Sensitive data stored on a USB device with persistent memory, that the data owner requires encryption is not encrypted using NIST-certified cryptography.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-6772 | USB01.007.00 | SV-6994r1_rule | Medium |
| Description |
|---|
| If the data owner believes that the data requires encryption it will be encrypted when at rest. If it is not encrypted this can lead to the compromise of sensitive data. The IAO, SA, and user will ensure that all sensitive data stored on a USB device with persistent memory, if required by the data owner, is encrypted using NIST-certified cryptography. |
| STIG | Date |
|---|---|
| VMware ESX 3 Server | 2016-05-13 |
Details
| Check Text ( C-2934r1_chk ) |
|---|
| The reviewer will interview the IAO to verify that all sensitive data stored on a USB device with persistent memory, if required by the data owner, is encrypted using NIST-certified cryptography. |
| Fix Text (F-6425r1_fix) |
|---|
| Establish a process that will disseminate the requirement for encrypt of sensitive data that the data owner designates as needing encryption. Also establish a process identifying which data needs to be encrypted and notifying the users that the identified data needs encryption. |