{
"stig": {
"date": "2011-01-18",
"description": "None",
"findings": {
"V-22110": {
"checkid": "C-27469r1_chk",
"checktext": "Further policy details:\n\nThis policy applies to devices attached using external Universal Serial Bus (USB), Firewire, or External Serial Advanced Technology Attachment (eSATA) ports. It also applied to devices containing either volatile or persistent (non-volatile) memory (e.g., thumb drives, memory sticks, camera memory cards, external USB hard drives, MP3 players, camcorders, cameras, printers, and network equipment). Blanket approvals by type are acceptable.\n\nDAA approval is required prior to using thumb drives, memory sticks, and memory cards. DAAs may designate alternate flash media approving officials who are O-6 or equivalent.\n\nApprovers will restrict flash media approvals to mission essential requirements. \n\nInformation Assurance Officer (IAO) approval is sufficient and necessary for use of externally connected hard disk drives and other persistent memory devices. This requirement also applies to devices that attach to external USB, firewire, or eSATA ports on end points attached to government systems containing non-public releasable data or attached to DoD networks.\n\nApprovers will not authorize use or purchase of removable storage devices that are disguised to look like common items such as pens or bracelets. Disguised storage devices may be easily overlooked in a spot security search.\n\nCheck:\n1. Verify an approval document signed by the IAO exists for the use of each type of USB device by device ID.\n\n2. Verify an approval document signed by the DAA (or alternative approving official) exists for the use of flash drives, flash media readers, and memory cards. \n\n3. Compare the approval documents to the device types listed on the required USB devices equipment list.\n \nNOTE: The approval document may be a blanket approval by type of device (e.g., approved use of USB keyboard and mouse throughout the organization).",
"description": "Use of unapproved devices to process non-publicly releasable data increases the risk to the network. Devices attached to or inserted into the end point's plug-and-play ports and slots can be a vector for the insertion of malware when used to access the network. Storage devices are portable and can be easily concealed. Devices with volatile memory (erased when not connected) may contain internal batteries that also pose a threat to attached systems. Requiring approval prior to use of these devices heightens awareness of the threat, limits the potential use of contaminated devices, and allows for proper tracking and control. Designated Approval Authority (DAA) approval of flash memory devices is required by the United States Cyber Command (USCYBERCOM) Communications Task Order (CTO) 10-004A Removable Flash Media Device Implementation within and between Department of Defense (DoD) Networks (U/FOUO) (or latest version of this CTO). ",
"fixid": "F-23556r1_fix",
"fixtext": "Require approval prior to allowing use of portable storage devices.",
"iacontrols": [
"ECSC-1"
],
"id": "V-22110",
"ruleID": "SV-25612r3_rule",
"severity": "high",
"title": "Require approval prior to allowing use of portable storage devices.",
"version": "STO-ALL-010"
},
"V-22111": {
"checkid": "C-27094r1_chk",
"checktext": "Further policy details:\n\nIn accordance with the DoD data-at-rest (DAR) policy, access control is required to protect data not approved for public release. The DoD Enterprise Software Initiative (ESI) blanket purchase agreements program requires all products support encryption and a FIPS 140-2 password, PIN, or passphrase.\n\nAccess control can be implemented using either software or hardware. The recommended best practice is to purchase devices that include built-in security features, including on-board or hardware encryption, password management, key management, and malware protection. Several manufacturers offer drives with these features. \n\nA USB thumb drive security vulnerability was discovered by a German company that describes a security flaw that allows an attacker to use a very simple software tool that can unlock any of the affected hardware-encrypted storage devices and bypass the access control system. This exploit worked on several thumb drive models that were FIPS 140-2 validated. Thus, it is imperative that organizations use thumb drives which are on the DAR contract.\n\nThe following DoD policies apply to access control solutions for all USB storage devices.\n\n- Use of password or PIN to access the encrypted storage device. Certificate-based authentication can be used but is not madated. \n\n- For devices with on-board access control and encryption features, the system administrator will configure these security features prior to issuance. Default PINs and passwords will be changed prior to use.\n\n- Password and/or key management procedures will be established for systems storing mission-critical information. \n\nCheck procedure:\n\nInterview the site representative and perform the following procedures. \n\n1. Inspect a sampling of the different types of USB storage devices used. \n2. 
Verify that a password or PIN is required to gain access to the data stored on the USB device by attempting access.\n\nMark as a finding if a PIN or password are not set.\n",
"description": "If USB media and devices are not protected by strong access control techniques, unauthorized access may put sensitive data at risk. Data-at-rest encryption products will be configured to require a user-chosen PIN prior to unencrypting the drive. Users must choose a strong PIN. Implementation of access control on persistent memory devices helps to ensure that sensitive information is accessed only by authorized and authenticated individuals.",
"fixid": "F-23196r1_fix",
"fixtext": "Access to mobile and removable storage devices such as USB thumb drives and external hard disk drives will be protected by password, PIN, or passphrase.",
"iacontrols": [
"ECCD-1",
"ECCD-2"
],
"id": "V-22111",
"ruleID": "SV-25614r2_rule",
"severity": "high",
"title": "Access to mobile and removable storage devices such as USB thumb drives and external hard disk drives will be protected by password, PIN, or passphrase.",
"version": "STO-DRV-010"
},
"V-22112": {
"checkid": "C-27097r1_chk",
"checktext": "Further policy details:\n\nNSA-approved tools must be used for scanning and wiping all external storage drives and media prior to first time use. \n\nA list of NSA-approved tools, approved specifically for scanning and wiping flash media is available at https://www.cybercom.mil/default.aspx. These are the only approved tools for flash media.\n\nCheck procedure:\n\n1. Interview the site representative. \n2. Ask if devices are wiped using approved software and procedures prior to using the drive to store or transfer DoD files.\n3. Mark as a finding if this is a Windows system and USCYBERCOM-approved tools are not used for scanning and wiping flash media prior to fist time use.\n4. Mark as a finding for all devices where the disk is not wiped before first-time use.",
"description": "Removable media often arrives from the vendor with many files already stored on the drive. These files may contain malware or spyware which present a risk to DoD resources. ",
"fixid": "F-23199r1_fix",
"fixtext": "For all USB flash media (thumb drives) and external hard disk drives, use an approved method to wipe the device before using for the first-time. ",
"iacontrols": [
"DCBP-1"
],
"id": "V-22112",
"ruleID": "SV-25617r2_rule",
"severity": "medium",
"title": "For all USB flash media (thumb drives) and external hard disk drives, use an approved method to wipe the device before using for the first-time. ",
"version": "STO-DRV-030"
},
"V-22113": {
"checkid": "C-27100r1_chk",
"checktext": "Further policy details:\n\n1. This policy applies to USB thumb drives and external hard drives. \n\n2. Since memory card, cameras, and other similar technologies do not have approved encryption solutions, these devices must be used only with DAA approval. However, compliance with HBSS/DCM and other STIG requirements is required.\n\n3. Purchase of all USB thumb drives and USB portable hard disk drives from the ESI contract as required by STO-DRV-005, will ensure that products have the capablility of implementing FIPS 140-2 validated encryption.\n\n4. For USB thumb drives, use an on-board cryptographic module. For USB external hard disk drives, an on-board module is not mandated.\n\n5. For USB thumb drives, use of FIPS 140-2 validated tamper-resistant and tamper-evident design with cryptographic chip protection. This is generally not visible on the case, thus the site representative will provide the reviewer with the device documentation showing this feature.\n\n6. For USB hard drives, tamper resistant features are required for drives which are used for mobile, remote, or portable storage.\n\nCheck procedure:\n\n1. Inspect a sample of USB thumb drives and portable storage devices. Verify, if the device is authorized for use with sensitive unclassifed data, that encryption is used.\n\n2. Verify that the encryption product used is compliant. Ask the site representative to provide documentation that the devices used were purchased through the DoD ESI contract, as required by STO-DRV-005.\n\nIf the device was not purchased from the ESI contract, then it is not known to meet the above requirements, so mark this policy as a finding.",
"description": "If information deemed sensitive (non-publicly releasable) by the data-owner is not encrypted when stored on removable storage media, this can lead to the compromise of unclassified sensitive data. These devices are portable and are often lost or stolen which makes the data more vulnerable than other storage devices. ",
"fixid": "F-23202r1_fix",
"fixtext": "Encrypt sensitive but unclassified data when stored on a USB flash drive and external hard disk drive. ",
"iacontrols": [
"ECCR-1"
],
"id": "V-22113",
"ruleID": "SV-25620r2_rule",
"severity": "medium",
"title": "Encrypt sensitive but unclassified data when stored on a USB flash drive and external hard disk drive. ",
"version": "STO-DRV-020"
},
"V-22114": {
"checkid": "C-27101r1_chk",
"checktext": "Further policy details:\n\nUsers will be trained to ensure devices are powered off for at least 60 seconds when disconnecting them from one system and connecting them to a different system to make sure enough time passes for all power to dissipate and the memory erased. Devices that contain volatile memory use the memory for temporary storage (e.g., page buffers in printers, image buffers in scanners, or cache buffers in removable storage devices like Zip drives). Special note should be made of USB hubs as they contain memory buffers even though it is not obvious. When power is removed from these devices by unplugging them from the port and unplugging them from a separate power supply if one is needed, their memory is erased. Because these devices are designed to withstand minor fluctuations in power, they contain some means of maintaining memory for short power interruptions. \n\nCheck procedures:\n\nInspect the relevant document. Verify the documentation or user agreement contains the following at a minimum.\n\nVolatile memory devices:\n\n1. Acceptable use and approval process for the use of volatile memory devices. \n2. Powering down volatile memory devices for 60 seconds before connecting to any end point.\n3. Labeling and handling instructions in coordination with the Security Manager (SM).\n4. Procedures for reporting lost/stolen devices.\n\nPersistent memory devices:\n\n1. Acceptable use and approval process for the use of all USB devices.\n2. Acceptable use and approval process for the use of flash media devices with the Windows OS.\n3. An explanation of the restrictions placed on attaching non-government-owned USB devices to a government-owned system. \n4. Use of authorized government-owned flash drives with personal or other unauthorized computers.\n5. Data transfer and wiping procedures.\n6. The prohibition against disguised USB drives.\n7. Labeling and handling instructions in coordination with the Security Manager (SM).\n8. 
Procedures for reporting lost or stolen devices.",
"description": "Written user guidance gives the users a place to learn about updated guidance on user responsibilities for safeguarding DoD information assets. Most security breaches occur when users violate security policy because they lack training. ",
"fixid": "F-23203r1_fix",
"fixtext": "Train all users on the secure use of removable media and storage devices, acceptable use policy, and approval process through use of user's guide, user's agreement, or training program. \n\n\n.",
"iacontrols": [
"PRRB-1"
],
"id": "V-22114",
"ruleID": "SV-25621r1_rule",
"severity": "low",
"title": "Train all users on the secure use of removable media and storage devices, acceptable use policy, and approval process through use of user's guide, user's agreement, or training program. ",
"version": "STO-ALL-050"
},
"V-22115": {
"checkid": "C-27103r1_chk",
"checktext": "Further policy details:\n\nSome systems do not have a setting for disabling boot from USB or other types of ports. In these cases, \"Boot from USB\" or other interface connection types should be moved to last in the boot device list in the BIOS. The risk is lessened but not mitigated, so the reviewer will mark this as a CAT II finding.\n\nCheck procedure:\n\n1. Inspect the BIOS settings. Navitage to the boot order configuration tab. \n\n2. Work with the site representative to verify that no end point has its BIOS set to allow a default boot from an external port. \n\n3. Verify that a system can be booted from a USB, firewire, or eSATA device for maintenance or recovery purposes, but it will not be allowed to do so when in normal use. ",
"description": "If the BIOS is left set to allow the end point to boot from a device attached to the USB, firewire, or eSATA port, an attacker could use a USB device to force a reboot by either performing a hardware reset or cycling the power. This can lead to a denial of service attack or the compromise of sensitive data on the system and the network to which it is connected.",
"fixid": "F-23205r1_fix",
"fixtext": "Set boot order of computers approved for use with removable storage such that the BIOS does not allow default booting from devices attached to a USB, firewire, or eSATA port.",
"iacontrols": [
"DCBP-1"
],
"id": "V-22115",
"ruleID": "SV-25623r1_rule",
"severity": "high",
"title": "Set boot order of computers approved for use with removable storage such that the Basic Input Output System (BIOS) does not allow default booting from devices attached to a USB, firewire, or eSATA port.",
"version": "STO-ALL-040"
},
"V-22169": {
"checkid": "C-27325r1_chk",
"checktext": "Interview the IAO or site representative. \n\nAdd the \u201cWireless Peripheral\u201d asset posture in VMS to the end point asset (e.g., desktop or notebook) and complete the Bluetooth checks as part of the workstation or end point security review.",
"description": "The use of unauthorized wireless devices can compromise DoD computers, networks, and data. The receiver for a wireless end point provides a wireless port on the computer that could be attacked by a hacker. Wireless transmissions can be intercepted by a hacker and easily viewed if required security is not used.",
"fixid": "F-23392r1_fix",
"fixtext": "For Wireless USB (WUSB) devices, comply with the Wireless STIG peripheral devices policy. \n",
"iacontrols": [
"ECSC-1"
],
"id": "V-22169",
"ruleID": "SV-25806r1_rule",
"severity": "medium",
"title": "For Wireless USB (WUSB) devices, comply with the Wireless STIG peripheral devices policy. \n",
"version": "USB-WUSB-010"
},
"V-22172": {
"checkid": "C-27321r1_chk",
"checktext": "Further policy details:\n\nTrack all devices: Flash media, external hard drives, CAC readers, printers, scanners, and other devices attached to USB, firewire, or eSata ports.\n \nNOTE: This requirement does not apply to keyboard and mice that do not contain persistent memory. \n\nNOTE: See Wireless STIG for security requirements for wireless keyboards and mice.\n\nCheck procedure:\n\nInspect the equipment list that is used to track flash media, external storage, and/or externally connected peripheral devices. Verify that identifying information is tracked and the list is kept updated as new equipment is replaced or purchased. \n\nThe following data must be included:\n1. Bar Code Tag or serial number.\n2. Type of device.\n3. Name and contact information of person to whom the device is issued.\n4. If the device was transferred, note disposition information such as date wiped and transferred.",
"description": "Many persistent memory media or devices are portable, easily stolen, and contain sensitive data. If these devices are lost or stolen, it may take a while to discover that sensitive information has been lost. Inventory and bar-coding of authorized devices will increase the organization\u2019s ability to uncover unauthorized portable storage devices.",
"fixid": "F-23388r1_fix",
"fixtext": "Maintain a list of approved removable storage media or devices.",
"iacontrols": [
"ECSC-1"
],
"id": "V-22172",
"ruleID": "SV-25810r3_rule",
"severity": "low",
"title": "Maintain a list of approved removable storage media or devices.",
"version": "STO-ALL-030"
},
"V-22173": {
"checkid": "C-27322r1_chk",
"checktext": "Further policy details:\n\nUse of coalition-owned devices, or devices owned by another government agency, though permitted, would require DAA approval and must be essential to mission requirements.\n\nCheck procedures:\n\nInterview the site representative and ask the following questions.\n1. Are non-DoD devices, such as personally- or contractor-owned devices used for data storage and/or transfer?\n2. Are these devices allowed for use with end points containing non-publicly releasable information?\n3. Are these devices allowed for use with end points that (periodically or frequently) attach to networks that process non-publicly releasable information.\n\nIf personally- or contractor-owned devices are in use, this is a finding. ",
"description": "Persistent memory devices (e.g., thumb drives, memory cards, external hard drives, or other removable storage devices) may contain malware installed on the drive or within the firmware. Personally- or contractor-owned devices may not be compliant with rigorous standards for encryption, anti-virus, and data wiping that is required for the use of removable storage devices in DoD. Therefore, use of personal devices in PCs attached to the network may put the network at risk. ",
"fixid": "F-23389r1_fix",
"fixtext": "Permit only government-procured and -owned devices.",
"iacontrols": [
"ECSC-1"
],
"id": "V-22173",
"ruleID": "SV-25811r3_rule",
"severity": "high",
"title": "Permit only government-procured and -owned devices.",
"version": "STO-ALL-020"
},
"V-22174": {
"checkid": "C-27323r1_chk",
"checktext": "Further policy details:\n\n1. The minimum HMAC for signature algorithm values are HMAC-SHA256 and Rivest-Shimir-Alderman (RSA) 2048 or better. \n\n2. This requirement applies to USB thumb drives. This requirement also applies to external hard disk drives regardless of connection type (e.g., eSATA, firewire, or USB). \n\n3. This requirement applies to media and devices used for storage of high value data or for transfer between systems with differing classification or trust levels (e.g., contrator to government system).\n\n4. Use of approved devices will ensure use of products with this feature.\n\nCheck:\n\nVerify use of approved devices from the DAR-approved products list for flash drive and removable storage devices. ",
"description": "Several security incidents have occurred when the firmware on devices contained malware. For devices used to store or transfer sensitive information, if the firmware is signed, then this provides added assurance that the firmware has not been compromised.",
"fixid": "F-23390r1_fix",
"fixtext": "Firmware on the USB flash drive and external hard drive will be signed and verified with either Hashed Message Authentication Code (HMAC) or digital signatures. ",
"iacontrols": [
"DCNR-1"
],
"id": "V-22174",
"ruleID": "SV-25812r1_rule",
"severity": "low",
"title": "Firmware on the USB flash drive and external hard drive will be signed and verified with either Hashed Message Authentication Code (HMAC) or digital signatures. ",
"version": "STO-DRV-040"
},
"V-22175": {
"checkid": "C-27332r1_chk",
"checktext": "Inspect the DAA-approved documentation of flash media procedures. Verify that the DAA or the designated Flash Media Approval Authority has established documentation on using flash media devices. Documentation must be signed by the DAA or his/her alternate and will include the following at a minimum:\n\n1. Types of flash media (e.g., thumb drives, camera memory) that may be used in the organization under its area of responsibility and by whom.\n\n2. Procedures for identifying, reporting, and investigating violations of the acceptable use policy.\n\n3. Procedures for random and periodic inspections to ensure compliance.\n\n4. Procedures for approval/disapproval of flash media use requests.",
"description": "USB flash media may have malware installed on the drive which may adversely impact the DoD network. Even the use of approved devices does not eliminate this risk. Use of sound security practices and procedures will further mitigate this risk when using flash media.",
"fixid": "F-23393r2_fix",
"fixtext": "Data transfers using USB flash media (thumb drives) will comply with the requirements in the CTO 10-084 (or most recent version) and these procedures will be documented.",
"iacontrols": [
"ECSC-1"
],
"id": "V-22175",
"ruleID": "SV-25813r1_rule",
"severity": "medium",
"title": "Data transfers using USB flash media (thumb drives) will comply with the requirements in the CTO 10-004(A or most recent version) and these procedures will be documented.",
"version": "STO-FLSH-010"
},
"V-22176": {
"checkid": "C-27333r1_chk",
"checktext": "Further policy details:\n\nThis check applies only to end points using Windows OS that use flash media devices. \n\nCheck Procedure:\n\nInspect the end points. Ensure the following:\n\n1. HBSS is installed and configured in compliance with the HBSS STIG. The site may provide the results of an SRR review or self-inspection. \n\n2. Verify DCM is installed and configured to allow only authorized flash media devices by using a device identifier or serial number.\n\n3. Verify DCM is configured in accordance with the CTO 10-004(A or updated version). \n\n4. If the HBSS/DCM solution is not used, an alternate solution which performs the required security functions is required, and this alternative must be approved by USCYBERCOM.",
"description": "Because of the innate security risks involved with using a USB flash media, an access control and authorization method is needed. DCM software provides granular end point access control and management of removable media. Currently, DCM only supports the Windows operating system (OS).",
"fixid": "F-23394r1_fix",
"fixtext": "Install and configure Host-Based Security System (HBSS) with Device Control Module (DCM) on all Windows host computers that will use USB flash media (thumb drives). ",
"iacontrols": [
"ECSC-1"
],
"id": "V-22176",
"ruleID": "SV-25814r1_rule",
"severity": "medium",
"title": "Install and configure Host-Based Security System (HBSS) with Device Control Module (DCM) on all Windows host computers that will use USB flash media (thumb drives). ",
"version": "STO-FLSH-040"
},
"V-22177": {
"checkid": "C-27334r1_chk",
"checktext": "Further policy details:\n\nHBSS DCM configuration guidance is located at www.dodpatchrepository.mil.\n\nCheck procedures:\n\n1. View the configuration of the DCM module.\n \n2. Verify that DCM is configured to allow or deny approved USB devices based on specific device parameters (i.e., serial number and device instance ID), device driver type (e.g., external USB storage device), and/or a specific host end point or user.",
"description": "Because of the innate security risks involved with using USB flash media, users must follow required access procedures. Restricting specific devices to each user allows for non-repudiation and audit tracking.",
"fixid": "F-23395r1_fix",
"fixtext": "For end points using Windows operating systems, USB flash media will be restricted by a specific device or by a unique identifier (e.g., serial number) to specific users and machines.",
"iacontrols": [
"ECSC-1"
],
"id": "V-22177",
"ruleID": "SV-25815r1_rule",
"severity": "medium",
"title": "For end points using Windows operating systems, USB flash media will be restricted by a specific device or by a unique identifier (e.g., serial number) to specific users and machines.",
"version": "STO-FLSH-050"
},
"V-23894": {
"checkid": "C-29515r1_chk",
"checktext": "Further policy details: \n\nPersonnel do not have to be matched to a particular machine or device. This check applies only to flash media devices.\n\nCheck procedure:\n\n1. Inspect the USB authorized personnel listing provided by the site representative. \n2. Verify that the list contains names and current contact information at a minimum.\n",
"description": "Many USB flash media devices are portable, easily stolen, and may be used to temporarily store sensitive information. If these devices are lost or stolen, it will assist the investigation if personnel who use these devices are readily identified with contact information.",
"fixid": "F-26579r1_fix",
"fixtext": "Maintain a list of all personnel that have been authorized to use flash media.",
"iacontrols": [
"ECSC-1"
],
"id": "V-23894",
"ruleID": "SV-28850r1_rule",
"severity": "low",
"title": "Maintain a list of all personnel that have been authorized to use flash media.",
"version": "STO-FLSH-020"
},
"V-23895": {
"checkid": "C-29516r1_chk",
"checktext": "Further check details:\n\nSystem does not have to be tied to a single specific device or individual on the listing.\n\nCheck procedure:\n\n1. Inspect the USB authorized end point listing. \n2. Verify that identifying information such as device serial number and location is tracked on the listing.",
"description": "Many USB persistent memory devices are portable and easily overlooked. They may be used as a vector for exfiltrating data. To help mitigate this risk, end points must be designated as properly authorized and configured for use with USB flash drives within the DoD. ",
"fixid": "F-26580r1_fix",
"fixtext": "Maintain a list of all end point systems that have been authorized for use with flash media.",
"iacontrols": [
"ECSC-1"
],
"id": "V-23895",
"ruleID": "SV-28851r1_rule",
"severity": "low",
"title": "Maintain a list of all end point systems that have been authorized for use with flash media.",
"version": "STO-FLSH-030"
},
"V-23896": {
"checkid": "C-29519r1_chk",
"checktext": "Verify use of the DAR contract for purchase of removable storage devices. The site representative may provide documentation that the product is on the approved DAR products list.\n\nThe list of approved flash media can be obtained from the USCYBERCOM website: https://www.jtfgno.mil/.\n\n\n",
"description": "The DoD Policy Memorandum \"Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage Media\" requires that remote and mobile\ndrives be encrypted using FIPS 140-2 modules. With a few exceptions, products must be\nprocured from the DAR contract. DoD components must purchase DAR encryption products to\nprotect DoD DAR on mobile computing devices and removable storage media through the ESI or\nGSA SmartBuy BPAs. Exceptions would be if those encryption products were FIPS 140-2\ncompliant and included as an integral part of other products, such as Vista BitLocker, or if the\ncryptographic modules are approved by NSA (with formal NSA Approval Letter).",
"fixid": "F-26585r1_fix",
"fixtext": "DoD components will purchase removable storage media and DAR products from the DoD ESI blanket purchase agreements program.",
"iacontrols": [
"ECSC-1"
],
"id": "V-23896",
"ruleID": "SV-28852r1_rule",
"severity": "low",
"title": "DoD components will purchase removable storage media and Data at Rest (DAR) products from the DoD Enterprise Software Initiative (ESI) blanket purchase agreements program.",
"version": "STO-DRV-005 "
},
"V-23919": {
"checkid": "C-29524r2_chk",
"checktext": "Further policy details:\n\nAll enterprise and host systems will be configured to perform on-access scanning for viruses/malware upon introduction to a system. If the destination device (e.g., router, camera, or printer) does not support on-access scanning, ensure data is scanned before loading. Reference the Intellipedia webpage related to HBSS for additional guidance regarding proper configuration and scanning capabilities of DoD-approved antivirus software.\n\nThe antivirus scanning on the host is configured in compliance with the Antivirus Security Guidance (available at http://iase.disa.mil/stigs/checklist/index.html) and the latest version of CTO 10-084 requirements.\n\nCheck procedures:\n\n1. Inspect a sampling of external drives, USB thumb drives, and other removable storage drives such as cameras.\n\n2. View the process of attaching these devices to an authorized host and verify that files are inspected by the anti-virus software when retrieved on access. \n\n3. Ask the site representative for evidence that verifies that a security review using the Antivirus Security Guidance and the latest version of CTO 10-084 requirements has been performed.\n\n4. Interview the IAO or site representative and verify that incident response procedures include flash media and external hard drive storage devices.",
"description": "Like the traditional hard drive, removable storage devices and media may contain malware which may threaten DoD systems to which they eventually directly or indirectly attach. To mitigate this risk, DoD policy requires anti-virus and malware detection solutions.",
"fixid": "F-26592r1_fix",
"fixtext": "The host system will perform on-access anti-virus and malware checking, regardless of whether the flash memory device has software or hardware malware features.\n",
"iacontrols": [
"ECSC-1"
],
"id": "V-23919",
"ruleID": "SV-28875r1_rule",
"severity": "medium",
"title": "The host system will perform on-access anti-virus and malware checking, regardless of whether the external storage or flash drive has software or hardware malware features.\n",
"version": "STO-ALL-070"
},
"V-23920": {
"checkid": "C-29525r1_chk",
"checktext": "Further policy details:\n\nThis requirement applies to flash media. \n\nHigher risk categories are defined as:\n1. Data transfers to or from non-DoD systems\n2. Special cases when data must traverse different classification domains\n\nHigher risk data transfer procedures for USB thumb drives:\n1. Insert/Unlock USB thumb drive.\n2. Load file from the source network.\n3. Scan flash media device with NSA\u2018s FiST.\n4. Set USB thumb drive to read only mode, if possible.\n5. Scan file using scanning software on the destination network.\n6. Load file to destination network.\n7. Use ME to wipe device when data is no longer needed.\n\nHigher risk data transfer procedures for memory cards:\n1. Insert card into card reader.\n2. Insert card reader (if separate) into NSA's FiST.\n3. Scan disk drive created by memory card using FiST.\n4. Scan disk drive created by the memory card using scanning software on the destination network.\n5. Load file to destination network.\n7. Use ME to wipe device when data is no longer needed.\n\nCheck procedures:\n\n1. Interview the site representative. \n2. Ask if higher risk data transfers, as outlined above, are performed. If so, ask how this transfer is done and verify compliance with above procedure. ",
"description": "These NSA-approved tools are built upon the Assured File Transfer guard, which is an approved Unified Cross Domain Management Office (UCDMO) file transfer Cross Domain Solution. Use of these tools with the procedures listed in the Check section is the only authorized method for using flash media for higher risk data transfers.",
"fixid": "F-26594r1_fix",
"fixtext": "For higher risk data transfers using thumb drives, the File Sanitization Tool (FiST) with Magik Eraser (ME) will be used.",
"iacontrols": [
"ECSC-1"
],
"id": "V-23920",
"ruleID": "SV-28876r1_rule",
"severity": "medium",
"title": "For higher risk data transfers using thumb drives, use the File Sanitization Tool (FiST) with Magik Eraser (ME) to protect against malware and data compromise.",
"version": "STO-FLSH-070"
},
"V-23921": {
"checkid": "C-29526r1_chk",
"checktext": "Further policy details:\n\nThis requirement applies to removable storage media and other persistent memory devices that are recovered after a loss or theft. This also applies to cases where the organization failed to maintain positive physical control commensurate with the classification of the data authorized to be transferred.\n\nReclaimed media and drives will be scanned (using FiST) for malicious activity and wiped (using ME) immediately when the data is no longer needed.\n\nReclamation procedures:\n1. Insert or access device.\n2. Scan device with NSA's FiST.\n3. Wipe device using ME.\n\nCheck procedures:\n\n1. Interview the site representative.\n2. Verify that the reclamation procedures outlined above are being followed if/when lost, stolen, or misplaced flash media and external hard drives are recovered.",
"description": "Failure to maintain proper control of storage devices used in sensitive systems may mean that the firmware or other files could have been compromised. Action is needed to scan for malicious code. Although the data on the device is most likely protected by encryption and authentication controls, it is still possible that a sophisticated attacker may have compromised the device. The risk to the system and the network increases if the device is used on a server or by a user with administrator privileges.",
"fixid": "F-26595r1_fix",
"fixtext": "Removable storage devices for which the organization has failed to maintain physical control will be scanned for malicious activity upon reclamation.",
"iacontrols": [
"ECSC-1"
],
"id": "V-23921",
"ruleID": "SV-28877r1_rule",
"severity": "medium",
"title": "Removable storage devices for which the organization has failed to maintain physical control will be scanned for malicious activity upon reclamation.",
"version": "STO-DRV-060"
},
"V-23950": {
"checkid": "C-29531r1_chk",
"checktext": "Further policy details:\n\n1. This requirement applies to all flash media devices, including memory cards and USB devices.\n\n2. DCM will be configured to monitor all flash media, including camera memory, if it is used for non-publicly releasable information storage or to connect to clients attached to DoD networks.\n\nCheck procedure:\n\nInspect the end points and ensure the following.\n1. Verify that if USB thumb drives are used, then HBSS/DCM is used to track usage.\n\n2. Inspect to see if memory cards are used for non-publicly releasable data or are directly or indirectly attached to the NIPRNet or the SIPRNet.\n\n3. If either of these is true, then verify use of HBSS/DCM to monitor their usage.",
"description": "Because of the innate security risks involved with using flash media, an access control and authorization method is needed. DCM software provides granular end point access control and management of removable media. Currently, DCM only supports the Windows operating system.",
"fixid": "F-26611r1_fix",
"fixtext": "Organizations that do not have a properly configured HBSS with DCM configuration will not use flash media.",
"iacontrols": [
"ECSC-1"
],
"id": "V-23950",
"ruleID": "SV-28906r1_rule",
"severity": "medium",
"title": "Organizations that do not have a properly configured HBSS with DCM configuration will not use flash media.",
"version": "STO-FLSH-060"
},
"V-24176": {
"checkid": "C-30119r2_chk",
"checktext": "Further policy details:\nIn accordance with CTO 10-084, USB thumb drives will be configured to meet the following requirements. External hard disk drives used for remote or portable storage of sensitive information must also meet these requirements unless exceptions are approved by the DAA.\n\n1. The Random Number Generator shall follow NIST SP 800-90 or FIPS 140-2 Annex C and support the key size used for AES.\n\n2. The USB flash drive data encryption algorithm shall be AES using the appropriate key size (128 or 256-bit key) in one of the following modes: CBC, CCM, CFB, CTR, OFB and XTS.\n\n3. The implementation must meet FIPS 140-2, FIPS PUB 197, and NIST SP 800-38A.\n\n4. Must support the ability to enter a strong passphrase/password that meets FIPS 140-2 standards.\n\n5. Firmware updates on the USB device will be signed and verified using RSA 2048 or ECDSA with P-256.\n\n6. Firmware health checks should be authenticated with either a Hashed Message Authentication Code (HMAC-SHA256) or a digital signature (RSA 2048 or ECDSA P-256).\n\nCheck procedures:\n1. Work with the site representative to view the configuration of the encryption module used with the thumb drive or external hard drive.\n\n2. Verify that AES is selected to be used as the encryption algorithm.\n\n3. Verify that the configuration requirements listed in the Further policy details section of this check are configured.\n\nMark as a finding if any of the AES configuration requirements are not selected. To provide the required level of trust, AES must be configured correctly since these settings mitigate known risks to the stored data.",
"description": "The DoD DAR policy requires encryption for portable and mobile storage. However, even when a FIPS 140-2 validated cryptographic module is used, the implementation must be configured to use a NIST-approved algorithm. Advanced Encryption Standard (AES) is the most commonly available FIPS-approved algorithm and is required for use with USB thumb drives by CTO 10-004 (latest version). The encryption algorithm must also be configured. Without this granular configuration, full protection of data encryption is not achieved and the data may be accessible if the drive is lost or stolen.",
"fixid": "F-26927r1_fix",
"fixtext": "Configure the cryptographic module on a USB thumb drive or external hard drive using a NIST-approved encryption algorithm to encrypt sensitive or restricted data-at-rest.",
"iacontrols": [
"ECSC-1"
],
"id": "V-24176",
"ruleID": "SV-29816r1_rule",
"severity": "low",
"title": "Configure the cryptographic module on a USB thumb drive or external hard drive using a NIST-approved encryption algorithm to encrypt sensitive or restricted data-at-rest.",
"version": "STO-DRV-025"
},
"V-24177": {
"checkid": "C-30145r1_chk",
"checktext": "1. Verify use of an NSA-approved solution which is approved for use for the level of classified data stored on the device. This solution will be implemented in consultation with NSA and will include the hardware, software, and configuration required for secure implementation of the solution.\n\n2. Verify use of an NSA-certified, Type 1 encryption module for protecting data-at-rest.",
"description": "The exploitation of this vulnerability will directly and immediately result in loss of, unauthorized disclosure of, or access to classified data or materials. An NSA-approved, Type 1 solution includes the hardware, software, and proof of coordination/approval with NSA for the level of classified data processed by the external storage solution.",
"fixid": "F-26934r1_fix",
"fixtext": "Use a National Security Agency (NSA), Type 1 certified solution when storing classified information on USB flash media and other removable storage devices.",
"iacontrols": [
"ECCT-2"
],
"id": "V-24177",
"ruleID": "SV-29818r2_rule",
"severity": "high",
"title": "Use a National Security Agency (NSA)-approved, Type 1 certified data encryption and hardware solution when storing classified information on USB flash media and other removable storage devices.",
"version": "STO-DRV-021"
}
},
"profiles": {
"MAC-1_Classified": {
"description": "",
"findings": {
"V-22110": "true",
"V-22111": "true",
"V-22112": "true",
"V-22113": "true",
"V-22114": "true",
"V-22115": "true",
"V-22169": "true",
"V-22172": "true",
"V-22173": "true",
"V-22174": "true",
"V-22175": "true",
"V-22176": "true",
"V-22177": "true",
"V-23894": "true",
"V-23895": "true",
"V-23896": "true",
"V-23919": "true",
"V-23920": "true",
"V-23921": "true",
"V-23950": "true",
"V-24176": "true",
"V-24177": "true"
},
"id": "MAC-1_Classified",
"title": "I - Mission Critical Classified"
},
"MAC-1_Public": {
"description": "",
"findings": {
"V-22110": "true",
"V-22111": "true",
"V-22112": "true",
"V-22113": "true",
"V-22114": "true",
"V-22115": "true",
"V-22169": "true",
"V-22172": "true",
"V-22173": "true",
"V-22174": "true",
"V-22175": "true",
"V-22176": "true",
"V-23894": "true",
"V-23895": "true",
"V-23896": "true",
"V-23919": "true",
"V-23920": "true",
"V-23921": "true",
"V-23950": "true",
"V-24176": "true",
"V-24177": "true"
},
"id": "MAC-1_Public",
"title": "I - Mission Critical Public"
},
"MAC-1_Sensitive": {
"description": "",
"findings": {
"V-22110": "true",
"V-22111": "true",
"V-22112": "true",
"V-22113": "true",
"V-22114": "true",
"V-22115": "true",
"V-22169": "true",
"V-22172": "true",
"V-22173": "true",
"V-22174": "true",
"V-22175": "true",
"V-22176": "true",
"V-22177": "true",
"V-23894": "true",
"V-23895": "true",
"V-23896": "true",
"V-23919": "true",
"V-23920": "true",
"V-23921": "true",
"V-23950": "true",
"V-24176": "true",
"V-24177": "true"
},
"id": "MAC-1_Sensitive",
"title": "I - Mission Critical Sensitive"
},
"MAC-2_Classified": {
"description": "",
"findings": {
"V-22110": "true",
"V-22111": "true",
"V-22112": "true",
"V-22113": "true",
"V-22114": "true",
"V-22115": "true",
"V-22169": "true",
"V-22172": "true",
"V-22173": "true",
"V-22174": "true",
"V-22175": "true",
"V-22176": "true",
"V-22177": "true",
"V-23894": "true",
"V-23895": "true",
"V-23896": "true",
"V-23919": "true",
"V-23920": "true",
"V-23921": "true",
"V-23950": "true",
"V-24176": "true",
"V-24177": "true"
},
"id": "MAC-2_Classified",
"title": "II - Mission Support Classified"
},
"MAC-2_Public": {
"description": "",
"findings": {
"V-22110": "true",
"V-22111": "true",
"V-22112": "true",
"V-22113": "true",
"V-22114": "true",
"V-22115": "true",
"V-22169": "true",
"V-22172": "true",
"V-22173": "true",
"V-22174": "true",
"V-22175": "true",
"V-22176": "true",
"V-23894": "true",
"V-23895": "true",
"V-23896": "true",
"V-23919": "true",
"V-23920": "true",
"V-23921": "true",
"V-23950": "true",
"V-24176": "true",
"V-24177": "true"
},
"id": "MAC-2_Public",
"title": "II - Mission Support Public"
},
"MAC-2_Sensitive": {
"description": "",
"findings": {
"V-22110": "true",
"V-22111": "true",
"V-22112": "true",
"V-22113": "true",
"V-22114": "true",
"V-22115": "true",
"V-22169": "true",
"V-22172": "true",
"V-22173": "true",
"V-22174": "true",
"V-22175": "true",
"V-22176": "true",
"V-22177": "true",
"V-23894": "true",
"V-23895": "true",
"V-23896": "true",
"V-23919": "true",
"V-23920": "true",
"V-23921": "true",
"V-23950": "true",
"V-24176": "true",
"V-24177": "true"
},
"id": "MAC-2_Sensitive",
"title": "II - Mission Support Sensitive"
},
"MAC-3_Classified": {
"description": "",
"findings": {
"V-22110": "true",
"V-22111": "true",
"V-22112": "true",
"V-22113": "true",
"V-22114": "true",
"V-22115": "true",
"V-22169": "true",
"V-22172": "true",
"V-22173": "true",
"V-22174": "true",
"V-22175": "true",
"V-22176": "true",
"V-22177": "true",
"V-23894": "true",
"V-23895": "true",
"V-23896": "true",
"V-23919": "true",
"V-23920": "true",
"V-23921": "true",
"V-23950": "true",
"V-24176": "true",
"V-24177": "true"
},
"id": "MAC-3_Classified",
"title": "III - Administrative Classified"
},
"MAC-3_Public": {
"description": "",
"findings": {
"V-22110": "true",
"V-22111": "true",
"V-22112": "true",
"V-22113": "true",
"V-22114": "true",
"V-22115": "true",
"V-22169": "true",
"V-22172": "true",
"V-22173": "true",
"V-22174": "true",
"V-22175": "true",
"V-22176": "true",
"V-23894": "true",
"V-23895": "true",
"V-23896": "true",
"V-23919": "true",
"V-23920": "true",
"V-23921": "true",
"V-23950": "true",
"V-24176": "true",
"V-24177": "true"
},
"id": "MAC-3_Public",
"title": "III - Administrative Public"
},
"MAC-3_Sensitive": {
"description": "",
"findings": {
"V-22110": "true",
"V-22111": "true",
"V-22112": "true",
"V-22113": "true",
"V-22114": "true",
"V-22115": "true",
"V-22169": "true",
"V-22172": "true",
"V-22173": "true",
"V-22174": "true",
"V-22175": "true",
"V-22176": "true",
"V-22177": "true",
"V-23894": "true",
"V-23895": "true",
"V-23896": "true",
"V-23919": "true",
"V-23920": "true",
"V-23921": "true",
"V-23950": "true",
"V-24176": "true",
"V-24177": "true"
},
"id": "MAC-3_Sensitive",
"title": "III - Administrative Sensitive"
}
},
"slug": "removable_storage_and_external_connection_technologies",
"title": "Removable Storage and External Connection Technologies STIG",
"version": "None"
}
}