
Encrypt sensitive but unclassified data when stored on a USB flash drive and external hard disk drive.


Overview

Finding ID: V-22113
Version: STO-DRV-020
Rule ID: SV-25620r2_rule
IA Controls: ECCR-1
Severity: Medium
Description
If information deemed sensitive (non-publicly releasable) by the data-owner is not encrypted when stored on removable storage media, this can lead to the compromise of unclassified sensitive data. These devices are portable and are often lost or stolen which makes the data more vulnerable than other storage devices.
STIG: Removable Storage and External Connection Technologies STIG
Date: 2011-01-18

Details

Check Text (C-27100r1_chk)
Further policy details:

1. This policy applies to USB thumb drives and external hard drives.

2. Since memory cards, cameras, and other similar technologies do not have approved encryption solutions, these devices must be used only with DAA approval. However, compliance with HBSS/DCM and other STIG requirements is still required.

3. Purchasing all USB thumb drives and USB portable hard disk drives from the ESI contract, as required by STO-DRV-005, ensures that the products are capable of implementing FIPS 140-2 validated encryption.

4. For USB thumb drives, use an on-board cryptographic module. For USB external hard disk drives, an on-board module is not mandated.

5. For USB thumb drives, use a FIPS 140-2 validated tamper-resistant and tamper-evident design with cryptographic chip protection. This feature is generally not visible on the case, so the site representative will provide the reviewer with the device documentation showing it.

6. For USB hard drives, tamper resistant features are required for drives which are used for mobile, remote, or portable storage.

Check procedure:

1. Inspect a sample of USB thumb drives and portable storage devices. If a device is authorized for use with sensitive unclassified data, verify that encryption is used.

2. Verify that the encryption product used is compliant. Ask the site representative to provide documentation that the devices used were purchased through the DoD ESI contract, as required by STO-DRV-005.

If the device was not purchased from the ESI contract, then it is not known to meet the above requirements, so mark this policy as a finding.
Fix Text (F-23202r1_fix)
Encrypt sensitive but unclassified data when stored on a USB flash drive and external hard disk drive.