer)
- use virtual private networks (VPNs) between buildings and print servers using IPsec or Transport Layer Security (TLS) if you aren’t confident with the security of your internal network
Print job security
To protect your print job data you should:
- encrypt job data with appropriate ciphers
- set up data deletion processes, like deleting stored print jobs after 8 hours
- consider configuring print spooling so that data stays on a user’s device until they release it at the printer
To protect your print release process you should:
- ensure documents are handled correctly, by the correct person
- release print jobs on collection
- use release tokens like smartcards or unique job specific PIN numbers
- restrict print job release based on the content of documents, for example detect patterns like credit card or national insurance numbers; align this to your email content policy
- mark print jobs, for example using watermarks, to track who has printed a document
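The content-based release restriction above can be prototyped as follows. This is an added example, not code from CTS or any print product; it assumes the print server has already extracted text from the job, and the function names and sample strings are constructed.

```python
"""Hold-for-review check on text extracted from a print job (added example)."""
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# National Insurance number: 2 prefix letters, 6 digits, suffix A-D.
# HMRC format rules: D, F, I, Q, U, V are never prefix letters and
# O is never the second letter.
NINO_RE = re.compile(
    r"\b([A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z])\s?\d{2}\s?\d{2}\s?\d{2}\s?([A-D])\b",
    re.IGNORECASE,
)
UNUSED_NINO_PREFIXES = {"BG", "GB", "KN", "NK", "NT", "TN", "ZZ"}


def luhn_ok(digits):
    """Luhn checksum: filters out digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text):
    """Return masked findings so the audit log never stores the full value."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in NINO_RE.finditer(text):
        prefix = m.group(1).upper()
        if prefix not in UNUSED_NINO_PREFIXES:
            findings.append(("nino", prefix + "******" + m.group(2).upper()))
    return findings


def release_decision(text):
    findings = scan_text(text)
    return ("hold" if findings else "release"), findings


# Constructed samples: a test card number that passes Luhn, and values that do not match.
SAMPLE_FLAGGED = "Card: 4111 1111 1111 1111\nNI number: ab 12 34 56 c\nTel 020 7946 0000"
SAMPLE_CLEAN = "Order 4111 1111 1111 1112, specimen QQ 12 34 56 C, room 4.12"
```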
Print server security
To protect data at rest, ensure your solution provider has proper management processes in place, like an updating and patching schedule. Your solution provider should:
Printer security
To protect your hardware, you should:
- apply the latest updates to printers and peripheral devices, and automate this process where possible
- assess identified vulnerabilities and reconfigure hardware to protect your service
- locate printers in areas protected by building security
- restrict network access to printers, for example using firewalls, to limit port and IP access range
- regularly scan printers for network vulnerabilities
- regularly change printer admin passwords
- use network dongles for encryption on older printers
- lock USB ports on printers
- consider storing data in the cloud rather than on the device
Your solution provider should:
- update software and firmware and have processes to keep software up to date
- encrypt data stored by devices where possible
- limit data caching on printers
- consider how to remove data stored on the printer (for example by turning off the printer to flush the cache or overwriting data on hard drives after job release)
- decommission hardware in line with CESG guidance
Report on service management
Organisations should capture:
- data for audit
- performance data to manage their suppliers
Maintain your print service
This should be automated and easy. Users might not know IT help desk contact details so you should automatically and proactively manage error reports, faults and paper and ink shortages. You need:
- alerting systems and associated networking to manage print devices
- processes for fixing printers - users need a consistent way of getting help
- processes for automatically restocking consumables (toner and paper)
- training for local staff
Consider how to integrate monitoring of systems and printers into your organisation’s system monitoring tools.
Comply with environmental policy
Often, new technology allows staff to work more efficiently without printing. To reduce printing and comply with greening government ICT strategy consider:
- capturing information on high volume print users and high volume photocopy users
- ensuring documents are only printed when necessary and in the appropriate format - for example, make monochrome the default rather than colour printing
- capturing data to show who and how much is being printed by internal and external users, for example:
  - total guest user printing by department or business unit
  - total photocopy pages
  - total printed pages (black and white and colour)
  - location of high print use
- using managed MFDs rather than unmanaged locally connected printers by default to:
  - increase the ratio of people to printers
  - replace manual processes by scan and web fax so users don’t need to print
If you capture this data you can provide information to your organisation’s environmental group to help reduce printing. They need to identify individuals and groups that print a lot so that they can develop digital processes to reduce printing.
Buy the solution
Organisations can structure their commercial model to fit their needs. They could contract a cloud service and printers from one provider. Alternatively, they could choose different suppliers, and integrate them. When you procure print services, consider:
- software for both print and fax services from the Digital Marketplace
- printer hardware, consumables, management and audit from framework agreement RM1599 (RM3781 from November 2016)
- if a different contract model, like leasing or per-page, will be better value
Multi-function devices
Buyers should:
- check the hardware models and the software version (including software on the device) of their managed print service to make sure it’s compatible with their shared service solution
- maintain patching and software updates (including for out of contract devices) as a security feature
- ensure devices support encryption
- ensure devices are accessible to all users
- ensure devices support current business processes, like the ability to scan and fax
- check file scanning uses open data formats such as .odf (where text recognition is used) or PDF
- establish clear service level agreements (SLAs) and reporting to hold vendors to account
- choose devices that support switching to digital processes (scan and SaaS fax) rather than manual ones
- use token readers that conform to standards ISO 14443 and ISO 15693
- use card readers that conform to ISO 7816
Software
Buyers should:
- follow the Technology Code of Practice
- require vendors to set up a proof of concept (PoC) that demonstrates the solution on site, prior to signing a contract to test the usability of the service and retain the right to opt out during the PoC should it not meet requirements
- check that services are compatible with security standards like IPsec or TLS
- understand what your users need and shape the service accordingly
- consider reducing vendor lock-in by buying a disaggregated solution that can be easily installed, adapted or removed
- investigate software and hardware hybrid contracts to make savings
- consider using Software as a Service (SaaS) fax services to avoid the need to purchase fax hardware as part of your print service
- ensure that your printer and software are compatible with the cloud service software, so your printer can handle the latest security and software updates, or so your printer can embed an application
- establish clear SLAs and reporting to hold vendors to account
- define the network architecture and plan to integrate your service into it
Commercial model
Whether you choose to buy printers and a shared platform in several parts, or as one block, you must understand how you will use your service to decide which commercial model to use. Read more information on commercial models for printing infrastructure in the Lot 2 and Lot 3 specification documents for CCS framework RM1599. Consider:
- Leasing printers - organisations can:
  - lease printers for fixed periods
  - easily get rid of printers that are no longer needed
  - use operational expenditure (opex) budget for leasing printers
- Cost per page: this will be fixed for the contract length, so organisations will benefit from reducing the volume of printing over the life of the contract.
- Buy-back arrangements: organisations can use capital expenditure (capex) budget with a contracted buy-back price to reduce monthly fees.
- Managed service - organisations should consider:
  - choosing a full managed service that includes device lease and cost per page
  - that all managed services include device maintenance
  - how the service will manage repairs and firmware and software updates
- Licenses - SaaS providers often charge per license, so organisations need to manage how they consume the service to pay the correct amount.
- Consumables - organisations should:
  - set minimum standards for the delivery of consumables like toner, paper, and staples
  - reorder consumables automatically to reduce work for local staff
  - provide recycling bins to remove and dispose of used consumables
Email contact.cts@digital.cabinet-office.gov.uk to:
- join the CTS review group
- provide feedback on CTS guidance
- submit ideas for solutions
- discuss how this guidance will help you use technology more efficiently and effectively