Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-22113 | STO-DRV-020 | SV-25620r2_rule | ECCR-1 | Medium |
Description |
---|
If information deemed sensitive (non-publicly releasable) by the data-owner is not encrypted when stored on removable storage media, this can lead to the compromise of unclassified sensitive data. These devices are portable and are often lost or stolen, which makes the data more vulnerable than other storage devices. |
STIG | Date |
---|---|
Removable Storage and External Connections Security Technical Implementation Guide | 2016-12-16 |
Check Text ( C-27100r2_chk ) |
---|
Inspect a sample of USB thumb drives and portable storage devices. If a device is authorized for use with sensitive unclassified data, verify that encryption is used. This policy applies to USB thumb drives and external hard drives. Because memory cards, cameras, and similar technologies do not have approved encryption solutions, these devices must be used only with AO approval; compliance with HBSS/DCM and other STIG requirements is still required. For USB thumb drives, use an on-board cryptographic module; for USB external hard disk drives, an on-board module is not mandated. For USB thumb drives, use a FIPS 140-2 validated, tamper-resistant and tamper-evident design with cryptographic chip protection. This feature is generally not visible on the case, so the site representative will provide the reviewer with the device documentation showing it. For USB hard drives, tamper-resistant features are required for drives used for mobile, remote, or portable storage. If sensitive but unclassified data is not being encrypted using FIPS 140-2 validated modules on USB flash drives and external hard disk drives, this is a finding. |
Fix Text (F-23202r2_fix) |
---|
Encrypt sensitive but unclassified data with FIPS 140-2 validated modules when it is stored on USB flash drives and external hard disk drives. |