Further policy details: This policy applies to devices attached using external Universal Serial Bus (USB), Firewire, or External Serial Advanced Technology Attachment (eSATA) ports. It also applies to devices containing either volatile or persistent (non-volatile) memory (e.g., thumb drives, memory sticks, camera memory cards, external USB hard drives, MP3 players, camcorders, cameras, printers, and network equipment). Blanket approvals by type are acceptable. DAA approval is required prior to using thumb drives, memory sticks, and memory cards. DAAs may designate alternate flash media approving officials who are O-6 or equivalent. Approvers will restrict flash media approvals to mission essential requirements. Information Assurance Officer (IAO) approval is sufficient and necessary for use of externally connected hard disk drives and other persistent memory devices. This requirement also applies to devices that attach to external USB, firewire, or eSATA ports on end points attached to government systems containing non-public releasable data or attached to DoD networks. Approvers will not authorize use or purchase of removable storage devices that are disguised to look like common items such as pens or bracelets. Disguised storage devices may be easily overlooked in a spot security search.
Check:
1. Verify an approval document signed by the IAO exists for the use of each type of USB device by device ID.
2. Verify an approval document signed by the DAA (or alternate approving official) exists for the use of flash drives, flash media readers, and memory cards.
3. Compare the approval documents to the device types listed on the required USB devices equipment list.
NOTE: The approval document may be a blanket approval by type of device (e.g., approved use of USB keyboard and mouse throughout the organization).
Require approval prior to allowing use of portable storage devices.
Interview the site representative and perform the following procedures.
1. Inspect a sampling of the different types of USB storage devices used.
2. Verify that a password or PIN is required to gain access to the data stored on the USB device by attempting access.
If a password, PIN, or passphrase is not required to gain access to the data stored on the USB device, this is a finding.
Access to mobile and removable storage devices such as USB thumb drives and external hard disk drives will be protected by password, PIN, or passphrase.
Interview the site representative to determine if organization-approved tools are being used for scanning and wiping all external storage drives and removable media prior to first-time use. If organization-approved scanning and wiping tools are not used prior to first-time use of removable flash media or external hard disk drives, this is a finding.
For all removable flash media and external hard disk drives, use an organization-approved method to wipe the device before using it for the first time.
Inspect a sample of USB thumb drives and portable storage devices. Verify, if the device is authorized for use with sensitive unclassified data, that encryption is used.
- This policy applies to USB thumb drives and external hard drives. Since memory cards, cameras, and other similar technologies do not have approved encryption solutions, these devices must be used only with AO approval. However, compliance with HBSS/DCM and other STIG requirements is required.
- For USB thumb drives, use an on-board cryptographic module. For USB external hard disk drives, an on-board module is not mandated.
- For USB thumb drives, use a FIPS 140-2 validated tamper-resistant and tamper-evident design with cryptographic chip protection. This is generally not visible on the case, so the site representative will provide the reviewer with the device documentation showing this feature.
If sensitive but unclassified data is not being encrypted using FIPS 140-2 validated modules on USB flash drives and external hard disk drives, this is a finding.
Encrypt sensitive but unclassified data with FIPS 140-2 validated modules when stored on a USB flash drive or external hard disk drive.
Further policy details: Users will be trained to ensure devices are powered off for at least 60 seconds when disconnecting them from one system and connecting them to a different system to make sure enough time passes for all power to dissipate and the memory to be erased. Devices that contain volatile memory use the memory for temporary storage (e.g., page buffers in printers, image buffers in scanners, or cache buffers in removable storage devices like Zip drives). Special note should be made of USB hubs, as they contain memory buffers even though it is not obvious. When power is removed from these devices by unplugging them from the port and unplugging them from a separate power supply if one is needed, their memory is erased. Because these devices are designed to withstand minor fluctuations in power, they contain some means of maintaining memory for short power interruptions.
Check procedures: Inspect the relevant document. Verify the documentation or user agreement contains the following at a minimum.
Volatile memory devices:
1. Acceptable use and approval process for the use of volatile memory devices.
2. Powering down volatile memory devices for 60 seconds before connecting to any end point.
3. Labeling and handling instructions in coordination with the Security Manager (SM).
4. Procedures for reporting lost/stolen devices.
Persistent memory devices:
1. Acceptable use and approval process for the use of all USB devices.
2. Acceptable use and approval process for the use of flash media devices with the Windows OS.
3. An explanation of the restrictions placed on attaching non-government-owned USB devices to a government-owned system.
4. Use of authorized government-owned flash drives with personal or other unauthorized computers.
5. Data transfer and wiping procedures.
6. The prohibition against disguised USB drives.
7. Labeling and handling instructions in coordination with the Security Manager (SM).
8. Procedures for reporting lost or stolen devices.
Train all users on the secure use of removable media and storage devices, acceptable use policy, and approval process through use of a user's guide, user's agreement, or training program.
Further policy details: Some systems do not have a setting for disabling boot from USB or other types of ports. In these cases, "Boot from USB" or other interface connection types should be moved to last in the boot device list in the BIOS. The risk is lessened but not mitigated, so the reviewer will mark this as a CAT II finding.
Check procedure:
1. Inspect the BIOS settings. Navigate to the boot order configuration tab.
2. Work with the site representative to verify that no end point has its BIOS set to allow a default boot from an external port.
3. Verify that a system can be booted from a USB, firewire, or eSATA device for maintenance or recovery purposes, but that it will not be allowed to do so when in normal use.
Set boot order of computers approved for use with removable storage such that the BIOS does not allow default booting from devices attached to a USB, firewire, or eSATA port.
Interview the IAO or site representative. Add the “Wireless Peripheral” asset posture in VMS to the end point asset (e.g., desktop or notebook) and complete the Bluetooth checks as part of the workstation or end point security review.
For Wireless USB (WUSB) devices, comply with the Wireless STIG peripheral devices policy.
Further policy details: Track all devices: flash media, external hard drives, CAC readers, printers, scanners, and other devices attached to USB, firewire, or eSATA ports.
NOTE: This requirement does not apply to keyboards and mice that do not contain persistent memory.
NOTE: See the Wireless STIG for security requirements for wireless keyboards and mice.
Check procedure: Inspect the equipment list that is used to track flash media, external storage, and/or externally connected peripheral devices. Verify that identifying information is tracked and the list is kept updated as new equipment is replaced or purchased. The following data must be included:
1. Bar code tag or serial number.
2. Type of device.
3. Name and contact information of the person to whom the device is issued.
4. If the device was transferred, disposition information such as date wiped and transferred.
Maintain a list of approved removable storage media or devices.
Further policy details: Use of coalition-owned devices, or devices owned by another government agency, though permitted, requires DAA approval and must be essential to mission requirements.
Check procedures: Interview the site representative and ask the following questions.
1. Are non-DoD devices, such as personally- or contractor-owned devices, used for data storage and/or transfer?
2. Are these devices allowed for use with end points containing non-publicly releasable information?
3. Are these devices allowed for use with end points that (periodically or frequently) attach to networks that process non-publicly releasable information?
If personally- or contractor-owned devices are in use, this is a finding.
Permit only government-procured and -owned devices.
Further policy details:
1. The minimum HMAC and signature algorithm values are HMAC-SHA256 and Rivest-Shamir-Adleman (RSA) 2048 or better.
2. This requirement applies to USB thumb drives. This requirement also applies to external hard disk drives regardless of connection type (e.g., eSATA, firewire, or USB).
3. This requirement applies to media and devices used for storage of high value data or for transfer between systems with differing classification or trust levels (e.g., contractor to government system).
4. Use of approved devices will ensure use of products with this feature.
Check: Verify use of approved devices from the DAR-approved products list for flash drive and removable storage devices.
Firmware on the USB flash drive and external hard drive will be signed and verified with either Hashed Message Authentication Code (HMAC) or digital signatures.
Inspect the DAA-approved documentation of flash media procedures. Verify that the DAA or the designated Flash Media Approval Authority has established documentation on using flash media devices. Documentation must be signed by the DAA or his/her alternate and will include the following at a minimum:
1. Types of flash media (e.g., thumb drives, camera memory) that may be used in the organization under its area of responsibility and by whom.
2. Procedures for identifying, reporting, and investigating violations of the acceptable use policy.
3. Procedures for random and periodic inspections to ensure compliance.
4. Procedures for approval/disapproval of flash media use requests.
Data transfers using USB flash media (thumb drives) will comply with the requirements in the CTO 10-084 (or most recent version) and these procedures will be documented.
Further policy details: This check applies only to end points using Windows OS that use removable storage devices.
Check Procedure: Inspect the end points. Ensure the following:
1. HBSS is installed and configured in compliance with the HBSS STIG. The site may provide the results of an SRR review or self-inspection.
2. Verify DCM is installed and configured to allow only authorized removable storage devices by using a device identifier or serial number.
3. Verify DCM is configured in accordance with the CTO 10-004a or updated version.
4. If the HBSS/DCM solution is not used, an alternate solution which performs the required security functions is required, and this alternative must be approved by USCYBERCOM.
If HBSS with DCM is not installed and configured on a Windows host that uses removable storage devices, this is a finding.
Install and configure Host-Based Security System (HBSS) with Device Control Module (DCM) on all Windows host computers that will use removable storage devices (flash drives, thumb drives, disk drives, etc.).
Further policy details: HBSS DCM configuration guidance can be obtained from the DoD Patch Repository - https://patches.csd.disa.mil/Default.aspx.
Check procedures:
1. View the configuration of the DCM module.
2. Verify DCM is configured to allow or deny approved removable storage devices based on specific device parameters (e.g., serial number, device instance ID), device driver type (e.g., external USB storage device), or specific host end points or users.
If HBSS DCM is not configured to allow or deny approved removable storage devices based on specific device parameters (e.g., serial number, device instance ID), device driver type (e.g., external USB storage device), or specific host end points or users, this is a finding.
For end points using Windows operating systems, restrict removable storage devices by specific device, unique identifier (e.g. serial number, device instance), or to specific host end points or users.
Further policy details: Personnel do not have to be matched to a particular machine or device. This check applies only to flash media devices.
Check procedure:
1. Inspect the USB authorized personnel listing provided by the site representative.
2. Verify that the list contains names and current contact information at a minimum.
Maintain a list of all personnel that have been authorized to use flash media.
Further check details: A system does not have to be tied to a single specific device or individual on the listing.
Check procedure:
1. Inspect the USB authorized end point listing.
2. Verify that identifying information such as device serial number and location is tracked on the listing.
Maintain a list of all end point systems that have been authorized for use with flash media.
Further policy details: All enterprise and host systems will be configured to perform on-access scanning for viruses/malware upon introduction to a system. If the destination device (e.g., router, camera, or printer) does not support on-access scanning, ensure data is scanned before loading. Reference the Intellipedia webpage related to HBSS for additional guidance regarding proper configuration and scanning capabilities of DoD-approved antivirus software. The antivirus scanning on the host is configured in compliance with the Antivirus Security Guidance (available at http://iase.disa.mil/stigs/checklist/index.html) and the latest version of CTO 10-084 requirements.
Check procedures:
1. Inspect a sampling of external drives, USB thumb drives, and other removable storage drives such as cameras.
2. View the process of attaching these devices to an authorized host and verify that files are inspected by the anti-virus software when retrieved on access.
3. Ask the site representative for evidence that verifies that a security review using the Antivirus Security Guidance and the latest version of CTO 10-084 requirements has been performed.
4. Interview the IAO or site representative and verify that incident response procedures include flash media and external hard drive storage devices.
The host system will perform on-access anti-virus and malware checking, regardless of whether the flash memory device has software or hardware malware features.
Further policy details: This requirement applies to flash media. Higher risk categories are defined as:
1. Data transfers to or from non-DoD systems
2. Special cases when data must traverse different classification domains
Higher risk data transfer procedures for USB thumb drives:
1. Insert/unlock USB thumb drive.
2. Load file from the source network.
3. Scan flash media device with an organization-approved security scanning software.
4. Set USB thumb drive to read-only mode, if possible.
5. Scan file using scanning software on the destination network.
6. Load file to destination network.
7. Use an organization-approved disk wipe software to wipe the device when data is no longer needed.
Higher risk data transfer procedures for memory cards:
1. Insert card into card reader.
2. Scan disk drive created by memory card using organization-approved security scanning software.
3. Scan disk drive created by the memory card using scanning software on the destination network.
4. Load file to destination network.
5. Use organization-approved disk wipe software to wipe the device when data is no longer needed.
Check procedures:
1. Interview the site representative.
2. Ask if higher risk data transfers, as outlined above, are performed. If so, ask how this transfer is done and verify compliance with the above procedure.
If an organization-approved security scanning software and disk wipe software are not being utilized when flash media is used for higher risk data transfers, this is a finding.
For higher risk data transfers using flash media, an organization approved security scanning and disk wipe software will be used.
Further policy details: This requirement applies to removable storage media and other persistent memory devices that are recovered after a loss or theft. This also applies to cases where the organization failed to maintain positive physical control commensurate with the classification of the data authorized to be transferred. Reclaimed media and drives will be scanned for malicious activity and wiped immediately when the data is no longer needed.
Reclamation procedures:
1. Insert or access device.
2. Scan device with organization-approved security scanning software.
3. Wipe device using organization-approved disk wipe software.
Check procedures:
1. Interview the site representative.
2. Verify the data transfer procedures outlined above are being followed if/when lost, stolen, or misplaced flash media and external hard drives are recovered.
If security scanning software and disk wipe software are not used on reclaimed or recovered storage devices, this is a finding.
Removable storage devices for which the organization has failed to maintain physical control will be scanned for malicious activity upon reclamation.
Further policy details:
1. This requirement applies to all removable storage devices, including memory cards and USB devices.
2. DCM will be configured to monitor all removable storage devices, including camera memory, if it is used for non-publicly releasable information storage or to connect to clients attached to DoD networks.
Check procedure: Inspect the end points and ensure the following.
1. Verify that if removable storage devices are used, then HBSS/DCM is used to track usage.
2. Inspect to see if removable storage devices are used for non-publicly releasable data or are directly or indirectly attached to the NIPRNet or the SIPRNet.
3. If either of these is true, then verify use of HBSS/DCM to monitor their usage.
If the organization is using removable storage devices without having HBSS with DCM installed and properly configured, this is a finding.
Organizations that do not have a properly configured HBSS with DCM configuration will not use removable storage devices.
Further policy details: In accordance with CTO 10-084, USB thumb drives will be configured to meet the following requirements. External hard disk drives used for remote or portable storage of sensitive information must also meet these requirements unless exceptions are approved by the DAA.
1. The Random Number Generator shall follow NIST SP 800-90 or FIPS 140-2 Annex C and support the key size used for AES.
2. The USB flash drive data encryption algorithm shall be AES using the appropriate key size (128 or 256-bit key) in one of the following modes: CBC, CCM, CFB, CTR, OFB, and XTS.
3. The implementation must meet FIPS 140-2, FIPS PUB 197, and NIST SP 800-38A.
4. Must support the ability to enter a strong passphrase/password that meets FIPS 140-2 standards.
5. Firmware updates on the USB device will be signed and verified using RSA 2048 or ECDSA with P256.
6. Firmware health checks should be authenticated with either Hashed Message Authentication Code (HMAC-SHA256) or a digital signature (RSA 2048 or ECDSA P256).
Check procedures:
1. Work with the site representative to view the configuration of the encryption module used with the thumb drive or external hard drive.
2. Verify that AES is selected to be used as the encryption algorithm.
3. Verify that the configuration requirements listed in the Further policy details section of this check are configured.
Mark as a finding if any of the AES configuration requirements are not selected. To provide the required level of trust, AES must be configured correctly, since these settings mitigate known risks to the stored data.
Configure the cryptographic module on a USB thumb drive or external hard drive using a NIST-approved encryption algorithm to encrypt sensitive or restricted data-at-rest.
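The two firmware integrity mechanisms named above (signed updates verified with ECDSA P-256, and health checks authenticated with HMAC-SHA256) are shown below in Go as an added illustration; this is not code from the STIG or from any vendor's device. The image layout (4-byte version, payload, 32-byte HMAC tag), the demo HMAC key and the payload bytes are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Constructed image layout: version(4, big-endian) || payload || HMAC-SHA256 tag(32).
const tagLen = sha256.Size

// buildImage produces version||payload||HMAC-SHA256(key, version||payload).
// The tag is what the device's boot-time health check recomputes.
func buildImage(key []byte, version uint32, payload []byte) []byte {
	img := make([]byte, 4, 4+len(payload)+tagLen)
	binary.BigEndian.PutUint32(img, version)
	img = append(img, payload...)
	mac := hmac.New(sha256.New, key)
	mac.Write(img)
	return mac.Sum(img) // appends the 32-byte tag in place
}

// healthCheck is the device-side check (item 6): it rejects truncated images
// and any single-byte change to the version or payload, using a constant-time compare.
func healthCheck(key, img []byte) bool {
	if len(img) < 4+tagLen {
		return false
	}
	body, tag := img[:len(img)-tagLen], img[len(img)-tagLen:]
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	return hmac.Equal(mac.Sum(nil), tag)
}

// signUpdate is the vendor side of item 5: ECDSA P-256 over SHA-256 of the whole image.
func signUpdate(priv *ecdsa.PrivateKey, img []byte) ([]byte, error) {
	digest := sha256.Sum256(img)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verifyUpdate is the device side of item 5: only the vendor public key is stored on the device.
func verifyUpdate(pub *ecdsa.PublicKey, img, sig []byte) bool {
	digest := sha256.Sum256(img)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	key := []byte("constructed-demo-hmac-key") // demo value, not a real device key
	img := buildImage(key, 2, []byte("constructed firmware payload"))
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sig, _ := signUpdate(priv, img)
	fmt.Println("update verifies:", verifyUpdate(&priv.PublicKey, img, sig))
	fmt.Println("health check passes:", healthCheck(key, img))
	tampered := append([]byte(nil), img...)
	tampered[6] ^= 0xff // flip one payload byte
	fmt.Println("tampered update verifies:", verifyUpdate(&priv.PublicKey, tampered, sig))
	fmt.Println("tampered health check passes:", healthCheck(key, tampered))
}
```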
1. Verify use of an NSA-approved solution which is approved for use for the level of classified data stored on the device. This solution will be implemented in consultation with NSA and will include the hardware, software, and configuration required for secure implementation of the solution.
2. Verify use of an NSA-certified, Type 1 encryption module for protecting data-at-rest.
Use a National Security Agency (NSA) Type 1 certified solution when storing classified information on USB flash media and other removable storage devices.