Title

MFDs must not allow scan to SMTP (email). (Cat II impact)

Discussion

The SMTP engines found on the MFDs reviewed when writing the MFD STIG did not have robust enough security features supporting scan to email. Because of the lack of robust security, scan to email will be disabled on MFD devices. Failure to disable this feature could lead to an untraceable and possibly undetectable compromise of sensitive data. The SA will ensure MFDs do not allow scan to SMTP.

Check Content

The reviewer will, with the assistance from the SA, verify devices do not allow scan to SMTP. If scan to SMTP is enabled on the MFD, this is a finding. Note: With AO approval, strict usage policies, and user training, MFD scan to SMTP (email) is allowed if CAC/PKI authentication is implemented on the MFD. There must be a method implemented for non-repudiation and authenticated access. A USB/flash drive/thumb drive or any removable storage capability will not be installed.

Fix Text

Disable the scan to SMTP (email) feature on all MFDs.

Additional Identifiers

Rule ID: SV-7029r2_rule

Vulnerability ID: V-6804

Group Title: MFD scan to SMTP (email)

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.