STIGQter: STIG Summary: Removable Storage and External Connections Security Technical Implementation Guide

Version: 1

Release: 7

Benchmark Date: 27 Oct 2017

| Name | Title |
|---|---|
| SV-25612r1_rule | Require approval prior to allowing use of portable storage devices. |
| SV-25614r3_rule | Access to mobile and removable storage devices such as USB thumb drives and external hard disk drives will be protected by password, PIN, or passphrase. |
| SV-25617r2_rule | For all removable flash media and external hard disk drives, use an organization-approved method to wipe the device before using it for the first time. |
| SV-25620r3_rule | Sensitive but unclassified data must be encrypted using FIPS 140-2 validated modules when stored on a USB flash drive or external hard disk drive. |
| SV-25621r1_rule | Train all users on the secure use of removable media and storage devices, the acceptable use policy, and the approval process through use of a user's guide, user's agreement, or training program. |
| SV-25623r1_rule | Set the boot order of computers approved for use with removable storage such that the Basic Input Output System (BIOS) does not allow default booting from devices attached to a USB, FireWire, or eSATA port. |
| SV-25806r1_rule | For Wireless USB (WUSB) devices, comply with the Wireless STIG peripheral devices policy. |
| SV-25810r1_rule | Maintain a list of approved removable storage media or devices. |
| SV-25811r1_rule | Permit only government-procured and -owned devices. |
| SV-25812r1_rule | Firmware on the USB flash drive and external hard drive will be signed and verified with either a Hashed Message Authentication Code (HMAC) or digital signatures. |
| SV-25813r1_rule | Data transfers using USB flash media (thumb drives) will comply with the requirements in CTO 10-084 (or the most recent version), and these procedures will be documented. |
| SV-25814r2_rule | Install and configure the Host-Based Security System (HBSS) with the Device Control Module (DCM) on all Windows host computers that will use removable storage devices. |
| SV-25815r3_rule | For end points using Windows operating systems, removable storage devices will be restricted by a unique device identifier (e.g. serial number, device instance ID) or to specific host end points or users. |
| SV-28850r1_rule | Maintain a list of all personnel who have been authorized to use flash media. |
| SV-28851r1_rule | Maintain a list of all end point systems that have been authorized for use with flash media. |
| SV-28875r1_rule | The host system will perform on-access anti-virus and malware checking, regardless of whether the external storage or flash drive has software or hardware malware features. |
| SV-28876r2_rule | For higher-risk data transfers using flash media, use organization-approved security scanning software and disk wipe software to protect against malware and data compromise. |
| SV-28877r2_rule | Removable storage devices for which the organization has failed to maintain physical control will be scanned for malicious activity upon reclamation. |
| SV-28906r2_rule | Organizations that do not have a properly configured HBSS with DCM will not use removable storage devices. |
| SV-29816r1_rule | Configure the cryptographic module on a USB thumb drive or external hard drive using a NIST-approved encryption algorithm to encrypt sensitive or restricted data at rest. |
| SV-29818r1_rule | Use a National Security Agency (NSA)-approved, Type 1 certified data encryption and hardware solution when storing classified information on USB flash media and other removable storage devices. |