The USB usage section of the SFUG, or equivalent document, does not contain a discussion of the devices that contain persistent non-removable memory.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-6775	USB01.010.00	SV-6997r1_rule	PRRB-1	Low

Description
Without a discussion of tthe devices that contain persistent non-removable memory, an uninformed user can mistakenly attach such a device to an IS leading to the denial of service caused by an infection of the IS and possibly the network with malicious code. Additionally the user might compromise sensitive data thinking that removal of a memory card removed all the persistent memory within a device. The IAO will ensure that the USB usage section of the SFUG contains a discussion of the devices that contain persistent non-removable memory.

Description

Without a discussion of tthe devices that contain persistent non-removable memory, an uninformed user can mistakenly attach such a device to an IS leading to the denial of service caused by an infection of the IS and possibly the network with malicious code. Additionally the user might compromise sensitive data thinking that removal of a memory card removed all the persistent memory within a device. The IAO will ensure that the USB usage section of the SFUG contains a discussion of the devices that contain persistent non-removable memory.

STIG	Date
VMware ESX 3 Server	2016-05-13

Details

Check Text ( C-2937r1_chk )
The reviewer will interview the IAO and review the relevant documentation. The discussion should point out that with some devices it may not be obvious that it contains persistent non-removable memory and that, if there is a doubt, it will be treated as if it contains persistent memory.

Fix Text (F-6428r1_fix)
Develop, update, and distribute a SFUG section on USB devices that discusses devices that may contain persistent non-removable memory in accordance with the SPAN STIG.