Printing Lease Boise VA VA260-17-Q-0608 - Attachment

General Information

Document Type: FILE
Posted Date: Aug 21, 2017
Category: Lease or Rental of Equipment
Set Aside: N/A

Contracting Office Address

Department of Veterans Affairs;Network Contracting Office 20;8524 N Wall St;Spokane WA 99208


This is a SOURCES SOUGHT NOTICE in support of the Boise VA Healthcare System in Boise, ID, for market research purposes only, to determine the availability of potential businesses with capabilities to provide the services described below. Potential offerors are invited to provide feedback via e-mail to Joshua Anderson at JOSHUA.ANDERSON2@VA.GOV. Responses will be used to determine the appropriate acquisition strategy for a potential future acquisition. All responses are due by August 23, 2017, at 1600.

Potential contractors shall provide, at a minimum, the following information:

1) Company name, address, point of contact, phone number, e-mail address, and DUNS.

2) Is your firm eligible for participation in one of the following small business programs? If so, please indicate the program. The anticipated North American Industry Classification System (NAICS) code is 532420, Office machinery and equipment rental or leasing. The largest a firm can be and still qualify as a small business for Federal Government programs is $27.5 Million.
[ ] yes [ ] no Small Business (SB)
[ ] yes [ ] no HUBZone
[ ] yes [ ] no Small Business 8(a)
[ ] yes [ ] no Small Disadvantaged Business (SDB)
[ ] yes [ ] no Women-Owned (WO) Small Business
[ ] yes [ ] no Service Disabled Veteran Owned Small Business (SDVOSB)
[ ] yes [ ] no Veteran Owned Small Business (VOSB)
[ ] yes [ ] no Other (please specify)

3) What types of information are needed to submit accurate offers?

4) Provide a brief capability statement (max 2 pages) with enough information to determine if your company can meet the requirement. The Capabilities Statement for this sources sought is not expected to be a Request for Quotations, Request for Proposals or Invitation for Bids, nor does it restrict the Government to an ultimate acquisition approach; rather, the Government is requesting a short statement regarding the company's ability to provide the services outlined in the draft SOW below.
Any commercial brochures or currently existing marketing material may also be submitted with the capabilities statement. Submission of a capabilities statement will assist our office in tailoring the requirement to be consistent with industry standards. The capabilities will be evaluated solely for the purpose of determining whether to set aside for the Small Business (SB) community or to conduct an unrestricted procurement. Other than small businesses may respond to this notice in the event the market does not indicate SB interest. This synopsis is for information and planning purposes only and is not to be construed as a commitment by the Government. The Government will not pay for information solicited. Respondents will not be notified of the results of the evaluation. Note: Do not include proprietary, classified, confidential, or sensitive information in responses. Not responding to this Sources Sought does not preclude participation in any future or potential solicitation or Request for Quotation. It is the intent of the Mann-Grandstaff VA Medical Center to use the information gathered for market research purposes only. If a formal solicitation is released, it will be posted via the Federal Business Opportunity site (http://www.fbo.gov).

DESCRIPTION OF THE REQUIREMENT:

1. Contract Title. Boise VAMC, Printing Facility Equipment lease w/service & supplies.

2. Background. The government has copier, imaging and document management needs throughout the Boise VAMC HCS and shall institute an improved document management system that shall further maximize current productivity levels and streamline operational costs through the lease and use of commercially available, state-of-the-art digital color / black and white multifunction (copy/scan/fax/print/email) machines.
The current leased fleet equipment has reached its full lease commitment, is now outdated due to technology improvements and has reached the end of its useful life; the contractor/vendor is scheduled to remove these units at the end of the fiscal year.

3. Scope. The contractor shall supply all labor, tools, parts, materials, equipment, supervision, supplies, transportation and moves as necessary to provide an operating lease and maintenance services for the Boise VAMC HCS identified in this solicitation under Place of Performance. Pricing shall be per machine (flat rate), not per page printed.

Equipment Capabilities:

a. One (1) 95 PPM (minimum) digital black and white printer/copier with production print path, multi print queue, variable data printing, simplex/duplex printing/copying up to 203 gsm, and multiple substrates, to include, but not limited to, precut tabs, coated and uncoated stock, transparencies, and bond. Print-to and copy-at capabilities. The machine requires a professional finisher that includes a c/z folder, booklet maker, multi-position stapler, multi-position hole puncher, insertion tray, and auto document feeder (for standalone use). Four drawers, with two set at letter size and two adjustable trays up to 11x17, plus 2 high-capacity letter size trays. The machine is to be located in the printing facility. The average monthly impressions for this machine are approximately 80,000.

b. One (1) 50/65 PPM (minimum) digital color printer/copier with simplex/duplex printing/copying up to 203 gsm and multiple substrates, to include, but not limited to, precut tabs, coated and uncoated stock, transparencies, and bond. The machine requires a professional finisher that includes a c/z folder, insertion tray, booklet maker, multi-position hole puncher, multi-position stapler, four (4) adjustable paper trays up to and including 11x17 paper, and one (1) high-capacity letter size paper tray. Paper substrate types to include bond, transparencies, coated, precut tabs, and heavy weight stock up to 203 gsm. Direct print, auto doc feeder for standalone use. The machine is to be in the printing facility. The average impressions per month are approximately 10,000.

c. One (1) electronic desktop pre/post press software package that shall include a desktop scanner for document setup, to include at a minimum full job ticketing, streamlined document composition and image/page editing, cut and paste, and assembly of documents from both electronic and hard copy sources. The ability to assemble documents using both black and white and color documents into a what-you-see-is-what-you-get finished document. It shall allow for digitizing, editing, archiving, and reprinting of paper documents throughout the document process. The use of PDF, TIFF, JPEG and PostScript drivers/licenses that allow the user to control and manage the system. Provide program-ahead functions to allow the user to create and edit complex tab programming, to include job setup, page layout and proofing, including single and multi-page layout, insertion of tabs, graphics from specialty pages, the use of multi-weight and/or color paper stocks, and insertion of covers into the finished document. Software must be backward compatible with existing RDO documents, and/or new programming must allow for current editing and page programming capabilities to be retained and include conversion services if necessary. Must be Windows 7 Enterprise and/or upgradable to future Windows operating systems. Must be compatible with PIV-only network logon equipment.

d. Ninety (90) 35/45 PPM black and white, two drawer (minimum) multifunction copiers with stands, to include print, copy, scan, email and fax, with two-sided copy/print capabilities, adjustable paper trays up to 11 x 17 page size, and an internal finisher for collating and stapling. Size requirement: 2 x 2 foot footprint. Paper tray capacity of 100 sheets minimum. The average impressions per machine for the fleet are approx. 7,000. Machines will be located throughout Boise VAMC HCS.

e. Three (3) 35/45 PPM color, two drawer (minimum) multifunction copiers with stands, to include print, copy, scan, email and fax, with two-sided copy/print capabilities, adjustable paper trays up to 11 x 17 page size, and an internal finisher for collating and stapling. Paper tray capacity of 100 sheets minimum. Machines will be located throughout Boise VAMC HCS.

f. Two (2) up to 65 PPM black and white, two drawer (minimum) multifunction copiers with stands, to include print, copy, scan, email and fax, with two-sided copy/print capabilities, adjustable paper trays up to 11 x 17 page size, and an internal finisher for collating and stapling. Capable of handling heavy workloads.

g.

4. Specific Tasks: The contractor shall provide a methodology for determining overall costs per machine that shall assist VA in future printer consolidation efforts. These efforts should ideally include decision-based software which would manage the costs more effectively, for all machines listed on the contract/lease. The Contractor shall submit equipment proposals with consideration of Federal Sustainability and Green Mandates whenever possible. The Contractor shall guarantee that all leased equipment covered by this contract shall be free from defects in workmanship and materials under normal use and maintenance conditions for the term of the contract from the date of installation. In the event the Contracting Officer's Representative (COR) determines that the installed equipment is defective, failing to maintain the volume and quality specified for that piece of equipment, the Contractor shall repair or replace the equipment (with the same specifications) at no additional cost to the government.
This maintenance service does not include any items that have been subject to Government misuse, neglect or accident, nor does it extend to any items that have been repaired, altered or replaced by other than an authorized technician identified by the manufacturer. The Contractor shall supply a service/maintenance number and shall respond to service/maintenance calls within 1 hour and be on site within a maximum of 4 hours. The Contractor shall ensure that significant quantities of replenishment supplies (not to include paper) are on hand to cover all equipment. The Contractor shall provide a software solution to the COR to allow for reports of usage by machine and/or service and/or individuals, to allow tracking of individual machines, and to use equipment meter readings for billing of usage for service/maintenance and supplies of each machine. The Contractor shall provide a monthly maintenance warranty agreement to the COR, which is mandatory for the monthly lease payment. Maintenance agreements commence upon installation of the equipment. The Contractor shall repair or replace defective parts and/or equipment at the Contractor's expense for the duration of the lease agreement. The contractor shall provide PIV card readers for each machine that must be able to read both SHA1 and SHA2 certificates from the card and use those certs to send an encrypted e-mail to the user from the machine.

Installation and Removal: Upon acceptance by the government of the contractor's proposal for upgrading existing print shop equipment, the Contractor shall install new equipment in non-patient areas on October 1st (Monday). The government reserves the right to add or delete equipment/software from the lease agreement. Additional equipment/software may be added for the duration of the contract/lease. All delivery costs, labor, equipment, materials, and supervision required for installation of the new equipment in the areas requested shall be the responsibility of the contractor. The contractor shall coordinate the installation of new equipment with the COR. Upon expiration of the lease or removal of copier/printer equipment during the lease period, the hard drives shall be removed and remain at the Boise VAMC for destruction; for equipment located offsite, the contractor will return the hard drives to the COR at the Boise VAMC. During the contract period the government shall not incur additional costs for the removal of the hard drives if a machine is replaced or removed from any facility controlled by Boise VAMC HCS due to equipment failure. It is the responsibility of the contractor to identify all necessary electrical modifications required to upgrade existing electrical outlets to accommodate replacement equipment. The government shall furnish the proper electrical current and required electrical receptacles as well as network and phone line connections for the equipment to be placed in the printing facility. In addition, the contractor shall coordinate with the COR and the Office of Information & Technology (OI&T) to install network/telecommunications ports, configure the network to support the equipment, and install and maintain print drivers on the OI&T print server. All machines shall require network connection and configuration; in addition, the respective site's print server(s) shall require attention to install new drivers or update the site's equipment configuration. Only in the event that the government cannot provide an active network drop/port for a specific unit in a timely manner shall the COR consider the installation complete and certify its installation. The contractor shall complete installation of all equipment within the Boise VAMC HCS (catchment area). Once installation for all facility equipment is complete, the COR shall certify that the contractor satisfactorily completed the equipment installation and the equipment is operational by signing a government installation report. The contractor shall provide a copy of the government installation report to the contracting officer (CO).

Equipment shall be accepted upon installation by the contractor technician, after the equipment runs all required diagnostic routines and the equipment is inspected by the COR. The actual date of acceptance shall be the date when the contractor completes the installation of the final piece of equipment at a facility location. When the COR accepts the installation of the final piece of equipment at all the Boise VAMC HCS locations, the contractor shall take an initial meter reading of all installed equipment. Maintenance service cost per copy charges shall be calculated from that meter reading forward (i.e., if the meter reads 100 copies, maintenance cost per copy charges shall commence upon copy 101). Although both the government and the contractor made reasonable efforts to ensure proper equipment placement, the government/COR may require a change in location to a different area/location when deemed in the best interest of the government. The contractor shall perform relocation services throughout the contract period at no additional cost to the government. Relocation of all equipment shall be performed within fifteen (15) business days of notification.

The contractor shall conduct training sessions within 10 days after completion of installation of all machines, to familiarize personnel utilizing the installed equipment with their basic operational functions, at no additional cost to the government. A qualified, factory-trained representative knowledgeable in all operational functions of the installed equipment shall conduct all training sessions. Training sessions during the first year shall be held once every quarter if required by the COR, at no additional cost to the government. At a minimum, training shall cover the basic operational functions of the equipment, mailbox access, replenishment of toner, paper and staples, and clearing paper misfeeds. Specialized training required to acclimate federal employees with disabilities to new equipment shall be at no additional cost to the government. The contractor shall provide a contact person and telephone number in the event additional instruction is necessary. All training shall also be offered every renewal year at no additional cost to the government. Additionally, the contractor shall provide training to maximize and expand desktop capabilities, such as, but not limited to, scan to file and scan to desktop or email. The contractor shall provide ongoing training for the printing facility equipment as needed.

The contractor shall furnish preventative maintenance that includes monitoring software residing on VA equipment, and upgrading all firmware as changes are made, at no additional cost to the government. The Contractor shall be required to be in full compliance with VA Handbook 6500.6, Contract Security. The contractor shall furnish all labor, material, travel, replacement parts and consumable supplies (excluding paper) required to keep the equipment in operation at all times. Maintenance service shall include all work and parts, inclusive of replacement drums, circuit boards, screws, nuts, bolts, clasps, light bulbs, consumable supplies (excluding paper) and any other parts required to retain peak operational function of copier/MFP equipment and printing facility equipment. Manufacturer's technicians shall perform an annual preventative maintenance service call on each piece of equipment as determined by the specific needs of the individual machine. Preventive maintenance shall include lubrication, cleaning and necessary adjustments to keep the equipment in maximum operating condition. Standard maintenance practice shall require a technician to maintain all equipment in peak operating condition.

5. Performance Monitoring (if applicable).
The contractor shall meet with the COR quarterly to discuss any issues with the contract, which will include but not be limited to billing, service, supplies and training. A copy of the meeting minutes will be shared with all parties.

6. Security Requirements. Equipment must meet and/or exceed the Region 1 security standards for equipment on the VA Network. The printer and multifunction device baseline configuration implementation plan can be found in Appendix A. The contractor employees shall not have access to VA sensitive or computer information and will not require routine access to VA Facilities. The contractor employees shall require intermittent access only and will be escorted by VA employees while at VA Facilities. No background investigation is required.

7. Government-Furnished Equipment (GFE)/Government-Furnished Information (GFI). There shall be no government furnished property in the performance of this contract. However, the government shall provide adequate workspace around the machine areas. The government shall furnish existing utility services located in the work area.

8. Other Pertinent Information or Special Considerations. Health Insurance Portability and Accountability Act: The Contractor shall take reasonable measures to ensure patient privacy and confidentiality. The contract service providers herein agree to take all reasonable precautions to safeguard patient information from unauthorized access or modification, in both electronic and hard-copy formats. The Contractor shall ensure that no patient information of any type shall be given to outside parties, agencies or organizations of any type. Patient lists and names of patients are considered privileged information and shall not be disclosed or revealed in any way for use outside the VA. The contractor understands that all parties are bound by the conditions of the Health Insurance Portability and Accountability Act of 1996, which provides guidance on the protection of patient privacy and confidentiality. This act mandates that all government agencies and those bodies with whom they contract must be in compliance with the directive of the Act. Details of the Act are still in development by the Congress of the United States. Should additional requirements be set by Congress, a duly executed modification will be executed by the contracting officer.

a. Identification of Possible Follow-on Work: See Item 4, Specific Tasks.

b. Identification of Potential Conflicts of Interest (COI). Any situation that may influence which contractor should be awarded the contract. An organizational COI is a situation where, because of other relationships or activities, a person (company) is unable or potentially unable to render impartial assistance or advice to the Government, cannot objectively perform contract work, or has an unfair competitive advantage. FAR 9.502 states that an organizational COI may result when factors create an actual or potential conflict of interest on an instant contract, or when the nature of the work to be performed on the instant contract creates an actual or potential COI on a future acquisition. An organizational COI exists when the nature of the work to be performed may, without some restriction on future activities, (1) result in an unfair competitive advantage to the contractor or (2) impair the contractor's objectivity in performing the contract work. In services contracts, it is the latter which may most often occur, because of a contractor's access to proprietary information, the evaluation and analysis of products which it may produce, and/or its role as an advocate in contract performance or other situations. The primary burden is on the contractor to identify any organizational COI; however, the Government has the responsibility to identify and evaluate such conflicts. The Contracting Officer is charged with avoiding, neutralizing or mitigating such potential conflicts. It is the customer's responsibility to determine that no organizational COI exists. This is because the customer is more familiar with its requirements and the history of the requirements than the Contracting Officer could ever be. Therefore, the customer must make a determination that no COIs exist, or identify any potential COI that may exist, prior to the execution of this contract.

e. Inspection and Acceptance Criteria. The COR is responsible for certifying that the work done under the contract is performed to time and standard. They are also responsible for assuring the inspection and acceptance of products provided incidental to services. A demo period or trial is not inspection of a product.

9. Risk Control: N/A

10. Place of Performance. The place of performance for delivery, installation, and maintenance of all equipment shall be the main Boise VAMC hospital grounds, at 500 West Fort St, Boise.

12. Delivery Schedule. The contractor shall install the machines in the main VA hospital printing facility on Monday the 2nd of October 2017. The contractor shall install the machines in the main VA hospital patient care areas on the 30th of September 2017 (and Oct. 1st if required) and the offsite and non-patient care areas on Monday the 2nd of October 2017. This will allow for minimal impact on patient care during the transition to the new equipment being installed.

Appendix A: Printer and Multifunction Devices Baseline Configuration Implementation Plan

Baseline can be found here:

This baseline can be implemented by:
Personnel: 1. OI&T 2. Field Operations
Method: 1. The web interface of the printer 2. In some cases: management software, SSH, or a profile upload

Step 1: Obtain a copy of the printer settings (vital settings).
Step 2: Implement printer settings as necessary for individual printer models as follows (ensure settings stay after reboot):

6110/6100 Port: Enable. Utilized by Lexmark Markvision to push security templates and firmware upgrades.
802.1x Authentication: Disable (Enable if utilized; ensure specific authentication protocols). IEEE Standard for Port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. The process involves three parties: requester, authenticator, and authentication server.

9100 Printing: Enable. Port 9100. Also known as RAW printing. A type of TCP port in which data is passed unmodified to the receiving node. The setting allows any individual to print directly to the server by putting in the printer's port number, bypassing security. Required for VistA.

AirPrint: Disable. Ports 80 & 5353. Mobile printing solution included with the Apple iOS v4.2 and later mobile operating systems. iPad, iPhone, and iPod touch users can print wirelessly to any ePrint-enabled HP printer that is connected to the same local wireless network.

APIPA (Automatic Private IP Addressing): Disable. Port unknown. DHCP failover mechanism for local networks that generally is only useful on home or other small intranet LANs. APIPA allocates IP addresses in the private range; clients verify their address is unique on the network using ARP. When the DHCP server is again able to service requests, clients update their addresses automatically. All devices use the default network mask and reside on the same subnet. APIPA is enabled on all DHCP clients in Windows unless the computer's registry is modified to disable it.

AppleTalk: Disable. TCP/UDP Ports 201-208. Proprietary suite of networking protocols developed by Apple Inc. for their Macintosh computers. Includes a number of features that allowed local area networks to be connected with no prior setup or the need for a centralized router or server of any sort. Systems automatically assign addresses, update the distributed namespace, and configure any required inter-networking routing.

AutoIP: Disable. Protocol (usually on HP LaserJet printers) that automatically pulls a DHCP address for the network. This protocol can sometimes be erroneous depending on the setup of the network. Utilize the DHCP protocol instead if pulling a DHCP address for printers (static IP addresses are suggested).

Avalanche: Disable. Allows remote display and modification of printer settings.

Bluetooth: Disable. Unsecure wireless communications system intended to replace the cables connecting many types of devices.

BOOTP (Bootstrap Protocol): Disable. Server UDP Port 67 / Client UDP Port 68. Protocol that lets a network client configure automatically. It can automatically configure any of the following information: IP address, gateway, subnet, system name, name server, and more. It automatically assigns the necessary settings from a pool of pre-determined addresses for a certain duration of time. BOOTP is the basis for a more advanced network manager protocol, DHCP (Dynamic Host Configuration Protocol).

Bonjour: Disable. UDP Port 5353. Apple's implementation of Zero-configuration networking (Zeroconf), a group of technologies that includes service discovery, address assignment, and hostname resolution. Bonjour locates devices such as printers, other computers, and the services that those devices offer on a local network using multicast Domain Name System (mDNS) service records.

Broadcast SAPs: Disable. HP OfficeJet printers supporting the PCL3 and PDL languages can use the SAPWIN device type, which is a generic device type for printers (or also fax devices) linked to PCs running under the MS Windows 3.1, Windows 95, Windows NT, Windows XP, Windows Vista or Windows 7 operating systems by means of the SAP System program SAPLPD. This protocol broadcasts the availability of utilizing SAP.

CIFS (Common Internet File System): Enable. TCP/UDP Port 445 & TCP 139. Protocol that lets programs make requests for files and services on remote computers on the Internet. CIFS uses the client/server programming model and is a public or open variation of the Server Message Block Protocol (SMB) developed and used by Microsoft.

DHCP (Dynamic Host Configuration Protocol): Disable (Enable if utilized). Client TCP Port 67 / Server TCP Port 68. Alternative to another network IP management protocol, Bootstrap Protocol (BOOTP). Like BOOTP, DHCP can configure an IP address, gateway, subnet, system name, and name server. BOOTP and DHCP configure the same options.

DHCPv4 FQDN compliance with RFC 4702: Disable. By default, HP Jetdirect uses the Host Name and Domain Name settings to derive the FQDN. Selecting this option forces HP Jetdirect to ignore the Host Name and Domain Name settings and instead use the host name and domain name returned by FQDN.

DIPRINT (Direct Printing Port): Enable. Port 9100. Enables direct printing from a network-connected computer. This is similar to port 9100 & RAW printing. Required for VistA.

Discovery: Disable. UDP Port 9200.

DLC/LLC (Data Link Control / Logical Link Control): Disable. Older protocol used to print on Hewlett-Packard printers connected directly through networks. The frames released are easily disassembled and DLC functionality can be easily coded into read-only memory (ROM). DLC doesn't directly interface with the Transport Driver Interface layer. Only the print server communicating with the printer needs the DLC protocol installed.

DNS (Domain Name Server): Enable. Client to Server Lookup TCP/UDP Port 53; DNS Administration TCP 139. Protocol that maintains a directory of domain names and translates them to Internet Protocol (IP) addresses.

DDNS (Dynamic DNS): Enable. Method of automatically updating a name server in the Domain Name System (DNS), often in real time, with the active DNS configuration of its configured hostnames, addresses or other information.

Encryption Strength: Enable strong, disable weak. Only set the most secure settings for the printer, e.g. AES 256, SHA 512.

EPrint: Disable. TCP/UDP Port 5222. Uses cloud resources to provide mobile printing capabilities for specific HP ePrint-enabled printers and MFPs and for other printers using applications that provide network printing.

EtherTalk: Disable. Port unknown. A suite of protocols developed by Apple for computer networking. It was included in the original Macintosh (1984) and is now deprecated by Apple in favor of TCP/IP networking. Enables AppleTalk to communicate over Ethernet cabling.

Finger: Disable. TCP Port 79. Older (Windows 2000/NT) TCP/IP tool that matches an e-mail address with the person who owns it and provides information about that person.

FTP (File Transfer Protocol): Disable (Enable if the printer is Intermec / Zebra). Transfer TCP Port 20 / Control TCP Port 21. TCP/IP protocol and software that permits the transferring of files between computer systems.

FTPS (File Transfer Protocol Secure): Disable (Enable if the printer is Intermec / Zebra). TCP/UDP Ports 989-990. Extension to File Transfer Protocol (FTP) that adds support for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) cryptographic protocols.

Gleaning: Disable. Port unknown. Older protocol that is a temporary, local configuration option. Gleaning lets you add the address of the device you want to configure to your local workstation's ARP table. This configuration is not permanent and is valid only from the workstation from which you entered the ARP information. After the information is entered into the workstation's ARP table, the user follows up with a Telnet session to enter the information permanently. This configuration option is used mostly by non-Windows workstations that cannot run the ZebraNet View configuration utility.

HP XML Services: Enable. Enables or disables access by HP Web service applications to XML-based data on the HP Jetdirect print server. Utilized for print management security settings.

HTTP (Hypertext Transfer Protocol): Disable after HTTPS is the interface for the printer's embedded web server. TCP Port 80. Application protocol for distributed, collaborative, hypermedia information systems. HTTP is used for communication between a web server and a web browser.

HTTPS (Hypertext Transfer Protocol over SSL/TLS): Enable (Utilize TLS 1.0+ and disable SSL if capable). TCP Port 443 / Dell OpenManage HTTPS TCP Port 1311. Protocol that uses SSL (Secure Sockets Layer) or TLS (Transport Layer Security) to encrypt communications on HTTP.

IMAGE BUFFER: Disable. Intermec printers use this setting to save the last printed label in the web interface. If unable to disable

IMAP (Internet Message Access Protocol): Disable. TCP Port 143; IMAP SSL TCP Port 993. Protocol that interacts with a server to read, organize, reply to, search and further interact with email. Standard IMAP procedure is to leave messages on the server instead of retrieving copies, so email is only accessible when "on-line."

IPDS (Intelligent Printer Data Stream): Disable. TCP Port 9600. Bidirectional communication protocol and object-oriented print stream between computer systems directly connecting with the print device.

IPP (Internet Printing Protocol): Enable (Utilize with TLS if possible). TCP/UDP Port 631. Internet protocol for communication between a print server and its clients. It allows clients to send print jobs to the server and perform administration such as querying the status of the printer and its print jobs and cancelling print jobs.

IPPS (Internet Printing Protocol Secure): Enable. TCP/UDP Port 443. Secure internet protocol for communication between a print server and its clients over SSL/TLS. It allows clients to send print jobs to the server and perform administration such as querying the status of the printer and its print jobs and cancelling print jobs.

IPSEC: Disable (Enable if utilized). Protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. Requires a certifying authority and keys.

IPX/SPX (Internetwork Packet Exchange/Sequenced Packet Exchange): Disable. Connectionless routable network protocol based on the Xerox XNS architecture. IPX operates primarily at the Network layer of the OSI model and is responsible for addressing and routing packets to workstations or servers on other networks. SPX operates at the Transport layer only.

IPv6: Enable. Addresses are represented as eight groups of four hexadecimal digits with the groups separated by colons, for example 2001:0db8:0000:0042:0000:8a2e:0370:7334. It permits hierarchical address allocation methods that facilitate route aggregation across the Internet, and thus limit the expansion of routing tables. VA currently does not use IPv6 but may possibly in the future.

IR (Intervention Required) Alerts: Disable. TCP Port 9200. Error data from the printer is received on port 9200 (unidirectional).

LDAP (Lightweight Directory Access Protocol): Disable (Enable if utilizing LDAP SSL). TCP Port 389; LDAP SSL TCP Port 636. Open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.

LPD Banner Page Printing: Disable (IPv4 or IPv6). Prints an LPD banner page for print jobs. For currently supported print servers, only Port 1 is available.

LLMNR (Link-Local Multicast Name Resolution): Disable. UDP Port 5355. Protocol based on the Domain Name System (DNS) packet format that allows both IPv4 and IPv6 hosts to perform name resolution for hosts on the same local link.

LLTD (Link Layer Topology Discovery): Disable. Port unknown. Proprietary Link Layer protocol for network topology discovery and quality of service diagnostics. Microsoft developed it as part of the Windows Rally set of technologies.

LPR/LPD (Line Printer Remote / Line Printer Daemon): Enable. TCP Port 515. Network protocol for submitting print jobs to a remote printer or TCP/IP printer (PC fax send).

MAPI (Messaging Application Programming Interface): Disable. TCP Port 135. Messaging architecture and a Component Object Model based API for Microsoft Windows. Allows client programs to become (e-mail) messaging-enabled, -aware, or -based by calling MAPI subsystem routines that interface with certain messaging servers.

mDNS (Multicast Domain Name System): Disable. TCP/UDP Port 5353. Resolves host names to IP addresses within small networks that do not include a local name server. It is a zero configuration service, using essentially the same programming interfaces, packet formats and operating semantics as the unicast Domain Name System (DNS). While it is designed to be stand-alone capable, it can work with unicast DNS servers.

Multicast IPv4: Disable. IPv4 multicasting is the sending of network traffic to IPv4 endpoints. Only those members in the group of endpoints that are listening for the multicast traffic (the multicast group) process the multicast traffic. All other nodes ignore the multicast traffic.

NetBEUI/NetBIOS/IP (NetBIOS Extended User Interface / Network Basic Input/Output System / Internet Protocol): Enable. NetBIOS is the Network Basic Input/Output System. In its most generic form, it is the application programming interface (API) that Microsoft originally used to allow Windows to utilize networking. The NetBIOS Extended User Interface (NetBEUI) expanded on this, and is used to transport NetBIOS across a local area network (LAN). NetBEUI advantages are that it is easily configured, has low overhead, and is configured for LANs. Disadvantages are that it is not routable and doesn't handle large networks well.
Netware: Disable Protocol that allows connection to shared printers on the dedicated server, and print as if the printer were connected locally. Network Scan: Enable Allows scanning a document from the printer to your local computer. NFS (Network File Sharing): Disable Distributed file system protocol originally developed by Sun Microsystems in 1984 that allows a user on a client computer to access files over a network much like local storage is accessed. NFS builds on the Open Network Computing Remote Procedure Call (ONC RPC) system. NTP (Network Time Protocol): Enable (ntp.va.gov, ntp1.va.gov Don t use Domain Controllers) UDP Port 123 Networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. If it is to be enabled, set the time server to a DOD approved NTP server (time.nist.gov). NNTP (Network News Transfer Protocol): Disable TCP Port 119 NNTP SSL TCP Port 563 Application protocol used for transporting Usenet news articles (netnews) between news servers and for reading and posting articles by end user client applications. NPA (Network Printing Alliance): Disable 9300-9302 / Enable 9500-9501 UDP Port 9300-9302 / TCP Port 9500-9501 Protocol for returning printer configuration and status via parallel, serial, network and later USB. In 1997, NPAP was approved as IEEE 1284.1 TIPSI. However, SNMP became the standard for network printer management and thus NPAP was never widely accepted. Lexmark Markvision utilizes NPAP ports 9500-9501 for security template changes. PCL SmartSwitch (Print Command Language Smartswitch): Enable (needed for Vista) Sets the printer to automatically switch to PCL emulation when a print job requires it, regardless of the default printer language. When the Off setting is used, the printer does not examine incoming data. When the off setting is used, the printer uses PostScript emulation if PS SmartSwitch is set to on. 
It uses the default printer language specified in the Setup menu if PS SmartSwitch is set to off. PJL (Printer Job Language): Disable (can configure password as well) Method developed by Hewlett-Packard for switching printer languages at the job level, and for status read back between the printer and the host computer. PJL adds job level controls, such as printer language switching, job separation, environment, status read back, device attendance and file system commands. While PJL was conceived as an extension to Printer Command Language, it is now supported by most PostScript printers. PML (HP Printer Management Language): Disable Protocol that allows many applications to exchange device management information with many printers. PML is an object oriented request-reply protocol which supports asynchronous printer query, control, and monitor capabilities. Can be used to query SNMP values from a printer device. Plug-n-Print: Disable Allows the device to be capable of printing from USB and other removable devices. POP3 (Post Office Protocol): Disable TCP Port 110 POP3 SSL TCP Port 995 Protocol used to retrieve email from the mail server and stored on the local computer. There is a setting to leave all messages there or delete them after mail is received and stored locally. POSTSCRIPT: Enable Computer language for creating vector graphics. It is a dynamically typed, concatenative programming language Print from RAM: Enable Utilizes the printer s ram instead of hard disk to perform printing, scanning, and faxing. Printer Port Monitor MIB: Disable Provides information from a printer to a host system to facilitate the automatic installation of device drivers and other printing applications. The information provided for each print service includes connectivity parameters (such as raw TCP printing sockets and LPR/LPD queue names), status monitoring capability, and printer model and manufacturer data. 
PS SmartSwitch: Enable Sets the printer to automatically switch to PS emulation when a print job requires it, regardless of the default printer language. When the off setting is used, the printer does not examine incoming data. RARP (Reverse Address Resolution Protocol): Disable Obsolete computer networking protocol used by a client computer to request its Internet Protocol (IPv4) address from a computer network, when all it has available is its Link Layer or hardware address, such as a MAC address. RAW Port: Enable TCP Port 9100 Also known as 9100 printing. A type of TCP port in which data is passed unmodified to the receiving node. Setting allows any individual to print directly to the server by putting in the printer s port number and bypass security. Required for VistA. RCFG (remote configuration protocol): Disable Port 8001 Protocol developed by HP for remote configuration and management of devices on an IPX/SPX network, typically a Novell NetWare network. Mostly used for remote IP video cameras. Reprint: Disable / Turn off Option allows the reprinting of the last document. RHPP (Reliable / Ricoh Host Printing Protocol): Disable Port 59100 Older printing protocol created for Ricoh printers. No information on this protocol. RSH (Remote Shell) / RCP (remote copy): Disable TCP Port 514 RSH allows you to execute non-interactive programs on another system. On some systems, this command is sometimes called remsh or rcmd. It executes the command on the other system and returns the program s standard output and standard error output. RCP allows you to transfer files to and from another system over the network. It works like a copy command, where you specify a source and a destination, except that the source or destination of the copy can be the hostname or IP address of another system. Show IP address: Disable Setting shows the printer s IP address on the printer s control panel along with toner levels without logging into settings. 
SSH (Secure Shell): Disable Port 22 Encrypted network protocol that allows a user to run commands on a machines command prompt without them being physically present near the machine. It also allows a user to establish a secure channel over an insecure network in a client-server architecture, connecting an SSH client application with an SSH server. SLP (Service Location Protocol): Disable UDP Port 427 Service discovery protocol that allows computers and other devices to find services in a local area network without prior configuration. SLP has been designed to scale from small, unmanaged networks to large enterprise networks. SMARTSYSTEMS: Disable SMB (Server Message Block): Disable (Enable if utilized) Update firmware if SMB vulnerabilities found / Contact vendor if specific firmware needed TCP Port 445 Network file sharing protocol implemented by Microsoft. The set of message packets that defines a particular version of the protocol is called the dialect. SMTP (Simple Mail Transfer Protocol): Disable TCP Port 25 A protocol used to send email messages over the Internet that can then be retrieved with an e-mail client using either POP or IMAP protocols. SMTPS (Simple Mail Transfer Protocol Secure): Enable TCP Port 465 Method for securing SMTP with transport layer security. It is intended to provide authentication of the communication partners, as well as data integrity and confidentiality. SMTPS is not a proprietary protocol and not an extension of SMTP. It is just a way to secure SMTP at the transport layer by SSL or TLS. SNMP V1&V2 (Simple Network Management Protocol): Enable UDP Port 161 A protocol for monitoring and controlling devices on a network. SNMP v1 and v2 only utilize a community string that is passed over clear text. Ensure this is not set to public or private. SNMP V3 (Simple Network Management Protocol): Disable (Enable if utilizing) TCP Port 161 Protocol utilized for monitoring and controlling devices on a network. 
SNMPv3 utilizes a username, password, and certificate for communication to the printer. SNMP Traps: Disable (Enable only in cases needed for reporting leased / rented printers) UDP Port 162 Enables an agent to notify the management station of significant events by way of an unsolicited SNMP message for error analysis. Includes current sysUpTime value, an OID identifying the type of trap and optional variable bindings. Destination addressing for traps is determined in an application-specific manner typically through trap configuration variables in the MIB. Ensure this is not set to public or private. SNTP (Simple Network Time Protocol): Disable UDP Port 123 A less complex implementation of Network Time Protocol (NTP), using the same protocol but without requiring the storage of state over extended periods of time. SSDP (Simple Service Discovery Protocol): Disable UDP Port 1900 A network protocol based on the Internet Protocol Suite for advertisement and discovery of network services and presence information that doesn t utilize DHCP or DNS. Telnet: Disable TCP Port 23 Protocol that functions at the application layer of the OSI model, providing terminal emulation capabilities. Telnet uses the connection-oriented services of the TCP/IP protocol for communications. With Telnet, the command to initiate the session is TELNET itself, or TELNET followed by an IP address or hostname to connect to a specific remote host. The remote host system must be running a telnet daemon or service, and after a connection is established, you must log on to the server by using a valid username and password (plain text) as if you were sitting at the server. TFTP (Trivial File Transfer Protocol): Disable UDP Port 69 Simple, lock-step, file transfer protocol which allows a client to get from or put a file onto a remote host. One of its primary uses is in the early stages of nodes booting in a Local Area Network (LAN). 
ThinPrint: Disable Protocol that allows print data to be compressed at the server and decompressed at the client before being printed out on a printer. Increased data transfer speeds resulting from the implementation of this protocol save time and money. XML (Extensible Markup Language): Enable TCP 5000 Allows the printer to be capable of importing / exporting security template information into an.xml format. Utilized for HP web Jetadmin and Markvision. Web Services Print: Disable Printer Service Ability of printer to print while having protocol WSD enabled WINS (Windows Internet Name Service): Disable TCP Port 42 Protocol that centrally maps host names to network addresses. Like DNS, it is implemented in two parts, a server service (that manages the embedded Jet Database, server to server replication, service requests, and conflicts) and a TCP/IP client component which manages the clients registration and renewal of names, and takes care of queries. Wireless: Disable Setting that allows the printer to act as an access point for computers to connect to it and print. This is vulnerable to spoofing. A rogue system or drone is capable of spoofing this access point, intercept the data, and retransmit to another destination. WS-Discovery (Web Services Dynamic Discovery): Disable TCP/UDP Port 3702 Technical specification that defines a multicast discovery protocol to locate services on a local network. It uses IP multicast address WSD (Web Services on Devices): Disable Port monitor Allows network-connected IP-based devices to advertise their functionality and offer these services to clients by using the Web Services protocol. WSD-based devices and clients communicate over the network using a series of SOAP (Simple Object Access Protocol) messages over UDP and HTTP(S). WSD for Devices provides a network plug-and-play experience that is similar to installing a USB device. Step 3: Assign the region specific SNMP v1/2 string to printers for your region. 
Step 4: Assign the Embedded Web Server (EWS) admin / password to stop altering of printer settings for your location. Step 5: Ensure that latest firmware that does not introduce errors is on the printer or upload newest version provided by vendor s website. Step 6: Ensure printers are not located on classified network. Step 7 Use a physical mechanism to lock or physical access controls to prevent unauthorized access to the hard disk Step 8: Ensure hard drive is encrypted if possible Step 9: Implement secure printing with PIV cards if possible Step 10: Change hostname of printer to be in accordance with http://vaww.va.gov/namingconventions/BuildWorkstationName.asp http://vaww.va.gov/namingconventions/approveddevicecodes.asp (Ex. Example: BOS-WSB2R328W1) *Location Code = BOS- *Device Type = WS *Device ID = B2R328W Step 11: Ensure if scan to hard disk function is utilized on the printer, that the hard drive is set to clear the hard disk between jobs. Not required if PIV secure print or a discretionary access list (DACL) is utilized. Step 12: Ensure if scan to file share function is utilized on the printer, that the file shares have the appropriate discretionary access control list in place restricting IP addresses to the file share. Step 13: Ensure if fax from the network function is utilized on the printer, that auditing of user access and fax log is enabled Step 14: Ensure printers are found by print server and stream servers if implemented. Auditing to be conducted through each of these and point to the log server if implemented. Auditing is to be fully enabled. Step 15: Ensure if the printer has a timeout option for functions that the functions do not occur after the desired time. Step 16: Ensure that if a printer is being decommissioned that their hard drive is handled in accordance with VA handbook 6500.1. (Located here: http://www1.va.gov/vapubs/viewPublication.asp?Pub_ID=416&FTy) Step 17: Ensure all functionality of printer is still present. 
Step 18: Ensure that the printer has the appropriate static / DHCP IP address as created by Infrastructure
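A baseline compliance check for the protocol settings and Step 3 above, added here as an example and not part of the VA notice or the draft SOW: it compares a constructed list of listening ports and the SNMP v1/v2 community string for one printer against the Enable/Disable entries whose port the SOW states, applying the Intermec / Zebra FTP exception and the rule that HTTP is disabled only once HTTPS serves the embedded web server. The protocol-to-port mapping, the sample printer and the function name are this example's own assumptions.

```python
# Added example, not from the VA notice or the draft SOW: compare one
# printer's observed listening ports and SNMP v1/v2 community string with
# the Enable/Disable baseline stated above.

# Constructed from the SOW text: protocol -> (transport, port, baseline).
# Entries with "Port unknown" or sharing a port with an enabled service
# (SNMPv3/161, SNTP/123, IPPS/443) are omitted: a port list cannot tell them apart.
BASELINE = {
    "Finger": ("tcp", 79, "disable"),
    "FTP": ("tcp", 21, "disable"),    # SOW: Enable only for Intermec / Zebra
    "HTTP": ("tcp", 80, "disable"),   # SOW: Disable once HTTPS serves the EWS
    "HTTPS": ("tcp", 443, "enable"),
    "IPP": ("tcp", 631, "enable"),
    "LDAP": ("tcp", 389, "disable"),
    "LPR/LPD": ("tcp", 515, "enable"),
    "mDNS": ("udp", 5353, "disable"),
    "RAW 9100": ("tcp", 9100, "enable"),
    "SLP": ("udp", 427, "disable"),
    "SMB": ("tcp", 445, "disable"),
    "SNMP v1/v2": ("udp", 161, "enable"),
    "SNMP traps": ("udp", 162, "disable"),
    "SSDP": ("udp", 1900, "disable"),
    "SSH": ("tcp", 22, "disable"),
    "Telnet": ("tcp", 23, "disable"),
    "TFTP": ("udp", 69, "disable"),
    "WS-Discovery": ("udp", 3702, "disable"),
}
FTP_VENDORS = {"intermec", "zebra"}          # SOW exception for FTP
DEFAULT_COMMUNITIES = {"public", "private"}  # SOW: string must not be these


def check_printer(listening, vendor, community):
    """Return the sorted list of baseline deviations for one printer.

    listening: iterable of (transport, port) pairs observed on the device
    vendor:    printer vendor name, used for the Intermec / Zebra exception
    community: SNMP v1/v2 community string configured on the device
    """
    open_ports = {(t.lower(), int(p)) for t, p in listening}
    findings = []
    for name, (transport, port, want) in BASELINE.items():
        if name == "FTP" and vendor.lower() in FTP_VENDORS:
            want = "enable"
        if name == "HTTP" and ("tcp", 443) not in open_ports:
            continue  # the missing HTTPS entry is reported instead
        is_open = (transport, port) in open_ports
        if want == "disable" and is_open:
            findings.append(f"{name}: {transport}/{port} open, baseline says Disable")
        elif want == "enable" and not is_open:
            findings.append(f"{name}: {transport}/{port} closed, baseline says Enable")
    if community.lower() in DEFAULT_COMMUNITIES:
        findings.append("SNMP v1/v2: community string is a default value")
    return sorted(findings)


# Constructed sample: an HP MFP left at factory-default service settings.
SAMPLE_LISTENING = [
    ("tcp", 80), ("tcp", 443), ("tcp", 23), ("tcp", 515), ("tcp", 631),
    ("tcp", 9100), ("udp", 161), ("udp", 5353), ("udp", 3702),
]

if __name__ == "__main__":
    for finding in check_printer(SAMPLE_LISTENING, "HP", "public"):
        print(finding)
```

The listening-port input can come from whatever inventory or scan data the site already holds for its printers; the check only reports deviations and changes nothing on the device.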

Original Point of Contact

POC Joshua G Anderson

Place of Performance

Link: FBO.gov Permalink