
Access to mobile and removable storage devices such as USB thumb drives and external hard disk drives will be protected by password, PIN, or passphrase.


Overview

Finding ID: V-22111
Version: STO-DRV-010
Rule ID: SV-25614r3_rule
IA Controls: (none listed)
Severity: High
Description
If USB media and devices are not protected by strong access control techniques, unauthorized access may put sensitive data at risk. Data-at-rest encryption products will be configured to require a user-chosen PIN before the drive is decrypted, and users must choose a strong PIN. Implementing access control on persistent memory devices helps to ensure that sensitive information is accessed only by authorized and authenticated individuals.

Further policy details: In accordance with the DoD data-at-rest (DAR) policy, access control is required to protect data not approved for public release. The DoD Enterprise Software Initiative (ESI) blanket purchase agreements program requires that all products support encryption and a FIPS 140-2 password, PIN, or passphrase. Access control can be implemented using either software or hardware. The recommended best practice is to purchase devices that include built-in security features, including on-board or hardware encryption, password management, key management, and malware protection. Several manufacturers offer drives with these features.

A German company discovered a security flaw in several hardware-encrypted USB thumb drives: a very simple software tool could unlock any of the affected devices and bypass the access control system. This exploit worked on several thumb drive models that were FIPS 140-2 validated.

The following DoD policies apply to access control solutions for all USB storage devices:

- Use of a password or PIN to access the encrypted storage device. Certificate-based authentication can be used but is not mandated.
- For devices with on-board access control and encryption features, the system administrator will configure these security features prior to issuance. Default PINs and passwords will be changed prior to use.
- Password and/or key management procedures will be established for systems storing mission-critical information.
STIG: Removable Storage and External Connections Security Technical Implementation Guide
Date: 2017-09-25

Details

Check Text ( C-27094r2_chk )
Interview the site representative and perform the following procedures.

1. Inspect a sampling of the different types of USB storage devices used.

2. Verify that a password or PIN is required to gain access to the data stored on the USB device by attempting access.

If a password, PIN, or passphrase is not required to gain access to the data stored on the USB device, this is a finding.
Fix Text (F-23196r1_fix)
Access to mobile and removable storage devices such as USB thumb drives and external hard disk drives will be protected by password, PIN, or passphrase.