Title

Unused USB ports on the KVM switch must be blocked with tamper evident seals on a KVM switch that can encapsulate and send the USB protocol over the network to the client. (Cat II impact)

Discussion

By blocking the unused USB ports on a network attached KVM switch that can encapsulate USB over IP with tamper evident seals there will be an indication if someone has attached an unauthorized USB connection to the KVM switch. When a seal is found to have been tampered with or broken, it should be investigated. The ISSO will ensure any open USB ports on the KVM switch are blocked with tamper evident seals.

Check Content

If the KVM switch can encrypt USB and send it over the network, the reviewer will view the KVM switch and verify that unused USB ports are blocked with tamper evident seals. If unused USB ports are not blocked with tamper evident seals, this is a finding.

Fix Text

Block unused USB ports on a network attached KVM switch that can encapsulate USB over IP with tamper evident seals. NSA IAD Protective Technologies has tamper evident products available for use, including seals for RJ45, D-sub, and USB ports. These can be obtained by contacting them either on NIPRNet at ptproducts@radium.ncsc.mil or on SIPRNet at ptproducts@nsa.smil.mil. When ordering, please specify that this is for use on a DoD Information System and the government use version is needed.

Additional Identifiers

Rule ID: SV-6915r3_rule

Vulnerability ID: V-6715

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.