Removable Storage and External Connections Security Technical Implementation Guide

  • Version/Release: V1R7
  • Published: 2017-09-25
  • Released: 2017-10-27
Require approval prior to allowing use of portable storage devices.
High - V-22110 - SV-25612r1_rule
RMF Control
Severity
High
CCI
Version
STO-ALL-010
Vuln IDs
  • V-22110
Rule IDs
  • SV-25612r1_rule
Use of unapproved devices to process non-publicly releasable data increases the risk to the network. Devices attached to or inserted into an end point's plug-and-play ports and slots can be a vector for the insertion of malware when used to access the network. Storage devices are portable and can be easily concealed. Devices with volatile memory (erased when not connected) may contain internal batteries that also pose a threat to attached systems. Requiring approval prior to use of these devices heightens awareness of the threat, limits the potential use of contaminated devices, and allows for proper tracking and control. Designated Approving Authority (DAA) approval of flash memory devices is required by the United States Cyber Command (USCYBERCOM) Communications Task Order (CTO) 10-084, Removable Flash Media Device Implementation within and between Department of Defense (DoD) Networks (U/FOUO), or the latest version of that CTO.
Responsibility: Information Assurance Officer; Designated Approving Authority
Checks: C-27469r1_chk

Further policy details: This policy applies to devices attached using external Universal Serial Bus (USB), FireWire, or External Serial Advanced Technology Attachment (eSATA) ports. It also applies to devices containing either volatile or persistent (non-volatile) memory (e.g., thumb drives, memory sticks, camera memory cards, external USB hard drives, MP3 players, camcorders, cameras, printers, and network equipment). Blanket approvals by type are acceptable. DAA approval is required prior to using thumb drives, memory sticks, and memory cards. DAAs may designate alternate flash media approving officials who are O-6 or equivalent. Approvers will restrict flash media approvals to mission-essential requirements. Information Assurance Officer (IAO) approval is necessary and sufficient for use of externally connected hard disk drives and other persistent memory devices. This requirement also applies to devices that attach to external USB, FireWire, or eSATA ports on end points attached to government systems containing non-publicly releasable data or attached to DoD networks. Approvers will not authorize use or purchase of removable storage devices that are disguised to look like common items such as pens or bracelets; disguised storage devices may be easily overlooked in a spot security search.

Check:
1. Verify an approval document signed by the IAO exists for the use of each type of USB device by device ID.
2. Verify an approval document signed by the DAA (or alternate approving official) exists for the use of flash drives, flash media readers, and memory cards.
3. Compare the approval documents to the device types listed on the required USB devices equipment list.
NOTE: The approval document may be a blanket approval by type of device (e.g., approved use of USB keyboards and mice throughout the organization).

Fix: F-23556r1_fix

Require approval prior to allowing use of portable storage devices.

Access to mobile and removable storage devices such as USB thumb drives and external hard disk drives will be protected by password, PIN, or passphrase.
High - V-22111 - SV-25614r3_rule
RMF Control
Severity
High
CCI
Version
STO-DRV-010
Vuln IDs
  • V-22111
Rule IDs
  • SV-25614r3_rule
If USB media and devices are not protected by strong access control techniques, unauthorized access may put sensitive data at risk. Data-at-rest encryption products will be configured to require a user-chosen PIN prior to decrypting the drive. Users must choose a strong PIN. Implementation of access control on persistent memory devices helps to ensure that sensitive information is accessed only by authorized and authenticated individuals.

Further policy details: In accordance with the DoD data-at-rest (DAR) policy, access control is required to protect data not approved for public release. The DoD Enterprise Software Initiative (ESI) blanket purchase agreement program requires all products to support encryption and a FIPS 140-2 password, PIN, or passphrase. Access control can be implemented using either software or hardware. The recommended best practice is to purchase devices that include built-in security features, including on-board or hardware encryption, password management, key management, and malware protection. Several manufacturers offer drives with these features.

A German company discovered a security flaw in several hardware-encrypted USB thumb drives: a very simple software tool could unlock any of the affected devices and bypass the access control system. This exploit worked on several thumb drive models that were FIPS 140-2 validated. The validated cryptographic module was not what failed; the password check in the host-side software outside the validated boundary was, which is why a FIPS 140-2 certificate alone is not evidence that the password actually gates the key.

The following DoD policies apply to access control solutions for all USB storage devices:
- Use of a password or PIN to access the encrypted storage device. Certificate-based authentication can be used but is not mandated.
- For devices with on-board access control and encryption features, the system administrator will configure these security features prior to issuance. Default PINs and passwords will be changed prior to use.
- Password and/or key management procedures will be established for systems storing mission-critical information.
Checks: C-27094r2_chk

Interview the site representative and perform the following procedures.
1. Inspect a sampling of the different types of USB storage devices used.
2. Verify that a password or PIN is required to gain access to the data stored on the USB device by attempting access.
If a password, PIN, or passphrase is not required to gain access to the data stored on the USB device, this is a finding.

Fix: F-23196r1_fix

Access to mobile and removable storage devices such as USB thumb drives and external hard disk drives will be protected by password, PIN, or passphrase.

For all removable flash media and external hard disk drives, use an organization-approved method to wipe the device before using for the first-time.
Medium - V-22112 - SV-25617r2_rule
RMF Control
Severity
Medium
CCI
Version
STO-DRV-030
Vuln IDs
  • V-22112
Rule IDs
  • SV-25617r2_rule
Removable media often arrives from the vendor with many files already stored on the drive. These files may contain malware or spyware which present a risk to DoD resources.
Checks: C-27097r2_chk

Interview the site representative to determine if organization-approved tools are being used for scanning and wiping all external storage drives and removable media prior to first time use. If organization approved scanning and wiping tools are not used prior to first time use of removable flash media or external hard disk drives, this is a finding.

Fix: F-23199r2_fix

For all removable flash media and external hard disk drives, use an organization-approved method to wipe the device before using for the first-time.

Sensitive but unclassified data must be encrypted using FIPS 140-2 validated modules when stored on a USB flash drive and external hard disk drive.
Medium - V-22113 - SV-25620r3_rule
RMF Control
Severity
Medium
CCI
Version
STO-DRV-020
Vuln IDs
  • V-22113
Rule IDs
  • SV-25620r3_rule
If information deemed sensitive (non-publicly releasable) by the data owner is not encrypted when stored on removable storage media, this can lead to the compromise of unclassified sensitive data. These devices are portable and are often lost or stolen, which makes the data more vulnerable than data on other storage devices.
Approval: Do not mark as a finding for camera cards and memory cards if AO (formerly DAA) approval is documented. Some missions may require the storage of sensitive information on these devices. However, if these devices are then connected to sensitive networks, the host computer and network must comply with the HBSS/DCM tracking and on-access malware/virus checking requirements.
Checks: C-27100r3_chk

Inspect a sample of USB thumb drives and portable storage devices. Verify, if the device is authorized for use with sensitive unclassified data, that encryption is used.
- This policy applies to USB thumb drives and external hard drives. Since memory cards, cameras, and other similar technologies do not have approved encryption solutions, these devices must be used only with AO approval. Compliance with HBSS/DCM and other STIG requirements is still required.
- For USB thumb drives, use an on-board cryptographic module. For USB external hard disk drives, an on-board module is not mandated.
- For USB thumb drives, use a FIPS 140-2 validated tamper-resistant and tamper-evident design with cryptographic chip protection. This is generally not visible on the case, so the site representative will provide the reviewer with the device documentation showing this feature.
If sensitive but unclassified data is not being encrypted using FIPS 140-2 validated modules on USB flash drives and external hard disk drives, this is a finding.

Fix: F-23202r2_fix

Encrypt sensitive but unclassified data with FIPS 140-2 validated modules when stored on a USB flash drive and external hard disk drive.
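
The following is an added example, not part of the STIG or of any DISA tool, showing how a reviewer could script the V-22111 (password/PIN) and V-22113 (FIPS 140-2 encryption) checks for externally attached hard disk drives that are protected with BitLocker. USB thumb drives are deliberately out of scope: the STIG requires an on-board cryptographic module for them, which no host-side query can verify. The check logic is separated from the live collector so it can be exercised with the constructed sample inputs at the bottom. Assumed: Windows with the BitLocker and Storage PowerShell modules, and that XTS-AES or AES-CBC are the methods the site's DAR baseline accepts.

```powershell
# Added example (not part of the STIG or any DISA tool): audit externally attached hard disk
# drives protected with BitLocker against the password/PIN requirement (V-22111) and the
# FIPS 140-2 encryption requirement (V-22113). Assumes Windows with the BitLocker and Storage
# modules. Thumb drives are out of scope here: the STIG requires an on-board module for them.

function Test-RemovableDriveProtection {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,
        [Parameter(Mandatory)] [string] $VolumeStatus,       # FullyEncrypted, FullyDecrypted, ...
        [Parameter(Mandatory)] [string] $EncryptionMethod,   # XtsAes256, Aes128, None, Hardware, ...
        [string[]] $KeyProtectorTypes = @(),                 # Password, RecoveryPassword, ...
        [Parameter(Mandatory)] [bool] $FipsPolicyEnabled
    )
    $findings = @()
    if ($VolumeStatus -ne 'FullyEncrypted') {
        $findings += "$MountPoint is not fully encrypted (VolumeStatus=$VolumeStatus)"
    }
    # AES in XTS or CBC mode is a NIST-approved algorithm; 'None' is cleartext and
    # 'Hardware' means a self-encrypting drive whose own FIPS validation must be checked
    # from the vendor certificate, which this script cannot see. (Assumption: the site's
    # DAR baseline accepts these four methods.)
    if ($EncryptionMethod -notin @('XtsAes256', 'XtsAes128', 'Aes256', 'Aes128')) {
        $findings += "$MountPoint method '$EncryptionMethod' needs manual FIPS 140-2 verification"
    }
    # V-22111: a user-chosen secret must gate the key. A RecoveryPassword protector alone is
    # the escrowed recovery key, not a daily-use credential, so it does not count.
    if ($KeyProtectorTypes -notcontains 'Password') {
        $findings += "$MountPoint has no password protector (protectors: $($KeyProtectorTypes -join ','))"
    }
    # The system FIPS policy restricts Windows, including BitLocker, to FIPS-validated
    # cryptographic implementations.
    if (-not $FipsPolicyEnabled) {
        $findings += 'System cryptography FIPS policy (FipsAlgorithmPolicy\Enabled) is not set'
    }
    return ,$findings
}

# Live collector: every disk on the USB or IEEE 1394 bus. eSATA drives enumerate as
# BusType 'SATA' and cannot be told apart from internal disks here; add them by disk
# number if the site uses eSATA.
function Get-RemovableDriveFindings {
    $fips = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
                -Name Enabled -ErrorAction SilentlyContinue).Enabled -eq 1
    $disks = Get-Disk | Where-Object { $_.BusType -in @('USB', '1394') }
    foreach ($disk in $disks) {
        $volumes = Get-Partition -DiskNumber $disk.Number | Get-Volume |
                   Where-Object { "$($_.DriveLetter)" -match '^[A-Z]$' }
        foreach ($vol in $volumes) {
            $mp = "$($vol.DriveLetter):"
            $bl = Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue
            if (-not $bl) { "$mp (disk $($disk.Number)): no BitLocker volume, treat as unencrypted"; continue }
            Test-RemovableDriveProtection -MountPoint $mp `
                -VolumeStatus "$($bl.VolumeStatus)" `
                -EncryptionMethod "$($bl.EncryptionMethod)" `
                -KeyProtectorTypes @($bl.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" }) `
                -FipsPolicyEnabled $fips
        }
    }
}

# Constructed sample inputs (not from a real host) showing both outcomes.
$compliant = Test-RemovableDriveProtection -MountPoint 'E:' -VolumeStatus 'FullyEncrypted' `
    -EncryptionMethod 'XtsAes256' -KeyProtectorTypes @('Password', 'RecoveryPassword') -FipsPolicyEnabled $true
$nonCompliant = Test-RemovableDriveProtection -MountPoint 'F:' -VolumeStatus 'FullyDecrypted' `
    -EncryptionMethod 'None' -KeyProtectorTypes @() -FipsPolicyEnabled $false
"E: $($compliant.Count) finding(s)"
"F: $($nonCompliant.Count) finding(s)"
$nonCompliant
```

The constructed E: sample produces no findings; the F: sample produces four (not encrypted, method None, no password protector, FIPS policy off). On a live host, run Get-RemovableDriveFindings with the drives attached and unlocked; a drive that Get-BitLockerVolume does not know about is reported as unencrypted rather than silently skipped, because that is the finding the reviewer is looking for.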

Train all users on the secure use of removable media and storage devices, acceptable use policy, and approval process through use of user's guide, user's agreement, or training program.
Low - V-22114 - SV-25621r1_rule
RMF Control
Severity
Low
CCI
Version
STO-ALL-050
Vuln IDs
  • V-22114
Rule IDs
  • SV-25621r1_rule
Written user guidance gives users a place to learn about updated guidance on their responsibilities for safeguarding DoD information assets. Many security breaches occur when users violate security policy because they lack training.
Responsibility: Information Assurance Officer
Checks: C-27101r1_chk

Further policy details: Users will be trained to ensure devices are powered off for at least 60 seconds when disconnecting them from one system and connecting them to a different system, so that enough time passes for all power to dissipate and the memory to be erased. Devices that contain volatile memory use the memory for temporary storage (e.g., page buffers in printers, image buffers in scanners, or cache buffers in removable storage devices like Zip drives). Special note should be made of USB hubs, as they contain memory buffers even though it is not obvious. When power is removed from these devices by unplugging them from the port (and from a separate power supply, if one is used), their memory is erased. Because these devices are designed to withstand minor fluctuations in power, they contain some means of maintaining memory through short power interruptions.

Check procedures: Inspect the relevant document. Verify the documentation or user agreement contains the following at a minimum.

Volatile memory devices:
1. Acceptable use and approval process for the use of volatile memory devices.
2. Powering down volatile memory devices for 60 seconds before connecting to any end point.
3. Labeling and handling instructions in coordination with the Security Manager (SM).
4. Procedures for reporting lost or stolen devices.

Persistent memory devices:
1. Acceptable use and approval process for the use of all USB devices.
2. Acceptable use and approval process for the use of flash media devices with the Windows OS.
3. An explanation of the restrictions placed on attaching non-government-owned USB devices to a government-owned system.
4. Restrictions on use of authorized government-owned flash drives with personal or other unauthorized computers.
5. Data transfer and wiping procedures.
6. The prohibition against disguised USB drives.
7. Labeling and handling instructions in coordination with the Security Manager (SM).
8. Procedures for reporting lost or stolen devices.

Fix: F-23203r1_fix

Train all users on the secure use of removable media and storage devices, acceptable use policy, and approval process through use of a user's guide, user's agreement, or training program.

Set boot order of computers approved for use with removable storage such that the Basic Input Output System (BIOS) does not allow default booting from devices attached to a USB, firewire, or eSATA port.
High - V-22115 - SV-25623r1_rule
RMF Control
Severity
High
CCI
Version
STO-ALL-040
Vuln IDs
  • V-22115
Rule IDs
  • SV-25623r1_rule
If the BIOS is left set to allow the end point to boot from a device attached to a USB, FireWire, or eSATA port, an attacker with physical access could attach a bootable device, force a reboot (by a hardware reset or by cycling the power), and start an operating system of their choosing, bypassing the access controls of the installed OS. This can lead to a denial of service or the compromise of sensitive data on the system and the network to which it is connected. Some systems do not have a setting for disabling boot from USB. In these cases, "Boot from USB" should be moved to last in the boot device list in the BIOS. The risk is lessened but not fully mitigated, so the reviewer will mark this as a CAT II finding.
Responsibility: Information Assurance Officer
Checks: C-27103r1_chk

Further policy details: Some systems do not have a setting for disabling boot from USB or other types of ports. In these cases, "Boot from USB" or the other interface connection types should be moved to last in the boot device list in the BIOS. The risk is lessened but not fully mitigated, so the reviewer will mark this as a CAT II finding.

Check procedure:
1. Inspect the BIOS settings. Navigate to the boot order configuration tab.
2. Work with the site representative to verify that no end point has its BIOS set to allow a default boot from an external port.
3. Verify that a system can be booted from a USB, FireWire, or eSATA device for maintenance or recovery purposes, but that it will not do so in normal use.

Fix: F-23205r1_fix

Set boot order of computers approved for use with removable storage such that the BIOS does not allow default booting from devices attached to a USB, firewire, or eSATA port.

For Wireless USB (WUSB) devices, comply with the Wireless STIG peripheral devices policy.
Medium - V-22169 - SV-25806r1_rule
RMF Control
Severity
Medium
CCI
Version
USB-WUSB-010
Vuln IDs
  • V-22169
Rule IDs
  • SV-25806r1_rule
The use of unauthorized wireless devices can compromise DoD computers, networks, and data. The receiver for a wireless end point provides a wireless port on the computer that could be attacked by a hacker. Wireless transmissions can be intercepted by a hacker and easily viewed if the required security is not used.
Responsibility: Information Assurance Officer
Checks: C-27325r1_chk

Interview the IAO or site representative. Add the “Wireless Peripheral” asset posture in VMS to the end point asset (e.g., desktop or notebook) and complete the Bluetooth checks as part of the workstation or end point security review.

Fix: F-23392r1_fix

For Wireless USB (WUSB) devices, comply with the Wireless STIG peripheral devices policy.

Maintain a list of approved removable storage media or devices.
Low - V-22172 - SV-25810r1_rule
RMF Control
Severity
Low
CCI
Version
STO-ALL-030
Vuln IDs
  • V-22172
Rule IDs
  • SV-25810r1_rule
Many persistent memory media or devices are portable, easily stolen, and contain sensitive data. If these devices are lost or stolen, it may take a while to discover that sensitive information has been lost. Inventory and bar-coding of authorized devices will increase the organization's ability to uncover unauthorized portable storage devices.
Responsibility: Information Assurance Officer
Checks: C-27321r1_chk

Further policy details: Track all devices: flash media, external hard drives, CAC readers, printers, scanners, and other devices attached to USB, FireWire, or eSATA ports. NOTE: This requirement does not apply to keyboards and mice that do not contain persistent memory. NOTE: See the Wireless STIG for security requirements for wireless keyboards and mice.

Check procedure: Inspect the equipment list that is used to track flash media, external storage, and/or externally connected peripheral devices. Verify that identifying information is tracked and the list is kept updated as equipment is replaced or purchased. The following data must be included:
1. Bar code tag or serial number.
2. Type of device.
3. Name and contact information of the person to whom the device is issued.
4. If the device was transferred, disposition information such as the date wiped and transferred.

Fix: F-23388r1_fix

Maintain a list of approved removable storage media or devices.

Permit only government-procured and -owned devices.
High - V-22173 - SV-25811r1_rule
RMF Control
Severity
High
CCI
Version
STO-ALL-020
Vuln IDs
  • V-22173
Rule IDs
  • SV-25811r1_rule
Persistent memory devices (e.g., thumb drives, memory cards, external hard drives, or other removable storage devices) may contain malware installed on the drive or within the firmware. Personally- or contractor-owned devices may not be compliant with the rigorous standards for encryption, anti-virus, and data wiping that are required for the use of removable storage devices in DoD. Therefore, use of personal devices in PCs attached to the network may put the network at risk.
Responsibility: Information Assurance Officer
Checks: C-27322r1_chk

Further policy details: Use of coalition-owned devices, or devices owned by another government agency, though permitted, requires DAA approval and must be essential to mission requirements.

Check procedures: Interview the site representative and ask the following questions.
1. Are non-DoD devices, such as personally- or contractor-owned devices, used for data storage and/or transfer?
2. Are these devices allowed for use with end points containing non-publicly releasable information?
3. Are these devices allowed for use with end points that (periodically or frequently) attach to networks that process non-publicly releasable information?
If personally- or contractor-owned devices are in use, this is a finding.

Fix: F-23389r1_fix

Permit only government-procured and -owned devices.

Firmware on the USB flash drive and external hard drive will be signed and verified with either Hashed Message Authentication Code (HMAC) or digital signatures.
Low - V-22174 - SV-25812r1_rule
RMF Control
Severity
Low
CCI
Version
STO-DRV-040
Vuln IDs
  • V-22174
Rule IDs
  • SV-25812r1_rule
Several security incidents have occurred when the firmware on devices contained malware. For devices used to store or transfer sensitive information, signed firmware provides added assurance that the firmware has not been compromised. Note that HMAC verification requires the verifying key to be present on the device, so the assurance depends on that key staying protected; a digital signature keeps the signing key off the device entirely.
Responsibility: Information Assurance Officer
Checks: C-27323r1_chk

Further policy details:
1. The minimum algorithm strengths are HMAC-SHA-256 for HMAC-based verification and Rivest-Shamir-Adleman (RSA) 2048-bit or better for digital signatures.
2. This requirement applies to USB thumb drives. It also applies to external hard disk drives regardless of connection type (e.g., eSATA, FireWire, or USB).
3. This requirement applies to media and devices used for storage of high-value data or for transfer between systems with differing classification or trust levels (e.g., contractor to government system).
4. Use of approved devices will ensure use of products with this feature.

Check: Verify use of approved devices from the DAR-approved products list for flash drive and removable storage devices.

Fix: F-23390r1_fix

Firmware on the USB flash drive and external hard drive will be signed and verified with either Hashed Message Authentication Code (HMAC) or digital signatures.

Data transfers using USB flash media (thumb drives) will comply with the requirements in the CTO 10-084 (or most recent version) and these procedures will be documented.
Medium - V-22175 - SV-25813r1_rule
RMF Control
Severity
Medium
CCI
Version
STO-FLSH-010
Vuln IDs
  • V-22175
Rule IDs
  • SV-25813r1_rule
USB flash media may have malware installed on the drive which may adversely impact the DoD network. Even the use of approved devices does not eliminate this risk. Use of sound security practices and procedures will further mitigate this risk when using flash media.
Responsibility: Information Assurance Officer
Checks: C-27332r1_chk

Inspect the DAA-approved documentation of flash media procedures. Verify that the DAA or the designated Flash Media Approval Authority has established documentation on using flash media devices. Documentation must be signed by the DAA or his/her alternate and will include the following at a minimum:
1. Types of flash media (e.g., thumb drives, camera memory) that may be used in the organization under its area of responsibility, and by whom.
2. Procedures for identifying, reporting, and investigating violations of the acceptable use policy.
3. Procedures for random and periodic inspections to ensure compliance.
4. Procedures for approval/disapproval of flash media use requests.

Fix: F-23393r1_fix

Data transfers using USB flash media (thumb drives) will comply with the requirements in the CTO 10-084 (or most recent version) and these procedures will be documented.

Install and configure Host-Based Security System (HBSS) with Device Control Module (DCM) on all Windows host computers that will use removable storage devices.
Medium - V-22176 - SV-25814r2_rule
RMF Control
Severity
Medium
CCI
Version
STO-FLSH-040
Vuln IDs
  • V-22176
Rule IDs
  • SV-25814r2_rule
Because of the innate security risks involved with using removable storage devices (flash drives, thumb drives, disk drives, etc.), an access control and authorization method is needed. DCM software provides granular end point access control and management of removable media. Currently, DCM only supports the Windows operating system (OS).
IA Controls: ECSC-1
Checks: C-27333r2_chk

Further policy details: This check applies only to end points using the Windows OS that use removable storage devices.

Check procedure: Inspect the end points. Ensure the following:
1. HBSS is installed and configured in compliance with the HBSS STIG. The site may provide the results of an SRR review or self-inspection.
2. Verify DCM is installed and configured to allow only authorized removable storage devices by using a device identifier or serial number.
3. Verify DCM is configured in accordance with CTO 10-004a or its updated version.
4. If the HBSS/DCM solution is not used, an alternate solution which performs the required security functions is required, and this alternative must be approved by USCYBERCOM.
If HBSS with DCM is not installed and configured on a Windows host that uses removable storage devices, this is a finding.

Fix: F-23394r2_fix

Install and configure Host-Based Security System (HBSS) with Device Control Module (DCM) on all Windows host computers that will use removable storage devices (flash drives, thumb drives, disk drives, etc.).

For end points using Windows operating systems, removable storage devices will be restricted by a unique device identifier (e.g. serial number, device instance ID) or to specific host end points or users.
Medium - V-22177 - SV-25815r3_rule
RMF Control
Severity
Medium
CCI
Version
STO-FLSH-050
Vuln IDs
  • V-22177
Rule IDs
  • SV-25815r3_rule
Because of the innate security risks involved with using removable storage devices (e.g., flash drives, thumb drives, external solid state disk drives, etc.), users must follow required access procedures. Restricting specific devices to each user allows for non-repudiation and audit tracking.
Checks: C-27334r3_chk

Further policy details: HBSS DCM configuration guidance can be obtained from the DoD Patch Repository - https://patches.csd.disa.mil/Default.aspx.

Check procedures:
1. View the configuration of the DCM module.
2. Verify DCM is configured to allow or deny approved removable storage devices based on specific device parameters (e.g., serial number, device instance ID), device driver type (e.g., external USB storage device), or specific host end points or users.
If HBSS DCM is not configured to allow or deny approved removable storage devices based on specific device parameters (e.g., serial number, device instance ID), device driver type (e.g., external USB storage device), or specific host end points or users, this is a finding.

Fix: F-23395r3_fix

For end points using Windows operating systems, restrict removable storage devices by specific device, unique identifier (e.g. serial number, device instance), or to specific host end points or users.
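
The following is an added example, not HBSS/DCM and not a substitute the STIG would accept without the USCYBERCOM approval described above. It shows the mechanism that the check is about: keying an allow/deny decision on the serial number embedded in the Windows device instance ID, which is the same identifier a DCM policy uses. The decision logic is a pure function so it can be exercised against the constructed instance IDs at the bottom; the live enforcement function queries the PnP tree. Assumed: Windows 10/11 with the PnpDevice module; the approved serial and the sample instance IDs are constructed, not taken from any real device.

```powershell
# Added example, not HBSS/DCM and not a sanctioned substitute for it: allowlist removable
# storage by the serial number embedded in the Windows device instance ID. Assumes Windows
# 10/11 with the PnpDevice module; the approved serial and sample instance IDs are constructed.

# A USBSTOR instance ID has the shape
#   USBSTOR\DISK&VEN_<vendor>&PROD_<product>&REV_<rev>\<serial>&<interface>
# When the device reports no USB serial number, Windows synthesises the last element
# (e.g. 7&2A1B3C4D&0), which is unique only to this host and port, not to the device.
function Get-UsbStorageSerial {
    param([Parameter(Mandatory)] [string] $InstanceId)
    if ($InstanceId -notmatch '^USBSTOR\\[^\\]+\\([^\\]+)$') { return $null }
    $serial = $Matches[1] -replace '&\d+$', ''     # drop the "&0" interface index
    # A remaining '&' means a host-synthesised ID: there is no serial to allowlist.
    if ($serial -match '&') { return $null }
    return $serial
}

function Test-UsbStorageApproved {
    param(
        [Parameter(Mandatory)] [string] $InstanceId,
        [Parameter(Mandatory)] [string[]] $ApprovedSerials
    )
    $serial = Get-UsbStorageSerial -InstanceId $InstanceId
    if (-not $serial) { return $false }          # no unique serial: deny by default
    return [bool]($ApprovedSerials -contains $serial)
}

# Live enforcement: disable any present USB storage device that is not on the list.
# Disabling the PnP node detaches the disk stack for this session; make it stick across
# re-plugs with the device installation restriction policies under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions.
function Invoke-UsbStorageAllowlist {
    param([Parameter(Mandatory)] [string[]] $ApprovedSerials, [switch] $ReportOnly)
    $devices = Get-PnpDevice -PresentOnly | Where-Object { $_.InstanceId -like 'USBSTOR\*' }
    foreach ($d in $devices) {
        if (Test-UsbStorageApproved -InstanceId $d.InstanceId -ApprovedSerials $ApprovedSerials) {
            "ALLOW $($d.InstanceId)"
            continue
        }
        "DENY  $($d.InstanceId)"
        if (-not $ReportOnly) {
            Disable-PnpDevice -InstanceId $d.InstanceId -Confirm:$false
        }
    }
}

# Constructed samples: one approved device, one unknown device, one device with no serial.
$approved = @('0019E06B2C3D4E5F6A7B8C9D')
$samples = @(
    'USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_3.0&REV_PMAP\0019E06B2C3D4E5F6A7B8C9D&0',
    'USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.00\4C530001234567891234&0',
    'USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\7&2A1B3C4D&0'
)
foreach ($id in $samples) {
    '{0,-5} {1}' -f (Test-UsbStorageApproved -InstanceId $id -ApprovedSerials $approved), $id
}
```

Only the first sample is approved; the second has an unlisted serial, and the third is denied because the device presents no serial at all and the host-synthesised identifier would change from port to port, so it cannot be tracked on the equipment list. Two caveats belong with any serial-based control: a programmable device can present a listed serial, so this restricts casual use rather than a deliberate attacker, which is why the STIG still requires on-access anti-virus on the host; and the same device enumerates with a different instance ID through a USB card reader or hub bridge, so approvals should be recorded against the serial, not the full instance path.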

Maintain a list of all personnel that have been authorized to use flash media.
Low - V-23894 - SV-28850r1_rule
RMF Control
Severity
Low
CCI
Version
STO-FLSH-020
Vuln IDs
  • V-23894
Rule IDs
  • SV-28850r1_rule
Many USB flash media devices are portable, easily stolen, and may be used to temporarily store sensitive information. If these devices are lost or stolen, it will assist the investigation if the personnel who use these devices are readily identified with contact information.
Responsibility: Information Assurance Officer
Checks: C-29515r1_chk

Further policy details: Personnel do not have to be matched to a particular machine or device. This check applies only to flash media devices. Check procedure: 1. Inspect the USB authorized personnel listing provided by the site representative. 2. Verify that the list contains names and current contact information at a minimum.

Fix: F-26579r1_fix

Maintain a list of all personnel that have been authorized to use flash media.

Maintain a list of all end point systems that have been authorized for use with flash media.
Low - V-23895 - SV-28851r1_rule
RMF Control
Severity
Low
CCI
Version
STO-FLSH-030
Vuln IDs
  • V-23895
Rule IDs
  • SV-28851r1_rule
Many USB persistent memory devices are portable and easily overlooked. They may be used as a vector for exfiltrating data. To help mitigate this risk, end points must be designated as properly authorized and configured for use with USB flash drives within the DoD.
Responsibility: Information Assurance Officer
Checks: C-29516r1_chk

Further check details: System does not have to be tied to a single specific device or individual on the listing. Check procedure: 1. Inspect the USB authorized end point listing. 2. Verify that identifying information such as device serial number and location is tracked on the listing.

Fix: F-26580r1_fix

Maintain a list of all end point systems that have been authorized for use with flash media.

The host system will perform on-access anti-virus and malware checking, regardless of whether the external storage or flash drive has software or hardware malware features.
Medium - V-23919 - SV-28875r1_rule
RMF Control
Severity
Medium
CCI
Version
STO-ALL-070
Vuln IDs
  • V-23919
Rule IDs
  • SV-28875r1_rule
Like the traditional hard drive, removable storage devices and media may contain malware which may threaten the DoD systems to which they eventually directly or indirectly attach. To mitigate this risk, DoD policy requires anti-virus and malware detection solutions.
Responsibility: Information Assurance Officer
Checks: C-29524r1_chk

Further policy details: All enterprise and host systems will be configured to perform on-access scanning for viruses/malware upon introduction of media to a system. If the destination device (e.g., router, camera, or printer) does not support on-access scanning, ensure data is scanned before loading. Reference the Intellipedia webpage related to HBSS for additional guidance regarding proper configuration and scanning capabilities of DoD-approved antivirus software. The antivirus scanning on the host is configured in compliance with the Antivirus Security Guidance (available at http://iase.disa.mil/stigs/checklist/index.html) and the latest version of the CTO 10-084 requirements.

Check procedures:
1. Inspect a sampling of external drives, USB thumb drives, and other removable storage drives such as cameras.
2. View the process of attaching these devices to an authorized host and verify that files are inspected by the anti-virus software when retrieved on access.
3. Ask the site representative for evidence that a security review using the Antivirus Security Guidance and the latest version of the CTO 10-084 requirements has been performed.
4. Interview the IAO or site representative and verify that incident response procedures include flash media and external hard drive storage devices.

Fix: F-26592r1_fix

The host system will perform on-access anti-virus and malware checking, regardless of whether the flash memory device has software or hardware malware features.

For higher risk data transfers using flash media, use an organization approved security scanning software and disk wipe software to protect against malware and data compromise.
Medium - V-23920 - SV-28876r2_rule
RMF Control
Severity
Medium
CCI
Version
STO-FLSH-070
Vuln IDs
  • V-23920
Rule IDs
  • SV-28876r2_rule
Use of an organization approved security scanning software and disk wipe software with the procedures listed in the Check section is the only authorized method for using flash media for higher risk data transfers.
Checks: C-29525r2_chk

Further policy details: This requirement applies to flash media. Higher risk categories are defined as:
1. Data transfers to or from non-DoD systems.
2. Special cases when data must traverse different classification domains.

Higher risk data transfer procedures for USB thumb drives:
1. Insert/unlock the USB thumb drive.
2. Load the file from the source network.
3. Scan the flash media device with organization-approved security scanning software.
4. Set the USB thumb drive to read-only mode, if possible.
5. Scan the file using the scanning software on the destination network.
6. Load the file to the destination network.
7. Use organization-approved disk wipe software to wipe the device when the data is no longer needed.

Higher risk data transfer procedures for memory cards:
1. Insert the card into the card reader.
2. Scan the disk drive created by the memory card using organization-approved security scanning software.
3. Scan the disk drive created by the memory card using the scanning software on the destination network.
4. Load the file to the destination network.
5. Use organization-approved disk wipe software to wipe the device when the data is no longer needed.

Check procedures:
1. Interview the site representative.
2. Ask if higher risk data transfers, as outlined above, are performed. If so, ask how the transfer is done and verify compliance with the above procedure.
If organization-approved security scanning software and disk wipe software are not being utilized when flash media is used for higher risk data transfers, this is a finding.

Fix: F-26594r2_fix

For higher risk data transfers using flash media, an organization approved security scanning and disk wipe software will be used.
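
The following is an added example, not part of the STIG, scripting the destination-side steps of the thumb-drive procedure above (read-only, scan, load, wipe) for a Windows host on which Microsoft Defender is taken to be the organization-approved scanner. It is written so a detection stops the transfer before anything is copied and before the medium is wiped, since a wiped drive is useless to incident response. Assumed and not from the page: the thumb drive is the disk number shown by Get-Disk, the files to import are in a folder on that drive, and the full format at the end stands in for the organization-approved wipe tool (the comment on that function explains why it is not a substitute).

```powershell
# Added example (not from the STIG): destination-side steps of the higher-risk thumb-drive
# transfer, for a Windows host with Microsoft Defender as the organization-approved scanner.
# Assumptions: the drive is $DiskNumber from Get-Disk, the files to import are in
# $SourceFolder on that drive, and the closing full format stands in for the
# organization-approved wipe tool.

# Step 4: make the medium read-only before anything else touches it. This sets the host's
# software read-only attribute (a hardware write-protect switch is better when present); it
# stops this host writing back to the medium but cannot control what the device itself
# presents, which is why scanning follows.
function Set-UsbDiskReadOnly {
    param([Parameter(Mandatory)] [int] $DiskNumber)
    $disk = Get-Disk -Number $DiskNumber
    if ($disk.BusType -ne 'USB') { throw "Disk $DiskNumber is on bus '$($disk.BusType)', not USB; refusing" }
    Set-Disk -Number $DiskNumber -IsReadOnly $true
}

# Step 5: on-demand scan of every lettered volume on the disk; returns the detections raised
# since the scan started whose resource path lies on one of those volumes.
function Invoke-UsbDiskScan {
    param([Parameter(Mandatory)] [int] $DiskNumber)
    $roots = @(Get-Partition -DiskNumber $DiskNumber | Get-Volume |
               Where-Object { "$($_.DriveLetter)" -match '^[A-Z]$' } |
               ForEach-Object { "$($_.DriveLetter):\" })
    if ($roots.Count -eq 0) { return ,@() }
    $started = Get-Date
    foreach ($root in $roots) { Start-MpScan -ScanType CustomScan -ScanPath $root }
    $pattern = '(?i)' + (($roots | ForEach-Object { [regex]::Escape($_) }) -join '|')
    $hits = Get-MpThreatDetection | Where-Object {
        $_.InitialDetectionTime -ge $started -and (($_.Resources -join ' ') -match $pattern)
    }
    return ,@($hits)
}

# Step 7: wipe once the data is no longer needed. Clear-Disk only drops the partition table;
# the full format that follows overwrites the new volume with zeros. Flash wear-levelling
# keeps retired blocks out of reach of any host-side overwrite, so this is NOT sanitization:
# where the STIG requires the organization-approved wipe tool, use that tool instead.
function Clear-UsbDiskAfterTransfer {
    param([Parameter(Mandatory)] [int] $DiskNumber)
    Set-Disk -Number $DiskNumber -IsReadOnly $false
    Clear-Disk -Number $DiskNumber -RemoveData -RemoveOEM -Confirm:$false
    $part = New-Partition -DiskNumber $DiskNumber -UseMaximumSize -AssignDriveLetter
    Format-Volume -DriveLetter $part.DriveLetter -FileSystem NTFS -Full -Confirm:$false | Out-Null
}

function Invoke-HigherRiskTransfer {
    param(
        [Parameter(Mandatory)] [int] $DiskNumber,
        [Parameter(Mandatory)] [string] $SourceFolder,      # e.g. 'E:\transfer' on the drive
        [Parameter(Mandatory)] [string] $DestinationFolder  # on the destination network
    )
    Set-UsbDiskReadOnly -DiskNumber $DiskNumber                                       # step 4
    $hits = Invoke-UsbDiskScan -DiskNumber $DiskNumber                                # step 5
    if ($hits.Count -gt 0) {
        # Neither copy nor wipe: the medium is now evidence for the incident response process.
        throw "Transfer blocked: $($hits.Count) detection(s) on disk $DiskNumber; report per incident procedures"
    }
    Copy-Item -Path $SourceFolder -Destination $DestinationFolder -Recurse -Force   # step 6
    Clear-UsbDiskAfterTransfer -DiskNumber $DiskNumber                               # step 7
}
```

Run as an administrator, for example Invoke-HigherRiskTransfer -DiskNumber 2 -SourceFolder 'E:\transfer' -DestinationFolder 'D:\import'. The bus-type guard in Set-UsbDiskReadOnly exists because the wipe step is destructive: a wrong disk number pointed at an internal SATA or NVMe disk would otherwise be cleared. The memory-card variant of the procedure is the same script without the read-only step, since most card readers present the card as a plain USB disk and honour only the card's own lock switch.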

Removable storage devices for which the organization has failed to maintain physical control will be scanned for malicious activity upon reclamation.
Medium - V-23921 - SV-28877r2_rule
RMF Control
Severity
Medium
CCI
Version
STO-DRV-060
Vuln IDs
  • V-23921
Rule IDs
  • SV-28877r2_rule
Failure to maintain proper control of storage devices used in sensitive systems may mean the firmware or other files have been compromised. Action is needed to scan for malicious code. Although the data on the device is most likely protected by encryption and authentication controls, it is still possible that a sophisticated attacker has compromised the device. The risk to the system and the network increases if the device is used on a server or by a user with administrator privileges.
Checks: C-29526r2_chk

Further policy details: This requirement applies to removable storage media and other persistent memory devices that are recovered after a loss or theft. It also applies to cases where the organization failed to maintain positive physical control commensurate with the classification of the data authorized to be transferred. Reclaimed media and drives will be scanned for malicious activity and wiped immediately when the data is no longer needed.

Reclamation procedures:
1. Insert or access the device.
2. Scan the device with organization-approved security scanning software.
3. Wipe the device using organization-approved disk wipe software.

Check procedures:
1. Interview the site representative.
2. Verify the procedures outlined above are being followed if/when lost, stolen, or misplaced flash media and external hard drives are recovered.
If security scanning software and disk wipe software are not used on reclaimed or recovered storage devices, this is a finding.

Fix: F-26595r1_fix

Removable storage devices for which the organization has failed to maintain physical control will be scanned for malicious activity upon reclamation.

Organizations that do not have a properly configured HBSS with DCM configuration will not use removable storage devices.
Medium - V-23950 - SV-28906r2_rule
RMF Control
Severity
Medium
CCI
Version
STO-FLSH-060
Vuln IDs
  • V-23950
Rule IDs
  • SV-28906r2_rule
Because of the innate security risks involved with using removable storage devices (flash drives, thumb drives, disk drives, etc.), an access control and authorization method is needed. The Host Based Security System (HBSS) Device Control Module (DCM) provides granular end point access control and management of removable media. Currently, DCM only supports the Windows operating system. ECSC-1
Checks: C-29531r2_chk

Further policy details:
1. This requirement applies to all removable storage devices, including memory cards and USB devices.
2. DCM will be configured to monitor all removable storage devices, including camera memory, if they are used for non-publicly releasable information storage or to connect to clients attached to DoD networks.

Check procedure: Inspect the end points and ensure the following.
1. Verify that if removable storage devices are used, HBSS/DCM is used to track their usage.
2. Inspect to see if removable storage devices are used for non-publicly releasable data or are directly or indirectly attached to the NIPRNet or the SIPRNet.
3. If either of these is true, verify that HBSS/DCM is used to monitor their usage.

If the organization is using removable storage devices without having HBSS with DCM installed and properly configured, this is a finding.

Fix: F-26611r2_fix

Organizations that do not have a properly configured HBSS with DCM configuration will not use removable storage devices.

Configure the cryptographic module on a USB thumb drive or external hard drive using a NIST-approved encryption algorithm to encrypt sensitive or restricted data-at-rest.
Low - V-24176 - SV-29816r1_rule
RMF Control
Severity
Low
CCI
Version
STO-DRV-025
Vuln IDs
  • V-24176
Rule IDs
  • SV-29816r1_rule
The DoD data-at-rest (DAR) policy requires encryption for portable and mobile storage. However, even when a FIPS 140-2 validated cryptographic module is used, the implementation must be configured to use a NIST-approved algorithm. Advanced Encryption Standard (AES) is the most commonly available FIPS-approved algorithm and is required for use with USB thumb drives by CTO 10-084 (or latest version). The algorithm's key size and mode of operation must also be configured. Without this granular configuration, the full protection of data encryption is not achieved and the data may be accessible if the drive is lost or stolen. Information Assurance Officer
Checks: C-30119r1_chk

Further policy details: In accordance with CTO 10-084, USB thumb drives will be configured to meet the following requirements. External hard disk drives used for remote or portable storage of sensitive information must also meet these requirements unless exceptions are approved by the DAA.
1. The random number generator shall follow NIST SP 800-90 or FIPS 140-2 Annex C and support the key size used for AES.
2. The USB flash drive data encryption algorithm shall be AES using the appropriate key size (128- or 256-bit key) in one of the following modes: CBC, CCM, CFB, CTR, OFB, or XTS.
3. The implementation must meet FIPS 140-2, FIPS PUB 197, and NIST SP 800-38A.
4. The device must support the ability to enter a strong passphrase/password that meets FIPS 140-2 standards.
5. Firmware updates on the USB device will be signed and verified using RSA 2048 or ECDSA with P-256.
6. Firmware health checks should be authenticated with either a Hashed Message Authentication Code (HMAC-SHA256) or a digital signature (RSA 2048 or ECDSA P-256).

Check procedures:
1. Work with the site representative to view the configuration of the encryption module used with the thumb drive or external hard drive.
2. Verify that AES is selected as the encryption algorithm.
3. Verify that the configuration requirements listed in the Further policy details section of this check are configured.

Mark as a finding if any of the AES configuration requirements are not selected. To provide the required level of trust, AES must be configured correctly, since these settings mitigate known risks to the stored data.
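The requirements above describe what a compliant device does internally; the check itself is a review of the module's configuration, not of code. As an added illustration (not part of this STIG, CTO 10-084, or any vendor's firmware), the following Go program shows the three mechanisms in the list as a practitioner would implement them with the standard library: AES-256 in CTR mode (one of the listed approved modes) for data-at-rest, an ECDSA P-256 signature checked before a firmware image is accepted (item 5), and an HMAC-SHA256 tag on a firmware health-check report (item 6). Assumptions: Go's crypto/rand (the OS CSPRNG) stands in for the SP 800-90 DRBG of a validated module, SHA-256 is used as the ECDSA hash, and the key-size check accepts only the 128- and 256-bit sizes named in the list. The sample file contents, firmware image and health report are constructed for the example. Nothing here makes an implementation FIPS 140-2 validated; validation is a property of the tested module, which is why the check inspects the module's configuration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// ApprovedAESKeySize reports whether a key is one of the 128- or 256-bit
// sizes the policy text names for USB flash drive encryption.
func ApprovedAESKeySize(key []byte) bool {
	return len(key) == 16 || len(key) == 32
}

// NewDataKey draws a 256-bit key from the OS CSPRNG. crypto/rand stands in
// here for the SP 800-90 DRBG a validated module would use (assumption).
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// EncryptCTR encrypts plaintext with AES in CTR mode (one of the listed
// approved modes) and prefixes the random 16-byte IV to the ciphertext.
func EncryptCTR(key, plaintext []byte) ([]byte, error) {
	if !ApprovedAESKeySize(key) {
		return nil, errors.New("AES key must be 128 or 256 bits")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	if _, err := io.ReadFull(rand.Reader, out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], plaintext)
	return out, nil
}

// DecryptCTR reverses EncryptCTR. CTR gives confidentiality only; the
// integrity controls of items 5 and 6 are modelled separately below.
func DecryptCTR(key, data []byte) ([]byte, error) {
	if len(data) < aes.BlockSize {
		return nil, errors.New("ciphertext shorter than IV")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCTR(block, data[:aes.BlockSize]).XORKeyStream(plain, data[aes.BlockSize:])
	return plain, nil
}

// SignFirmware signs SHA-256(image) with an ECDSA P-256 key, the kind of
// signature item 5 requires on firmware updates (SHA-256 is an assumption).
func SignFirmware(priv *ecdsa.PrivateKey, image []byte) ([]byte, error) {
	digest := sha256.Sum256(image)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyFirmware is the check a device runs before accepting an update.
func VerifyFirmware(pub *ecdsa.PublicKey, image, sig []byte) bool {
	digest := sha256.Sum256(image)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// HealthTag authenticates a firmware health-check report with HMAC-SHA256
// (item 6); CheckHealth compares tags in constant time.
func HealthTag(key, report []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(report)
	return m.Sum(nil)
}

func CheckHealth(key, report, tag []byte) bool {
	return hmac.Equal(HealthTag(key, report), tag)
}

func main() {
	key, _ := NewDataKey()
	ct, _ := EncryptCTR(key, []byte("constructed sample: sensitive file contents"))
	pt, _ := DecryptCTR(key, ct)
	fmt.Printf("AES-256-CTR round trip ok: %v\n", string(pt) == "constructed sample: sensitive file contents")
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	image := []byte("constructed firmware image v1.2") // constructed sample, not a real image
	sig, _ := SignFirmware(priv, image)
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 1 // a single flipped bit must invalidate the signature
	fmt.Printf("firmware signature valid: %v, tampered image valid: %v\n",
		VerifyFirmware(&priv.PublicKey, image, sig), VerifyFirmware(&priv.PublicKey, tampered, sig))
	hkey, report := []byte("constructed health-check key"), []byte("health: ok")
	fmt.Printf("health check authenticated: %v\n", CheckHealth(hkey, report, HealthTag(hkey, report)))
}
```

Against an actual device, the assessor does not run code like this; the equivalent of each function is a setting in the vendor's management console (algorithm AES, key size 128 or 256, one of the six listed modes, signed-firmware enforcement), and the check is that those settings are selected. The program only makes concrete what each line item is asking the module to do.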

Fix: F-26927r1_fix

Configure the cryptographic module on a USB thumb drive or external hard drive using a NIST-approved encryption algorithm to encrypt sensitive or restricted data-at-rest.

Use a National Security Agency (NSA)-approved, Type 1 certified data encryption and hardware solution when storing classified information on USB flash media and other removable storage devices.
High - V-24177 - SV-29818r1_rule
RMF Control
Severity
High
CCI
Version
STO-DRV-021
Vuln IDs
  • V-24177
Rule IDs
  • SV-29818r1_rule
The exploitation of this vulnerability will directly and immediately result in loss of, unauthorized disclosure of, or access to classified data or materials. An NSA-approved, Type 1 solution includes the hardware, software, and proof of coordination/approval with NSA for the level of classified data processed by the external storage solution. Information Assurance Officer
Checks: C-30145r1_chk

1. Verify use of an NSA-approved solution which is approved for the level of classified data stored on the device. This solution will be implemented in consultation with NSA and will include the hardware, software, and configuration required for secure implementation of the solution.
2. Verify use of an NSA-certified, Type 1 encryption module for protecting data-at-rest.

Fix: F-26934r1_fix

Use a National Security Agency (NSA)-approved, Type 1 certified solution when storing classified information on USB flash media and other removable storage devices.