USB flash media may have malware installed on the drive which may adversely impact the DoD network. Even the use of approved devices does not eliminate this risk. Use of sound security practices and procedures will further mitigate this risk when using flash media.
Inspect the DAA-approved documentation of flash media procedures. Verify that the DAA or the designated Flash Media Approval Authority has established documentation on using flash media devices. Documentation must be signed by the DAA or his/her alternate and will include the following at a minimum:
1. Types of flash media (e.g., thumb drives, camera memory) that may be used in the organization under its area of responsibility and by whom.
2. Procedures for identifying, reporting, and investigating violations of the acceptable use policy.
3. Procedures for random and periodic inspections to ensure compliance.
4. Procedures for approval/disapproval of flash media use requests.
Fix Text (F-23393r2_fix)
Data transfers using USB flash media (thumb drives) will comply with the requirements in the CTO 10-084 (or most recent version) and these procedures will be documented.