Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-22173 | STO-ALL-020 | SV-25811r1_rule | High |
Description |
---|
Persistent memory devices (e.g., thumb drives, memory cards, external hard drives, or other removable storage devices) may contain malware installed on the drive or within the firmware. Personally- or contractor-owned devices may not be compliant with rigorous standards for encryption, anti-virus, and data wiping that is required for the use of removable storage devices in DoD. Therefore, use of personal devices in PCs attached to the network may put the network at risk. |
STIG | Date |
---|---|
Removable Storage and External Connections Security Technical Implementation Guide | 2017-09-25 |
Check Text ( C-27322r1_chk ) |
---|
Further policy details: Use of coalition-owned devices, or devices owned by another government agency, though permitted, would require DAA approval and must be essential to mission requirements. Check procedures: Interview the site representative and ask the following questions. 1. Are non-DoD devices, such as personally- or contractor-owned devices used for data storage and/or transfer? 2. Are these devices allowed for use with end points containing non-publicly releasable information? 3. Are these devices allowed for use with end points that (periodically or frequently) attach to networks that process non-publicly releasable information. If personally- or contractor-owned devices are in use, this is a finding. |
Fix Text (F-23389r1_fix) |
---|
Permit only government-procured and -owned devices. |