Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-6804 | MFD07.005 | SV-7029r1_rule | DCBP-1 | Medium |
Description |
---|
The SMTP engines found on the MFDs reviewed when writing the SPAN STIG did not have robust enough security features to support scan to email. Because of this lack of robust security, scan to email will be disabled on MFD devices. Failure to disable this feature could lead to an untraceable and possibly undetectable compromise of sensitive data. The SA will ensure devices do not allow scan to SMTP. |
STIG | Date |
---|---|
Multifunction Device and Network Printers STIG | 2015-04-02 |
Check Text (C-3019r1_chk) |
---|
The reviewer will, with the assistance of the SA, verify that devices do not allow scan to SMTP. Note: With DAA approval, strict usage policies, and user training, MFD scan to SMTP (email) is allowed if CAC/PKI authentication is implemented on the MFD. There must be a method implemented for non-repudiation and authenticated access. A USB/flash drive/thumb drive or any removable storage capability will not be installed. |
Fix Text (F-6478r1_fix) |
---|
Disable the scan to SMTP (email) feature on all MFDs. |