Further policy details:
In accordance with the DoD data-at-rest (DAR) policy, access control is required to protect data not approved for public release. The DoD Enterprise Software Initiative (ESI) blanket purchase agreements program requires that all products support encryption and a FIPS 140-2 password, PIN, or passphrase.
Access control can be implemented using either software or hardware. The recommended best practice is to purchase devices that include built-in security features, including on-board or hardware encryption, password management, key management, and malware protection. Several manufacturers offer drives with these features.
A German company discovered a USB thumb drive security flaw that allows an attacker, using a very simple software tool, to unlock any of the affected hardware-encrypted storage devices and bypass their access control. This exploit worked on several thumb drive models that were FIPS 140-2 validated, which shows that FIPS validation alone does not guarantee the access control is sound. Thus, it is imperative that organizations use thumb drives which are on the DAR contract.
The following DoD policies apply to access control solutions for all USB storage devices.
- Use of a password or PIN to access the encrypted storage device. Certificate-based authentication can be used but is not mandated.
- For devices with on-board access control and encryption features, the system administrator will configure these security features prior to issuance. Default PINs and passwords will be changed prior to use.
- Password and/or key management procedures will be established for systems storing mission-critical information.
Interview the site representative and perform the following procedures.
1. Inspect a sampling of the different types of USB storage devices used.
2. Verify that a password or PIN is required to gain access to the data stored on the USB device by attempting access.
Mark as a finding if a PIN or password is not set.