Access to mobile and removable storage devices such as USB thumb drives and external hard disk drives will be protected by password, PIN, or passphrase.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-22111	STO-DRV-010	SV-25614r3_rule		High

Description
If USB media and devices are not protected by strong access control techniques, unauthorized access may put sensitive data at risk. Data-at-rest encryption products will be configured to require a user-chosen PIN prior to unencrypting the drive. Users must choose a strong PIN. Implementation of access control on persistent memory devices helps to ensure that sensitive information is accessed only by authorized and authenticated individuals. Further policy details: In accordance with the DoD data-at-rest (DAR) policy, access control is required to protect data not approved for public release. The DoD Enterprise Software Initiative (ESI) blanket purchase agreements program requires all products support encryption and a FIPS 140-2 password, PIN, or passphrase. Access control can be implemented using either software or hardware. The recommended best practice is to purchase devices that include built-in security features, including on-board or hardware encryption, password management, key management, and malware protection. Several manufacturers offer drives with these features. A USB thumb drive security vulnerability was discovered by a German company that describes a security flaw that allows an attacker to use a very simple software tool that can unlock any of the affected hardware-encrypted storage devices and bypass the access control system. This exploit worked on several thumb drive models that were FIPS 140-2 validated. The following DoD policies apply to access control solutions for all USB storage devices. - Use of password or PIN to access the encrypted storage device. Certificate-based authentication can be used but is not mandated. - For devices with on-board access control and encryption features, the system administrator will configure these security features prior to issuance. Default PINs and passwords will be changed prior to use. - Password and/or key management procedures will be established for systems storing mission-critical information.

Description

If USB media and devices are not protected by strong access control techniques, unauthorized access may put sensitive data at risk. Data-at-rest encryption products will be configured to require a user-chosen PIN prior to unencrypting the drive. Users must choose a strong PIN. Implementation of access control on persistent memory devices helps to ensure that sensitive information is accessed only by authorized and authenticated individuals. Further policy details: In accordance with the DoD data-at-rest (DAR) policy, access control is required to protect data not approved for public release. The DoD Enterprise Software Initiative (ESI) blanket purchase agreements program requires all products support encryption and a FIPS 140-2 password, PIN, or passphrase. Access control can be implemented using either software or hardware. The recommended best practice is to purchase devices that include built-in security features, including on-board or hardware encryption, password management, key management, and malware protection. Several manufacturers offer drives with these features. A USB thumb drive security vulnerability was discovered by a German company that describes a security flaw that allows an attacker to use a very simple software tool that can unlock any of the affected hardware-encrypted storage devices and bypass the access control system. This exploit worked on several thumb drive models that were FIPS 140-2 validated. The following DoD policies apply to access control solutions for all USB storage devices. - Use of password or PIN to access the encrypted storage device. Certificate-based authentication can be used but is not mandated. - For devices with on-board access control and encryption features, the system administrator will configure these security features prior to issuance. Default PINs and passwords will be changed prior to use. - Password and/or key management procedures will be established for systems storing mission-critical information.

STIG	Date
Removable Storage and External Connections Security Technical Implementation Guide	2017-09-25

Details

Check Text ( C-27094r2_chk )
Interview the site representative and perform the following procedures. 1. Inspect a sampling of the different types of USB storage devices used. 2. Verify that a password or PIN is required to gain access to the data stored on the USB device by attempting access. If a password, PIN, or passphrase are not required to gain access to the data stored on the USB device, this is a finding.