Removable Storage and External Connections Security Technical Implementation Guide
- RMF Control:
- Severity: H
- CCI:
- Version: STO-ALL-010
- Vuln IDs: V-22110
- Rule IDs: SV-25612r1_rule
Checks: C-27469r1_chk
Further policy details: This policy applies to devices attached using external Universal Serial Bus (USB), Firewire, or External Serial Advanced Technology Attachment (eSATA) ports. It also applies to devices containing either volatile or persistent (non-volatile) memory (e.g., thumb drives, memory sticks, camera memory cards, external USB hard drives, MP3 players, camcorders, cameras, printers, and network equipment). Blanket approvals by type are acceptable. DAA approval is required prior to using thumb drives, memory sticks, and memory cards. DAAs may designate alternate flash media approving officials who are O-6 or equivalent. Approvers will restrict flash media approvals to mission essential requirements. Information Assurance Officer (IAO) approval is sufficient and necessary for use of externally connected hard disk drives and other persistent memory devices. This requirement also applies to devices that attach to external USB, firewire, or eSATA ports on end points attached to government systems containing non-public releasable data or attached to DoD networks. Approvers will not authorize use or purchase of removable storage devices that are disguised to look like common items such as pens or bracelets. Disguised storage devices may be easily overlooked in a spot security search.

Check:
1. Verify an approval document signed by the IAO exists for the use of each type of USB device by device ID.
2. Verify an approval document signed by the DAA (or alternative approving official) exists for the use of flash drives, flash media readers, and memory cards.
3. Compare the approval documents to the device types listed on the required USB devices equipment list.

NOTE: The approval document may be a blanket approval by type of device (e.g., approved use of USB keyboard and mouse throughout the organization).
Fix: F-23556r1_fix
Require approval prior to allowing use of portable storage devices.
- RMF Control:
- Severity: H
- CCI:
- Version: STO-DRV-010
- Vuln IDs: V-22111
- Rule IDs: SV-25614r1_rule
Checks: C-27094r1_chk
Further policy details: In accordance with the DoD data-at-rest (DAR) policy, access control is required to protect data not approved for public release. The DoD Enterprise Software Initiative (ESI) blanket purchase agreements program requires all products support encryption and a FIPS 140-2 password, PIN, or passphrase. Access control can be implemented using either software or hardware. The recommended best practice is to purchase devices that include built-in security features, including on-board or hardware encryption, password management, key management, and malware protection. Several manufacturers offer drives with these features. A USB thumb drive security vulnerability was discovered by a German company that describes a security flaw that allows an attacker to use a very simple software tool that can unlock any of the affected hardware-encrypted storage devices and bypass the access control system. This exploit worked on several thumb drive models that were FIPS 140-2 validated. Thus, it is imperative that organizations use thumb drives which are on the DAR contract.

The following DoD policies apply to access control solutions for all USB storage devices.
- Use of password or PIN to access the encrypted storage device. Certificate-based authentication can be used but is not mandated.
- For devices with on-board access control and encryption features, the system administrator will configure these security features prior to issuance. Default PINs and passwords will be changed prior to use.
- Password and/or key management procedures will be established for systems storing mission-critical information.

Check procedure: Interview the site representative and perform the following procedures.
1. Inspect a sampling of the different types of USB storage devices used.
2. Verify that a password or PIN is required to gain access to the data stored on the USB device by attempting access.

Mark as a finding if a PIN or password is not set.
Fix: F-23196r1_fix
Access to mobile and removable storage devices such as USB thumb drives and external hard disk drives will be protected by password, PIN, or passphrase.
- RMF Control:
- Severity: M
- CCI:
- Version: STO-DRV-030
- Vuln IDs: V-22112
- Rule IDs: SV-25617r1_rule
Checks: C-27097r1_chk
Further policy details: NSA-approved tools must be used for scanning and wiping all external storage drives and media prior to first time use. A list of NSA-approved tools, approved specifically for scanning and wiping flash media, is available at https://www.cybercom.mil/default.aspx. These are the only approved tools for flash media.

Check procedure:
1. Interview the site representative.
2. Ask if devices are wiped using approved software and procedures prior to using the drive to store or transfer DoD files.
3. Mark as a finding if this is a Windows system and USCYBERCOM-approved tools are not used for scanning and wiping flash media prior to first time use.
4. Mark as a finding for all devices where the disk is not wiped before first-time use.
Fix: F-23199r1_fix
For all USB flash media (thumb drives) and external hard disk drives, use an approved method to wipe the device before using it for the first time.
- RMF Control:
- Severity: M
- CCI:
- Version: STO-DRV-020
- Vuln IDs: V-22113
- Rule IDs: SV-25620r2_rule
Checks: C-27100r2_chk
Inspect a sample of USB thumb drives and portable storage devices. Verify, if the device is authorized for use with sensitive unclassified data, that encryption is used.
- This policy applies to USB thumb drives and external hard drives. Since memory cards, cameras, and other similar technologies do not have approved encryption solutions, these devices must be used only with AO approval. However, compliance with HBSS/DCM and other STIG requirements is required.
- For USB thumb drives, use an on-board cryptographic module. For USB external hard disk drives, an on-board module is not mandated.
- For USB thumb drives, use a FIPS 140-2 validated tamper-resistant and tamper-evident design with cryptographic chip protection. This is generally not visible on the case, thus the site representative will provide the reviewer with the device documentation showing this feature.
- For USB hard drives, tamper resistant features are required for drives that are used for mobile, remote, or portable storage.

If sensitive but unclassified data is not being encrypted using FIPS 140-2 validated modules on USB flash drives and external hard disk drives, this is a finding.
Fix: F-23202r2_fix
Encrypt sensitive but unclassified data with FIPS 140-2 validated modules when stored on a USB flash drive or external hard disk drive.
- RMF Control:
- Severity: L
- CCI:
- Version: STO-ALL-050
- Vuln IDs: V-22114
- Rule IDs: SV-25621r1_rule
Checks: C-27101r1_chk
Further policy details: Users will be trained to ensure devices are powered off for at least 60 seconds when disconnecting them from one system and connecting them to a different system, to make sure enough time passes for all power to dissipate and the memory to be erased. Devices that contain volatile memory use the memory for temporary storage (e.g., page buffers in printers, image buffers in scanners, or cache buffers in removable storage devices like Zip drives). Special note should be made of USB hubs, as they contain memory buffers even though it is not obvious. When power is removed from these devices by unplugging them from the port, and unplugging them from a separate power supply if one is needed, their memory is erased. Because these devices are designed to withstand minor fluctuations in power, they contain some means of maintaining memory for short power interruptions.

Check procedures: Inspect the relevant document. Verify the documentation or user agreement contains the following at a minimum.

Volatile memory devices:
1. Acceptable use and approval process for the use of volatile memory devices.
2. Powering down volatile memory devices for 60 seconds before connecting to any end point.
3. Labeling and handling instructions in coordination with the Security Manager (SM).
4. Procedures for reporting lost/stolen devices.

Persistent memory devices:
1. Acceptable use and approval process for the use of all USB devices.
2. Acceptable use and approval process for the use of flash media devices with the Windows OS.
3. An explanation of the restrictions placed on attaching non-government-owned USB devices to a government-owned system.
4. Use of authorized government-owned flash drives with personal or other unauthorized computers.
5. Data transfer and wiping procedures.
6. The prohibition against disguised USB drives.
7. Labeling and handling instructions in coordination with the Security Manager (SM).
8. Procedures for reporting lost or stolen devices.
Fix: F-23203r1_fix
Train all users on the secure use of removable media and storage devices, acceptable use policy, and approval process through use of a user's guide, user's agreement, or training program.
- RMF Control:
- Severity: H
- CCI:
- Version: STO-ALL-040
- Vuln IDs: V-22115
- Rule IDs: SV-25623r1_rule
Checks: C-27103r1_chk
Further policy details: Some systems do not have a setting for disabling boot from USB or other types of ports. In these cases, "Boot from USB" or other interface connection types should be moved to last in the boot device list in the BIOS. The risk is lessened but not mitigated, so the reviewer will mark this as a CAT II finding.

Check procedure:
1. Inspect the BIOS settings. Navigate to the boot order configuration tab.
2. Work with the site representative to verify that no end point has its BIOS set to allow a default boot from an external port.
3. Verify that a system can be booted from a USB, firewire, or eSATA device for maintenance or recovery purposes, but that it will not be allowed to do so when in normal use.
Fix: F-23205r1_fix
Set the boot order of computers approved for use with removable storage such that the BIOS does not allow default booting from devices attached to a USB, firewire, or eSATA port.
- RMF Control:
- Severity: M
- CCI:
- Version: USB-WUSB-010
- Vuln IDs: V-22169
- Rule IDs: SV-25806r1_rule
Checks: C-27325r1_chk
Interview the IAO or site representative. Add the "Wireless Peripheral" asset posture in VMS to the end point asset (e.g., desktop or notebook) and complete the Bluetooth checks as part of the workstation or end point security review.
Fix: F-23392r1_fix
For Wireless USB (WUSB) devices, comply with the Wireless STIG peripheral devices policy.
- RMF Control:
- Severity: L
- CCI:
- Version: STO-ALL-030
- Vuln IDs: V-22172
- Rule IDs: SV-25810r1_rule
Checks: C-27321r1_chk
Further policy details: Track all devices: flash media, external hard drives, CAC readers, printers, scanners, and other devices attached to USB, firewire, or eSATA ports.

NOTE: This requirement does not apply to keyboards and mice that do not contain persistent memory.
NOTE: See the Wireless STIG for security requirements for wireless keyboards and mice.

Check procedure: Inspect the equipment list that is used to track flash media, external storage, and/or externally connected peripheral devices. Verify that identifying information is tracked and the list is kept updated as new equipment is replaced or purchased. The following data must be included:
1. Bar code tag or serial number.
2. Type of device.
3. Name and contact information of the person to whom the device is issued.
4. If the device was transferred, disposition information such as date wiped and transferred.
Fix: F-23388r1_fix
Maintain a list of approved removable storage media or devices.
- RMF Control:
- Severity: H
- CCI:
- Version: STO-ALL-020
- Vuln IDs: V-22173
- Rule IDs: SV-25811r1_rule
Checks: C-27322r1_chk
Further policy details: Use of coalition-owned devices, or devices owned by another government agency, though permitted, would require DAA approval and must be essential to mission requirements.

Check procedures: Interview the site representative and ask the following questions.
1. Are non-DoD devices, such as personally- or contractor-owned devices, used for data storage and/or transfer?
2. Are these devices allowed for use with end points containing non-publicly releasable information?
3. Are these devices allowed for use with end points that (periodically or frequently) attach to networks that process non-publicly releasable information?

If personally- or contractor-owned devices are in use, this is a finding.
Fix: F-23389r1_fix
Permit only government-procured and -owned devices.
- RMF Control:
- Severity: L
- CCI:
- Version: STO-DRV-040
- Vuln IDs: V-22174
- Rule IDs: SV-25812r1_rule
Checks: C-27323r1_chk
Further policy details:
1. The minimum acceptable HMAC and signature algorithms are HMAC-SHA256 and Rivest-Shamir-Adleman (RSA) 2048 or better.
2. This requirement applies to USB thumb drives. This requirement also applies to external hard disk drives regardless of connection type (e.g., eSATA, firewire, or USB).
3. This requirement applies to media and devices used for storage of high value data or for transfer between systems with differing classification or trust levels (e.g., contractor to government system).
4. Use of approved devices will ensure use of products with this feature.

Check: Verify use of approved devices from the DAR-approved products list for flash drive and removable storage devices.
Fix: F-23390r1_fix
Firmware on the USB flash drive and external hard drive will be signed and verified with either a Hashed Message Authentication Code (HMAC) or a digital signature.
- RMF Control:
- Severity: M
- CCI:
- Version: STO-FLSH-010
- Vuln IDs: V-22175
- Rule IDs: SV-25813r1_rule
Checks: C-27332r1_chk
Inspect the DAA-approved documentation of flash media procedures. Verify that the DAA or the designated Flash Media Approval Authority has established documentation on using flash media devices. Documentation must be signed by the DAA or his/her alternate and will include the following at a minimum:
1. Types of flash media (e.g., thumb drives, camera memory) that may be used in the organization under its area of responsibility and by whom.
2. Procedures for identifying, reporting, and investigating violations of the acceptable use policy.
3. Procedures for random and periodic inspections to ensure compliance.
4. Procedures for approval/disapproval of flash media use requests.
Fix: F-23393r1_fix
Data transfers using USB flash media (thumb drives) will comply with the requirements in the CTO 10-084 (or most recent version) and these procedures will be documented.
- RMF Control:
- Severity: M
- CCI:
- Version: STO-FLSH-040
- Vuln IDs: V-22176
- Rule IDs: SV-25814r1_rule
Checks: C-27333r1_chk
Further policy details: This check applies only to end points using Windows OS that use flash media devices.

Check Procedure: Inspect the end points. Ensure the following:
1. HBSS is installed and configured in compliance with the HBSS STIG. The site may provide the results of an SRR review or self-inspection.
2. Verify DCM is installed and configured to allow only authorized flash media devices by using a device identifier or serial number.
3. Verify DCM is configured in accordance with the CTO 10-004(A or updated version).
4. If the HBSS/DCM solution is not used, an alternate solution which performs the required security functions is required, and this alternative must be approved by USCYBERCOM.
Fix: F-23394r1_fix
Install and configure Host-Based Security System (HBSS) with Device Control Module (DCM) on all Windows host computers that will use USB flash media (thumb drives).
- RMF Control:
- Severity: M
- CCI:
- Version: STO-FLSH-050
- Vuln IDs: V-22177
- Rule IDs: SV-25815r1_rule
Checks: C-27334r1_chk
Further policy details: HBSS DCM configuration guidance is located at www.dodpatchrepository.mil.

Check procedures:
1. View the configuration of the DCM module.
2. Verify that DCM is configured to allow or deny approved USB devices based on specific device parameters (i.e., serial number and device instance ID), device driver type (e.g., external USB storage device), and/or a specific host end point or user.
Fix: F-23395r1_fix
For end points using Windows operating systems, USB flash media will be restricted by a specific device or by a unique identifier (e.g., serial number) to specific users and machines.
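The serial-number restriction that STO-FLSH-050 delegates to DCM, and the serial-number tracking that STO-ALL-030 requires of the equipment list, can be spot-checked from the end point itself during a review. The PowerShell below is an added example written for this page; it is not the STIG's own content and it is not HBSS/DCM configuration. It enumerates USB-attached disks through the Win32_DiskDrive CIM class and reports each one as approved or as a finding against an approved-device list. The CSV list, its column names, and its entries are constructed sample data; a site would substitute its actual equipment list.

```powershell
# Added example, not part of the STIG or of HBSS/DCM: audit the USB mass-storage
# devices attached to a Windows end point against the organization's approved
# equipment list, keyed by serial number.

# Constructed sample of the equipment list (column names are this example's
# assumption). In practice, Import-Csv the site's actual list instead.
$ApprovedCsv = @'
SerialNumber,Model,IssuedTo
0A1B2C3D4E5F,Example FIPS Thumb Drive,J. Doe (555-0100)
AA55AA55AA55,Example External HDD,R. Roe (555-0101)
'@
$Approved = $ApprovedCsv | ConvertFrom-Csv

function Get-UsbStorageDevice {
    # Win32_DiskDrive reports USB-attached disks with InterfaceType 'USB'.
    # Disks enumerated through the USBSTOR bus carry a PNPDeviceID that starts
    # with 'USBSTOR\' (UASP-attached drives may report 'SCSI' as the interface,
    # so both signals are checked). PNPDeviceID is the device instance ID that
    # device-control tooling can key on.
    Get-CimInstance -ClassName Win32_DiskDrive |
        Where-Object { $_.InterfaceType -eq 'USB' -or $_.PNPDeviceID -like 'USBSTOR\*' } |
        ForEach-Object {
            [pscustomobject]@{
                Model        = $_.Model
                SerialNumber = ([string]$_.SerialNumber).Trim()
                InstanceId   = $_.PNPDeviceID
            }
        }
}

function Test-UsbStorageApproval {
    param(
        [AllowEmptyCollection()] [object[]] $Attached,
        [AllowEmptyCollection()] [object[]] $Approved
    )
    # Index the approved list by normalized serial number.
    $bySerial = @{}
    foreach ($a in $Approved) {
        $serial = ([string]$a.SerialNumber).Trim().ToUpperInvariant()
        if ($serial) { $bySerial[$serial] = $a }
    }
    foreach ($d in $Attached) {
        $serial = $d.SerialNumber.ToUpperInvariant()
        $match  = $null
        if ($serial) { $match = $bySerial[$serial] }

        # A device that reports no serial number cannot be matched to the
        # equipment list at all, which is itself a finding.
        if (-not $serial)  { $status = 'FINDING: no serial number reported' }
        elseif ($match)    { $status = 'Approved' }
        else               { $status = 'FINDING: not on equipment list' }

        $issuedTo = ''
        if ($match) { $issuedTo = $match.IssuedTo }

        [pscustomobject]@{
            Model        = $d.Model
            SerialNumber = $d.SerialNumber
            InstanceId   = $d.InstanceId
            IssuedTo     = $issuedTo
            Status       = $status
        }
    }
}

$attached = @(Get-UsbStorageDevice)
if ($attached.Count -eq 0) {
    Write-Output 'No USB mass-storage devices attached.'
} else {
    Test-UsbStorageApproval -Attached $attached -Approved $Approved | Format-Table -AutoSize
}
```

Run it on the end point under review with a PowerShell that provides Get-CimInstance (3.0 or later). A match on serial number confirms that the attached device is on the list; it does not by itself show that DCM is enforcing the restriction, which is still verified by inspecting the DCM configuration as the check procedure states.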
- RMF Control:
- Severity: L
- CCI:
- Version: STO-FLSH-020
- Vuln IDs: V-23894
- Rule IDs: SV-28850r1_rule
Checks: C-29515r1_chk
Further policy details: Personnel do not have to be matched to a particular machine or device. This check applies only to flash media devices.

Check procedure:
1. Inspect the USB authorized personnel listing provided by the site representative.
2. Verify that the list contains names and current contact information at a minimum.
Fix: F-26579r1_fix
Maintain a list of all personnel that have been authorized to use flash media.
- RMF Control:
- Severity: L
- CCI:
- Version: STO-FLSH-030
- Vuln IDs: V-23895
- Rule IDs: SV-28851r1_rule
Checks: C-29516r1_chk
Further check details: A system does not have to be tied to a single specific device or individual on the listing.

Check procedure:
1. Inspect the USB authorized end point listing.
2. Verify that identifying information such as device serial number and location is tracked on the listing.
Fix: F-26580r1_fix
Maintain a list of all end point systems that have been authorized for use with flash media.
- RMF Control:
- Severity: M
- CCI:
- Version: STO-ALL-070
- Vuln IDs: V-23919
- Rule IDs: SV-28875r1_rule
Checks: C-29524r1_chk
Further policy details: All enterprise and host systems will be configured to perform on-access scanning for viruses/malware upon introduction to a system. If the destination device (e.g., router, camera, or printer) does not support on-access scanning, ensure data is scanned before loading. Reference the Intellipedia webpage related to HBSS for additional guidance regarding proper configuration and scanning capabilities of DoD-approved antivirus software. The antivirus scanning on the host is configured in compliance with the Antivirus Security Guidance (available at http://iase.disa.mil/stigs/checklist/index.html) and the latest version of CTO 10-084 requirements.

Check procedures:
1. Inspect a sampling of external drives, USB thumb drives, and other removable storage drives such as cameras.
2. View the process of attaching these devices to an authorized host and verify that files are inspected by the anti-virus software when retrieved on access.
3. Ask the site representative for evidence that verifies that a security review using the Antivirus Security Guidance and the latest version of CTO 10-084 requirements has been performed.
4. Interview the IAO or site representative and verify that incident response procedures include flash media and external hard drive storage devices.
Fix: F-26592r1_fix
The host system will perform on-access anti-virus and malware checking, regardless of whether the flash memory device has software or hardware malware features.
- RMF Control:
- Severity: M
- CCI:
- Version: STO-FLSH-070
- Vuln IDs: V-23920
- Rule IDs: SV-28876r1_rule
Checks: C-29525r1_chk
Further policy details: This requirement applies to flash media. Higher risk categories are defined as:
1. Data transfers to or from non-DoD systems.
2. Special cases when data must traverse different classification domains.

Higher risk data transfer procedures for USB thumb drives:
1. Insert/unlock the USB thumb drive.
2. Load the file from the source network.
3. Scan the flash media device with NSA's FiST.
4. Set the USB thumb drive to read-only mode, if possible.
5. Scan the file using scanning software on the destination network.
6. Load the file to the destination network.
7. Use ME to wipe the device when the data is no longer needed.

Higher risk data transfer procedures for memory cards:
1. Insert the card into the card reader.
2. Insert the card reader (if separate) into NSA's FiST.
3. Scan the disk drive created by the memory card using FiST.
4. Scan the disk drive created by the memory card using scanning software on the destination network.
5. Load the file to the destination network.
6. Use ME to wipe the device when the data is no longer needed.

Check procedures:
1. Interview the site representative.
2. Ask if higher risk data transfers, as outlined above, are performed. If so, ask how the transfer is done and verify compliance with the above procedure.
Fix: F-26594r1_fix
For higher risk data transfers using thumb drives, the File Sanitization Tool (FiST) with Magik Eraser (ME) will be used.
- RMF Control:
- Severity: M
- CCI:
- Version: STO-DRV-060
- Vuln IDs: V-23921
- Rule IDs: SV-28877r1_rule
Checks: C-29526r1_chk
Further policy details: This requirement applies to removable storage media and other persistent memory devices that are recovered after a loss or theft. This also applies to cases where the organization failed to maintain positive physical control commensurate with the classification of the data authorized to be transferred. Reclaimed media and drives will be scanned (using FiST) for malicious activity and wiped (using ME) immediately when the data is no longer needed.

Reclamation procedures:
1. Insert or access the device.
2. Scan the device with NSA's FiST.
3. Wipe the device using ME.

Check procedures:
1. Interview the site representative.
2. Verify that the data transfer procedures outlined above are being followed if/when lost, stolen, or misplaced flash media and external hard drives are recovered.
Fix: F-26595r1_fix
Removable storage devices for which the organization has failed to maintain physical control will be scanned for malicious activity upon reclamation.
- RMF Control:
- Severity: M
- CCI:
- Version: STO-FLSH-060
- Vuln IDs: V-23950
- Rule IDs: SV-28906r1_rule
Checks: C-29531r1_chk
Further policy details:
1. This requirement applies to all flash media devices, including memory cards and USB devices.
2. DCM will be configured to monitor all flash media, including camera memory, if it is used for non-publicly releasable information storage or to connect to clients attached to DoD networks.

Check procedure: Inspect the end points and ensure the following.
1. Verify that if USB thumb drives are used, then HBSS/DCM is used to track usage.
2. Inspect to see if memory cards are used for non-publicly releasable data or are directly or indirectly attached to the NIPRNet or the SIPRNet.
3. If either of these is true, then verify use of HBSS/DCM to monitor their usage.
Fix: F-26611r1_fix
Organizations that do not have a properly configured HBSS with DCM configuration will not use flash media.
- RMF Control:
- Severity: L
- CCI:
- Version: STO-DRV-025
- Vuln IDs: V-24176
- Rule IDs: SV-29816r1_rule
Checks: C-30119r1_chk
Further policy details: In accordance with CTO 10-084, USB thumb drives will be configured to meet the following requirements. External hard disk drives used for remote or portable storage of sensitive information must also meet these requirements unless exceptions are approved by the DAA.
1. The random number generator shall follow NIST SP 800-90 or FIPS 140-2 Annex C and support the key size used for AES.
2. The USB flash drive data encryption algorithm shall be AES using the appropriate key size (128- or 256-bit key) in one of the following modes: CBC, CCM, CFB, CTR, OFB, and XTS.
3. The implementation must meet FIPS 140-2, FIPS PUB 197, and NIST SP 800-38A.
4. Must support the ability to enter a strong passphrase/password that meets FIPS 140-2 standards.
5. Firmware updates on the USB device will be signed and verified using RSA 2048 or ECDSA with P256.
6. Firmware health checks should be authenticated with either a Hashed Message Authentication Code (HMAC-SHA256) or a digital signature (RSA 2048 or ECDSA P256).

Check procedures:
1. Work with the site representative to view the configuration of the encryption module used with the thumb drive or external hard drive.
2. Verify that AES is selected as the encryption algorithm.
3. Verify that the configuration requirements listed in the Further policy details section of this check are configured.

Mark as a finding if any of the AES configuration requirements are not selected. To provide the required level of trust, AES must be configured correctly, since these settings mitigate known risks to the stored data.
Fix: F-26927r1_fix
Configure the cryptographic module on a USB thumb drive or external hard drive using a NIST-approved encryption algorithm to encrypt sensitive or restricted data-at-rest.
- RMF Control:
- Severity: H
- CCI:
- Version: STO-DRV-021
- Vuln IDs: V-24177
- Rule IDs: SV-29818r1_rule
Checks: C-30145r1_chk
1. Verify use of an NSA-approved solution which is approved for use for the level of classified data stored on the device. This solution will be implemented in consultation with NSA and will include the hardware, software, and configuration required for secure implementation of the solution.
2. Verify use of an NSA-certified, Type 1 encryption module for protecting data-at-rest.
Fix: F-26934r1_fix
Use a National Security Agency (NSA) Type 1 certified solution when storing classified information on USB flash media and other removable storage devices.