| V-22110 | High | Require approval prior to allowing use of portable storage devices. | Use of unapproved devices to process non-publicly releasable data increases the risk to the network. Devices attached to or inserted into the end point's plug-and-play ports and slots can be a... |
| V-24177 | High | Use a National Security Agency (NSA)-approved, Type 1 certified data encryption and hardware solution when storing classified information on USB flash media and other removable storage devices. | The exploitation of this vulnerability will directly and immediately result in loss of, unauthorized disclosure of, or access to classified data or materials. An NSA-approved, Type 1 solution... |
| V-22115 | High | Set boot order of computers approved for use with removable storage such that the Basic Input Output System (BIOS) does not allow default booting from devices attached to a USB, firewire, or eSATA port. | If the BIOS is left set to allow the end point to boot from a device attached to the USB, firewire, or eSATA port, an attacker could use a USB device to force a reboot by either performing a... |
| V-22173 | High | Permit only government-procured and -owned devices. | Persistent memory devices (e.g., thumb drives, memory cards, external hard drives, or other removable storage devices) may contain malware installed on the drive or within the firmware.... |
| V-22111 | High | Access to mobile and removable storage devices such as USB thumb drives and external hard disk drives will be protected by password, PIN, or passphrase. | If USB media and devices are not protected by strong access control techniques, unauthorized access may put sensitive data at risk. Data-at-rest encryption products will be configured to require a... |
| V-22113 | Medium | Sensitive but unclassified data must be encrypted using FIPS 140-2 validated modules when stored on a USB flash drive and external hard disk drive. | If information deemed sensitive (non-publicly releasable) by the data-owner is not encrypted when stored on removable storage media, this can lead to the compromise of unclassified sensitive data.... |
| V-23919 | Medium | The host system will perform on-access anti-virus and malware checking, regardless of whether the external storage or flash drive has software or hardware malware features.
| Like the traditional hard drive, removable storage devices and media may contain malware which may threaten DoD systems to which they eventually directly or indirectly attach. To mitigate this... |
| V-22176 | Medium | Install and configure Host-Based Security System (HBSS) with Device Control Module (DCM) on all Windows host computers that will use removable storage devices. | Because of the innate security risks involved with using removable storage devices (flash drives, thumb drives, disk drives, etc.), an access control and authorization method is needed. DCM... |
| V-23950 | Medium | Organizations that do not have a properly configured HBSS with DCM configuration will not use removable storage devices. | Because of the innate security risks involved with using removable storage devices (flash drives, thumb drives, disk drives, etc.), an access control and authorization method is needed. DCM... |
| V-22112 | Medium | For all removable flash media and external hard disk drives, use an organization-approved method to wipe the device before using for the first-time. | Removable media often arrives from the vendor with many files already stored on the drive. These files may contain malware or spyware which present a risk to DoD resources. |
| V-23920 | Medium | For higher risk data transfers using thumb drives, use the File Sanitization Tool (FiST) with Magik Eraser (ME) to protect against malware and data compromise. | These NSA-approved tools are built upon the Assured File Transfer guard, which is an approved Unified Cross Domain Management Office (UCDMO) file transfer Cross Domain Solution. Use of these tools... |
| V-23921 | Medium | Removable storage devices for which the organization has failed to maintain physical control will be scanned for malicious activity upon reclamation. | Failure to maintain proper control of storage devices used in sensitive systems may mean that the firmware or other files could have been compromised. Action is needed to scan for malicious code.... |
| V-22169 | Medium | For Wireless USB (WUSB) devices, comply with the Wireless STIG peripheral devices policy.
| The use of unauthorized wireless devices can compromise DoD computers, networks, and data. The receiver for a wireless end point provides a wireless port on the computer that could be attacked by... |
| V-22177 | Medium | For end points using Windows operating systems, removable storage devices will be restricted by a unique device identifier (e.g. serial number, device instance ID) or to specific host end points or users. | Because of the innate security risks involved with using removable storage devices (e.g., flash drives, thumb drives, external solid state disk drives, etc.), users must follow required access... |
| V-22175 | Medium | Data transfers using USB flash media (thumb drives) will comply with the requirements in the CTO 10-084 (or most recent version) and these procedures will be documented. | USB flash media may have malware installed on the drive which may adversely impact the DoD network. Even the use of approved devices does not eliminate this risk. Use of sound security practices... |
| V-24176 | Low | Configure the cryptographic module on a USB thumb drive or external hard drive using a NIST-approved encryption algorithm to encrypt sensitive or restricted data-at-rest. | The DoD DAR policy requires encryption for portable and mobile storage. However, even when a FIPS140-2 validated cryptographic module is used, the implementation must be configured to use a... |
| V-23895 | Low | Maintain a list of all end point systems that have been authorized for use with flash media. | Many USB persistent memory devices are portable and easily overlooked. They may be used as a vector for exfiltrating data. To help mitigate this risk, end points must be designated as properly... |
| V-22114 | Low | Train all users on the secure use of removable media and storage devices, acceptable use policy, and approval process through use of user's guide, user's agreement, or training program. | Written user guidance gives the users a place to learn about updated guidance on user responsibilities for safeguarding DoD information assets. Most security breaches occur when users violate... |
| V-22174 | Low | Firmware on the USB flash drive and external hard drive will be signed and verified with either Hashed Message Authentication Code (HMAC) or digital signatures. | Several security incidents have occurred when the firmware on devices contained malware. For devices used to store or transfer sensitive information, if the firmware is signed, then this provides... |
| V-22172 | Low | Maintain a list of approved removable storage media or devices. | Many persistent memory media or devices are portable, easily stolen, and contain sensitive data. If these devices are lost or stolen, it may take a while to discover that sensitive information has... |
| V-23894 | Low | Maintain a list of all personnel that have been authorized to use flash media. | Many USB flash media devices are portable, easily stolen, and may be used to temporarily store sensitive information. If these devices are lost or stolen, it will assist the investigation if... |
