Require approval prior to allowing use of portable storage devices.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-22110	STO-ALL-010	SV-25612r3_rule	ECSC-1	High

Description
Use of unapproved devices to process non-publicly releasable data increases the risk to the network. Devices attached to or inserted into the end point's plug-and-play ports and slots can be a vector for the insertion of malware when used to access the network. Storage devices are portable and can be easily concealed. Devices with volatile memory (erased when not connected) may contain internal batteries that also pose a threat to attached systems. Requiring approval prior to use of these devices heightens awareness of the threat, limits the potential use of contaminated devices, and allows for proper tracking and control. Designated Approval Authority (DAA) approval of flash memory devices is required by the United States Cyber Command (USCYBERCOM) Communications Task Order (CTO) 10-004A Removable Flash Media Device Implementation within and between Department of Defense (DoD) Networks (U/FOUO) (or latest version of this CTO).

Description

Use of unapproved devices to process non-publicly releasable data increases the risk to the network. Devices attached to or inserted into the end point's plug-and-play ports and slots can be a vector for the insertion of malware when used to access the network. Storage devices are portable and can be easily concealed. Devices with volatile memory (erased when not connected) may contain internal batteries that also pose a threat to attached systems. Requiring approval prior to use of these devices heightens awareness of the threat, limits the potential use of contaminated devices, and allows for proper tracking and control. Designated Approval Authority (DAA) approval of flash memory devices is required by the United States Cyber Command (USCYBERCOM) Communications Task Order (CTO) 10-004A Removable Flash Media Device Implementation within and between Department of Defense (DoD) Networks (U/FOUO) (or latest version of this CTO).

STIG	Date
Removable Storage and External Connection Technologies STIG	2011-01-18

Details

Check Text ( C-27469r1_chk )
Further policy details: This policy applies to devices attached using external Universal Serial Bus (USB), Firewire, or External Serial Advanced Technology Attachment (eSATA) ports. It also applied to devices containing either volatile or persistent (non-volatile) memory (e.g., thumb drives, memory sticks, camera memory cards, external USB hard drives, MP3 players, camcorders, cameras, printers, and network equipment). Blanket approvals by type are acceptable. DAA approval is required prior to using thumb drives, memory sticks, and memory cards. DAAs may designate alternate flash media approving officials who are O-6 or equivalent. Approvers will restrict flash media approvals to mission essential requirements. Information Assurance Officer (IAO) approval is sufficient and necessary for use of externally connected hard disk drives and other persistent memory devices. This requirement also applies to devices that attach to external USB, firewire, or eSATA ports on end points attached to government systems containing non-public releasable data or attached to DoD networks. Approvers will not authorize use or purchase of removable storage devices that are disguised to look like common items such as pens or bracelets. Disguised storage devices may be easily overlooked in a spot security search. Check: 1. Verify an approval document signed by the IAO exists for the use of each type of USB device by device ID. 2. Verify an approval document signed by the DAA (or alternative approving official) exists for the use of flash drives, flash media readers, and memory cards. 3. Compare the approval documents to the device types listed on the required USB devices equipment list. NOTE: The approval document may be a blanket approval by type of device (e.g., approved use of USB keyboard and mouse throughout the organization).

Check Text ( C-27469r1_chk )

Further policy details:

This policy applies to devices attached using external Universal Serial Bus (USB), Firewire, or External Serial Advanced Technology Attachment (eSATA) ports. It also applied to devices containing either volatile or persistent (non-volatile) memory (e.g., thumb drives, memory sticks, camera memory cards, external USB hard drives, MP3 players, camcorders, cameras, printers, and network equipment). Blanket approvals by type are acceptable.

DAA approval is required prior to using thumb drives, memory sticks, and memory cards. DAAs may designate alternate flash media approving officials who are O-6 or equivalent.

Approvers will restrict flash media approvals to mission essential requirements.

Information Assurance Officer (IAO) approval is sufficient and necessary for use of externally connected hard disk drives and other persistent memory devices. This requirement also applies to devices that attach to external USB, firewire, or eSATA ports on end points attached to government systems containing non-public releasable data or attached to DoD networks.

Approvers will not authorize use or purchase of removable storage devices that are disguised to look like common items such as pens or bracelets. Disguised storage devices may be easily overlooked in a spot security search.

Check:
1. Verify an approval document signed by the IAO exists for the use of each type of USB device by device ID.

2. Verify an approval document signed by the DAA (or alternative approving official) exists for the use of flash drives, flash media readers, and memory cards.

3. Compare the approval documents to the device types listed on the required USB devices equipment list.

NOTE: The approval document may be a blanket approval by type of device (e.g., approved use of USB keyboard and mouse throughout the organization).