STIGQter: STIG Summary: Removable Storage and External Connections Security Technical Implementation Guide Version: 1 Release: 7 Benchmark Date: 27 Oct 2017: Require approval prior to allowing use of portable storage devices.

DISA Rule

SV-25612r1_rule

Vulnerability Number

V-22110

Group Title

STO-ALL-010 Approval for use

Rule Version

STO-ALL-010

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Require approval prior to allowing use of portable storage devices.

Check Contents

Further policy details:

This policy applies to devices attached using external Universal Serial Bus (USB), FireWire, or External Serial Advanced Technology Attachment (eSATA) ports. It also applies to devices containing either volatile or persistent (non-volatile) memory (e.g., thumb drives, memory sticks, camera memory cards, external USB hard drives, MP3 players, camcorders, cameras, printers, and network equipment). Blanket approvals by type are acceptable.

DAA approval is required prior to using thumb drives, memory sticks, and memory cards. DAAs may designate alternate flash media approving officials who are O-6 or equivalent.

Approvers will restrict flash media approvals to mission essential requirements.

Information Assurance Officer (IAO) approval is sufficient and necessary for use of externally connected hard disk drives and other persistent memory devices. This requirement also applies to devices that attach to external USB, FireWire, or eSATA ports on endpoints attached to government systems containing non-public releasable data or attached to DoD networks.

Approvers will not authorize use or purchase of removable storage devices that are disguised to look like common items such as pens or bracelets. Disguised storage devices may be easily overlooked in a spot security search.

Check:
1. Verify an approval document signed by the IAO exists for the use of each type of USB device by device ID.

2. Verify an approval document signed by the DAA (or alternative approving official) exists for the use of flash drives, flash media readers, and memory cards.

3. Compare the approval documents to the device types listed on the required USB devices equipment list.

NOTE: The approval document may be a blanket approval by type of device (e.g., approved use of USB keyboard and mouse throughout the organization).

Documentable

False

Severity Override Guidance

Check Content Reference

M

Responsibility

Designated Approving Authority

Target Key

1747

Comments