Removable Storage and External Connections Security Technical Implementation Guide


Version / Release: V1R7

Published: 2017-09-25

Updated At: 2018-10-12 01:24:29


Requirements (Vuln ID, Rule Version, Severity, Title, Description)

SV-25612r1_rule  STO-ALL-010  HIGH
  Title: Require approval prior to allowing use of portable storage devices.
  Description: Use of unapproved devices to process non-publicly releasable data increases the risk to the network. Devices attached to or inserted into the end point's plug-and-play ports and slots can be a vector for the insertion of malware when used to access the n

SV-25614r3_rule  STO-DRV-010  HIGH
  Title: Access to mobile and removable storage devices such as USB thumb drives and external hard disk drives will be protected by password, PIN, or passphrase.
  Description: If USB media and devices are not protected by strong access control techniques, unauthorized access may put sensitive data at risk. Data-at-rest encryption products will be configured to require a user-chosen PIN prior to unencrypting the drive. Users mus

SV-25617r2_rule  STO-DRV-030  MEDIUM
  Title: For all removable flash media and external hard disk drives, use an organization-approved method to wipe the device before using it for the first time.
  Description: Removable media often arrives from the vendor with many files already stored on the drive. These files may contain malware or spyware which present a risk to DoD resources.

SV-25620r3_rule  STO-DRV-020  MEDIUM
  Title: Sensitive but unclassified data must be encrypted using FIPS 140-2 validated modules when stored on a USB flash drive and external hard disk drive.
  Description: If information deemed sensitive (non-publicly releasable) by the data-owner is not encrypted when stored on removable storage media, this can lead to the compromise of unclassified sensitive data. These devices are portable and are often lost or stolen, w

SV-25621r1_rule  STO-ALL-050  LOW
  Title: Train all users on the secure use of removable media and storage devices, acceptable use policy, and approval process through use of a user's guide, user's agreement, or training program.
  Description: Written user guidance gives the users a place to learn about updated guidance on user responsibilities for safeguarding DoD information assets. Most security breaches occur when users violate security policy because they lack training. Information Assura

SV-25623r1_rule  STO-ALL-040  HIGH
  Title: Set the boot order of computers approved for use with removable storage such that the Basic Input Output System (BIOS) does not allow default booting from devices attached to a USB, firewire, or eSATA port.
  Description: If the BIOS is left set to allow the end point to boot from a device attached to the USB, firewire, or eSATA port, an attacker could use a USB device to force a reboot by either performing a hardware reset or cycling the power. This can lead to a denial o

SV-25806r1_rule  USB-WUSB-010  MEDIUM
  Title: For Wireless USB (WUSB) devices, comply with the Wireless STIG peripheral devices policy.
  Description: The use of unauthorized wireless devices can compromise DoD computers, networks, and data. The receiver for a wireless end point provides a wireless port on the computer that could be attacked by a hacker. Wireless transmissions can be intercepted by a ha

SV-25810r1_rule  STO-ALL-030  LOW
  Title: Maintain a list of approved removable storage media or devices.
  Description: Many persistent memory media or devices are portable, easily stolen, and contain sensitive data. If these devices are lost or stolen, it may take a while to discover that sensitive information has been lost. Inventory and bar-coding of authorized devices

SV-25811r1_rule  STO-ALL-020  HIGH
  Title: Permit only government-procured and -owned devices.
  Description: Persistent memory devices (e.g., thumb drives, memory cards, external hard drives, or other removable storage devices) may contain malware installed on the drive or within the firmware. Personally- or contractor-owned devices may not be compliant with rig

SV-25812r1_rule  STO-DRV-040  LOW
  Title: Firmware on the USB flash drive and external hard drive will be signed and verified with either Hashed Message Authentication Code (HMAC) or digital signatures.
  Description: Several security incidents have occurred when the firmware on devices contained malware. For devices used to store or transfer sensitive information, if the firmware is signed, then this provides added assurance that the firmware has not been compromised.

SV-25813r1_rule  STO-FLSH-010  MEDIUM
  Title: Data transfers using USB flash media (thumb drives) will comply with the requirements in CTO 10-084 (or the most recent version), and these procedures will be documented.
  Description: USB flash media may have malware installed on the drive which may adversely impact the DoD network. Even the use of approved devices does not eliminate this risk. Use of sound security practices and procedures will further mitigate this risk when using f

SV-25814r2_rule  STO-FLSH-040  MEDIUM
  Title: Install and configure Host-Based Security System (HBSS) with Device Control Module (DCM) on all Windows host computers that will use removable storage devices.
  Description: Because of the innate security risks involved with using removable storage devices (flash drives, thumb drives, disk drives, etc.), an access control and authorization method is needed. DCM software provides granular end point access control and manageme

SV-25815r3_rule  STO-FLSH-050  MEDIUM
  Title: For end points using Windows operating systems, removable storage devices will be restricted by a unique device identifier (e.g., serial number, device instance ID) or to specific host end points or users.
  Description: Because of the innate security risks involved with using removable storage devices (e.g., flash drives, thumb drives, external solid state disk drives, etc.), users must follow required access procedures. Restricting specific devices to each user allows f

SV-28850r1_rule  STO-FLSH-020  LOW
  Title: Maintain a list of all personnel that have been authorized to use flash media.
  Description: Many USB flash media devices are portable, easily stolen, and may be used to temporarily store sensitive information. If these devices are lost or stolen, it will assist the investigation if personnel who use these devices are readily identified with con

SV-28851r1_rule  STO-FLSH-030  LOW
  Title: Maintain a list of all end point systems that have been authorized for use with flash media.
  Description: Many USB persistent memory devices are portable and easily overlooked. They may be used as a vector for exfiltrating data. To help mitigate this risk, end points must be designated as properly authorized and configured for use with USB flash drives withi

SV-28875r1_rule  STO-ALL-070  MEDIUM
  Title: The host system will perform on-access anti-virus and malware checking, regardless of whether the external storage or flash drive has software or hardware malware features.
  Description: Like the traditional hard drive, removable storage devices and media may contain malware which may threaten DoD systems to which they eventually directly or indirectly attach. To mitigate this risk, DoD policy requires anti-virus and malware detection sol

SV-28876r2_rule  STO-FLSH-070  MEDIUM
  Title: For higher risk data transfers using flash media, use organization-approved security scanning software and disk wipe software to protect against malware and data compromise.
  Description: Use of organization-approved security scanning software and disk wipe software with the procedures listed in the Check section is the only authorized method for using flash media for higher risk data transfers.

SV-28877r2_rule  STO-DRV-060  MEDIUM
  Title: Removable storage devices for which the organization has failed to maintain physical control will be scanned for malicious activity upon reclamation.
  Description: Failure to maintain proper control of storage devices used in sensitive systems may mean the firmware or other files could have been compromised. Action is needed to scan for malicious code. Although, the data on the device is most likely protected by enc

SV-28906r2_rule  STO-FLSH-060  MEDIUM
  Title: Organizations that do not have a properly configured HBSS with DCM configuration will not use removable storage devices.
  Description: Because of the innate security risks involved with using removable storage devices (flash drives, thumb drives, disk drives, etc.), an access control and authorization method is needed. DCM software provides granular end point access control and manageme

SV-29816r1_rule  STO-DRV-025  LOW
  Title: Configure the cryptographic module on a USB thumb drive or external hard drive using a NIST-approved encryption algorithm to encrypt sensitive or restricted data-at-rest.
  Description: The DoD DAR policy requires encryption for portable and mobile storage. However, even when a FIPS 140-2 validated cryptographic module is used, the implementation must be configured to use a NIST-approved algorithm. Advanced Encryption Standard (AES) is th

SV-29818r1_rule  STO-DRV-021  HIGH
  Title: Use a National Security Agency (NSA)-approved, Type 1 certified data encryption and hardware solution when storing classified information on USB flash media and other removable storage devices.
  Description: The exploitation of this vulnerability will directly and immediately result in loss of, unauthorized disclosure of, or access to classified data or materials. An NSA-approved, Type 1 solution includes the hardware, software, and proof of coordination/appr