Rule ID
SV-7029r2_rule
Version
V2R15
CCIs
The SMTP engines found on the MFDs reviewed when writing the MFD STIG did not have robust enough security features supporting scan to email. Because of the lack of robust security, scan to email will be disabled on MFD devices. Failure to disable this feature could lead to an untraceable and possibly undetectable compromise of sensitive data.<br /><br />The SA will ensure MFDs do not allow scan to SMTP.
The reviewer will, with the assistance from the SA, verify devices do not allow scan to SMTP. If scan to SMTP is enabled on the MFD, this is a finding.<br /><br />Note: With AO approval, strict usage policies, and user training, MFD scan to SMTP (email) is allowed if CAC/PKI authentication is implemented on the MFD. There must be a method implemented for non-repudiation and authenticated access. A USB/flash drive/thumb drive or any removable storage capability will not be installed.
Disable the scan to SMTP (email) feature on all MFDs.