UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Permit only government-procured and -owned devices.


Overview

Finding ID Version Rule ID IA Controls Severity
V-22173 STO-ALL-020 SV-25811r1_rule High
Description
Persistent memory devices (e.g., thumb drives, memory cards, external hard drives, or other removable storage devices) may contain malware installed on the drive or within the firmware. Personally- or contractor-owned devices may not be compliant with rigorous standards for encryption, anti-virus, and data wiping that is required for the use of removable storage devices in DoD. Therefore, use of personal devices in PCs attached to the network may put the network at risk.
STIG Date
Removable Storage and External Connections Security Technical Implementation Guide 2017-09-25

Details

Check Text ( C-27322r1_chk )
Further policy details:

Use of coalition-owned devices, or devices owned by another government agency, though permitted, would require DAA approval and must be essential to mission requirements.

Check procedures:

Interview the site representative and ask the following questions.
1. Are non-DoD devices, such as personally- or contractor-owned devices used for data storage and/or transfer?
2. Are these devices allowed for use with end points containing non-publicly releasable information?
3. Are these devices allowed for use with end points that (periodically or frequently) attach to networks that process non-publicly releasable information.

If personally- or contractor-owned devices are in use, this is a finding.
Fix Text (F-23389r1_fix)
Permit only government-procured and -owned devices.