There is no section within the SFUG, or equivalent documentation, describing the correct usage and handling of USB technologies.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-6774	USB01.009.00	SV-6996r1_rule	PRRB-1	Medium

Description
The Security Features User Guide gives the user a single reference for information on the current general and site policies and procedures describing their security responsibilities. The lack of this reference could lead to the compromise of sensitive data. The reviewer will interview the IAO and review the relevant document. What needs to be here is a description for handling, and labeling of USB devices. Additionally an explanation of the restrictions placed on attaching non-government owned USB devices to a government owned IS and the prohibition of disguised USB jump drives.

Description

The Security Features User Guide gives the user a single reference for information on the current general and site policies and procedures describing their security responsibilities. The lack of this reference could lead to the compromise of sensitive data. The reviewer will interview the IAO and review the relevant document. What needs to be here is a description for handling, and labeling of USB devices. Additionally an explanation of the restrictions placed on attaching non-government owned USB devices to a government owned IS and the prohibition of disguised USB jump drives.

STIG	Date
VMware ESX 3 Server	2016-05-13

Details

Check Text ( C-2936r1_chk )
The reviewer will interview the IAO and review the relevant document. What needs to be here is a description for handling, and labeling of USB devices. Additionally an explanation of the restrictions placed on attaching non-government owned USB devices to a government owned IS and the prohibition of disguised USB jump drives.

Fix Text (F-6427r1_fix)
Develop, update, and distribute a SFUG section dealing with USB devices in accordance with the SPAN STIG.