Checklist Summary:

This Sharing Peripherals Across the Network (SPAN) Security Technical Implementation Guide (STIG) provides the technical security policies, requirements, and implementation details for applying security concepts to Commercial-Off-The-Shelf (COTS) hardware peripheral devices. For this STIG, peripheral will mean, "any device that allows communication between a system and itself, but is not directly operated by the system". However, this document does not deal with devices found wholly contained within the main cabinet of the computer or, with the exception of A/B switches, those devices connected via legacy parallel and serial interfaces. The purpose of this section is to discuss and provide guidance for the secure implementation of network attached multi function devices (MFD)s and printers. MFDs are gaining popularity in the enterprise because they allow users to print, copy, fax and scan from a single device. The advantages of this are realized in the cost savings, space savings and maintenance compared to the individual devices they replace. Many MFDs offer the user the ability to fax directly from the desktop. Like network-attached printers, MFDs are subject to the same network and physical security concerns. Because these devices include an embedded operating system with network connectivity, considerable attention is being paid to their secure implementation. As with printers, MFDs may have file transfer protocol (FTP), telnet, Hyper Text Transport Protocol Secure (HTTPS), SMTP and SNMP services running. MFDs may also have a connection to a phone line for fax functionality. If an attacker gains network access to one of these devices, a wide range of exploits may be possible. If an attacker gains physical access to a device, the programming of the device can be compromised and the potentially sensitive data stored on the hard disk can be recovered.

Checklist Role:

• Multi-Functional Peripherals

Known Issues:

Not provided.

Target Audience:

This document is a requirement for all DoD-administered systems and all systems connected to DoD networks. These requirements are designed to assist SMs, Information Assurance Managers (IAMs), IAOs, and SAs with configuring and maintaining security controls. This guidance supports DoD system design, development, implementation, certification, and accreditation efforts.

Target Operational Environment:

• Managed
• Specialized Security-Limited Functionality (SSLF)

Testing Information:

Not provided.

Regulatory Compliance:

DoDD 8500.1 and DoDI 8500.2

Comments/Warnings/Miscellaneous:

Not provided.

Disclaimer:

Not provided.

Product Support:

Not provided.

Point of Contact:

disa.stig_spt@mail.mil

Sponsor:

Not provided.

Licensing:

Not provided.

Change History:

Changed status from "under review" to "final" - 09 September 2015
Version 2, Release 6 - 31 July, 2015
Changed status from "Under Review" to "Final" - 03 June 2015
Version 2, Release 3 - 25 October 2013
Version 2, Release 1 - 29 April 2011
Version 2, Release 4 - 30 October 2014
Updated status to "Final" - 07 January 2015
Updated "Point of Contact" - 15 January 2015
Version 2, Release 6 - 31 July, 2015
Changed status from "under review" to "final" - 09 September 2015
Version 2, Release 7 - 29 October 2015
Changed status from "Under Review" to "Final" - 29 December 2015
Version 2, Release 8 - 2 February 2016
3/10/2016 - Promote to Final
Updated to v2, r9 - 01/27/2017
Updated to FINAL - 03/08/2017
null
Updated URL to reflect change to the DISA website - http --> https
updated to v1,r11 - 02/16/2018
Updated to FINAL - 3/18/2018
Updated to v2,r12 - 1/16/19
updated to Version 2, Release 13- 1/23/19
Updated to FINAL - 2/19/19
Updated URLs - 6/12/19

Dependency/Requirements:

URL	Description

References:

Reference URL	Description

NIST checklist record last modified on 06/13/2019