
DoD components will purchase removable storage media and Data at Rest (DAR) products from the DoD Enterprise Software Initiative (ESI) blanket purchase agreements program.


Overview

Finding ID | Version | Rule ID | IA Controls | Severity
V-23896 | STO-DRV-005 | SV-28852r1_rule | ECSC-1 | Low
Description
The DoD Policy Memorandum "Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage Media" requires that remote and mobile drives be encrypted using FIPS 140-2 modules. With a few exceptions, products must be procured from the DAR contract. DoD components must purchase DAR encryption products to protect DoD DAR on mobile computing devices and removable storage media through the ESI or GSA SmartBuy BPAs. Exceptions apply when the encryption product is FIPS 140-2 compliant and is included as an integral part of another product, such as Vista BitLocker, or when the cryptographic modules are approved by NSA (with a formal NSA Approval Letter).
STIG Date
Removable Storage and External Connection Technologies STIG 2011-01-18

Details

Check Text (C-29519r1_chk)
Verify use of the DAR contract for purchase of removable storage devices. The site representative may provide documentation that the product is on the approved DAR products list.

The list of approved flash media can be obtained from the USCYBERCOM website: https://www.jtfgno.mil/.


Fix Text (F-26585r1_fix)
DoD components will purchase removable storage media and DAR products from the DoD ESI blanket purchase agreements program.