Configure the cryptographic module on a USB thumb drive or external hard drive using a NIST-approved encryption algorithm to encrypt sensitive or restricted data-at-rest.


Overview

Finding ID: V-24176
Version: STO-DRV-025
Rule ID: SV-29816r1_rule
IA Controls: (none listed)
Severity: Low
Description
The DoD DAR policy requires encryption for portable and mobile storage. However, even when a FIPS 140-2 validated cryptographic module is used, the implementation must be configured to use a NIST-approved algorithm. Advanced Encryption Standard (AES) is the most commonly available FIPS-approved algorithm and is required for use with USB thumb drives by CTO 10-084 (or latest version). The encryption algorithm must also be configured. Without this granular configuration, full protection of data encryption is not achieved and the data may be accessible if the drive is lost or stolen.
STIG: Removable Storage and External Connections Security Technical Implementation Guide
Date: 2016-12-16

Details

Check Text ( C-30119r1_chk )
Further policy details:
In accordance with CTO 10-084, USB thumb drives will be configured to meet the following requirements. External hard disk drives used for remote or portable storage of sensitive information must also meet these requirements unless exceptions are approved by the DAA.

1. The Random Number Generator shall follow NIST SP 800-90 or FIPS 140-2 Annex C and support the key size used for AES.

2. The USB flash drive data encryption algorithm shall be AES using the appropriate key size (128- or 256-bit key) in one of the following modes: CBC, CCM, CFB, CTR, OFB and XTS.

3. The implementation must meet FIPS 140-2 and FIPS PUB 197 and NIST SP 800-38A.

4. Must support the ability to enter a strong passphrase/password that meets FIPS 140-2 standards.

5. Firmware updates on the USB device will be signed and verified using RSA 2048 or ECDSA with P256.

6. Firmware health checks should be authenticated with either a keyed-hash Message Authentication Code (HMAC-SHA256) or a digital signature (RSA 2048 or ECDSA P256).

Check procedures:
1. Work with the site representative to view the configuration of the encryption module used with the thumb drive or external hard drive.

2. Verify that AES is selected to be used as the encryption algorithm.

3. Verify that the configuration requirements listed in the Further policy details section of this check are configured.

Mark as a finding if any of the AES configuration requirements are not selected. To provide the required level of trust, AES must be configured correctly since these settings mitigate known risks to the stored data.
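The following is an added example, not part of the STIG or any vendor's tooling, that automates check procedure steps 2 and 3 against a drive management tool's configuration export. The key=value export format, the field names (encryption_algorithm, encryption_mode, key_size_bits, rng, passphrase_required, firmware_signature, health_check_auth) and both sample exports are constructed assumptions; a real tool exports its own format, and only parse_report() would change. Requirement 3 (FIPS 140-2 / FIPS 197 / SP 800-38A conformance) is a property of the validated module itself, confirmed against its CMVP certificate rather than a configuration setting, so it is not evaluated here.

```python
import re

# Approved values taken from requirements 1, 2, 5 and 6 of the check text.
APPROVED_MODES = {"CBC", "CCM", "CFB", "CTR", "OFB", "XTS"}
APPROVED_KEY_BITS = {128, 256}
APPROVED_RNG = {"SP800-90", "FIPS140-2-ANNEX-C"}
APPROVED_SIGNATURES = {("RSA", 2048), ("ECDSA", 256)}   # RSA 2048, ECDSA P-256


def parse_report(text):
    """Parse a 'key = value' configuration export into a dict with lower-cased keys.

    The key=value layout is an assumption for this example; a real vendor tool has
    its own export format and this function is the only part that would change.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key=value line; ignore it
        cfg[key.strip().lower()] = value.strip()
    return cfg


def parse_signature_alg(value):
    """Map 'RSA-2048' -> ('RSA', 2048) and 'ECDSA-P256' -> ('ECDSA', 256); None if unrecognised."""
    m = re.fullmatch(r"(RSA|ECDSA)-?P?(\d+)", value.strip().upper())
    return (m.group(1), int(m.group(2))) if m else None


def evaluate(cfg):
    """Return a list of findings; an empty list means requirements 1, 2, 4, 5 and 6 are met."""
    findings = []

    # Requirement 1: RNG per NIST SP 800-90 or FIPS 140-2 Annex C.
    rng = cfg.get("rng", "").upper().replace(" ", "")
    if rng not in APPROVED_RNG:
        findings.append(f"RNG '{rng or 'unset'}' is not SP 800-90 or FIPS 140-2 Annex C")

    # Requirement 2: AES, 128- or 256-bit key, in one of the listed modes.
    alg = cfg.get("encryption_algorithm", "").upper()
    if alg != "AES":
        findings.append(f"encryption algorithm '{alg or 'unset'}' is not AES")
    mode = cfg.get("encryption_mode", "").upper()
    if mode not in APPROVED_MODES:
        findings.append(f"mode '{mode or 'unset'}' is not one of {sorted(APPROVED_MODES)}")
    key_bits = cfg.get("key_size_bits", "")
    if not key_bits.isdigit() or int(key_bits) not in APPROVED_KEY_BITS:
        findings.append(f"key size '{key_bits or 'unset'}' is not 128 or 256 bits")

    # Requirement 4: a passphrase must be required to unlock the drive.
    if cfg.get("passphrase_required", "").lower() not in {"yes", "true", "1"}:
        findings.append("passphrase is not required to unlock the drive")

    # Requirement 5: firmware updates signed with RSA 2048 or ECDSA P-256.
    fw_raw = cfg.get("firmware_signature", "")
    if parse_signature_alg(fw_raw) not in APPROVED_SIGNATURES:
        findings.append(f"firmware signature '{fw_raw or 'unset'}' is not RSA-2048 or ECDSA-P256")

    # Requirement 6: health checks authenticated with HMAC-SHA256 or an approved signature.
    health = cfg.get("health_check_auth", "").upper()
    if health != "HMAC-SHA256" and parse_signature_alg(health) not in APPROVED_SIGNATURES:
        findings.append(f"health check authentication '{health or 'unset'}' is not HMAC-SHA256, RSA-2048 or ECDSA-P256")

    return findings


def check_report(text):
    """Return (compliant, findings) for one configuration export."""
    findings = evaluate(parse_report(text))
    return (len(findings) == 0, findings)


# Constructed sample exports (not real vendor output).
COMPLIANT_REPORT = """\
# drive management tool export (constructed sample)
encryption_algorithm = AES
encryption_mode = XTS
key_size_bits = 256
rng = SP800-90
passphrase_required = yes
firmware_signature = ECDSA-P256
health_check_auth = HMAC-SHA256
"""

NONCOMPLIANT_REPORT = """\
encryption_algorithm = AES
encryption_mode = ECB
key_size_bits = 192
rng = vendor-proprietary
passphrase_required = no
firmware_signature = RSA-1024
health_check_auth = CRC32
"""

if __name__ == "__main__":
    for name, report in (("compliant", COMPLIANT_REPORT), ("non-compliant", NONCOMPLIANT_REPORT)):
        ok, findings = check_report(report)
        print(f"{name}: {'PASS' if ok else 'FINDING'}")
        for f in findings:
            print("  -", f)
```

Every unmet requirement produces its own finding rather than stopping at the first, which matches the check text's instruction to mark a finding if any of the AES configuration requirements is not selected and gives the reviewer the full list to hand back to the site representative. The second sample shows the failure modes most worth catching: AES is selected but in ECB (not in the approved list), with a 192-bit key (not 128 or 256), a proprietary RNG, no passphrase, RSA-1024 firmware signing and an unauthenticated CRC on health checks.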
Fix Text (F-26927r1_fix)
Configure the cryptographic module on a USB thumb drive or external hard drive using a NIST-approved encryption algorithm to encrypt sensitive or restricted data-at-rest.