Check: SRC-EPT-570
SRC - Remote Endpoint: SRC-EPT-570 (in version v2 r7)
Title
Encrypt sensitive data (e.g., FOUO, Privacy Act information) stored on remote access/telework clients using a whole disk encryption method. The encryption system is on the Data at Rest (DAR) approved products list or is FIPS 140-2 overall Level 1 or 2 validated (as directed by the DAA based on the sensitivity of the data). (Cat II impact)
Discussion
The July 3, 2007 DoD Policy Memorandum "Encryption of Sensitive Unclassified Data at Rest on Mobile Computing Devices and Removable Storage Media" requires that remote and mobile drives be encrypted using FIPS 140-2 modules. With a few exceptions, products must be procured from the DAR contract: DoD Components must purchase DAR encryption products to protect DoD DAR on mobile computing devices and removable storage media through the ESI or GSA SmartBuy BPAs. The exceptions are FIPS 140-2 compliant encryption products that are an integral part of another product, such as Vista BitLocker, and cryptographic modules approved by NSA (with a formal NSA Approval Letter).
Check Content
This check verifies the use of an approved encryption product to protect data on client devices used for remote access. The site should provide documentation of compliance. The site may also provide documentation that the product is on the approved Data at Rest (DAR) products list. To verify that encryption is configured on the remote endpoints, check the configuration of the operating system. If an approved product is not used, or it is not configured for use on the devices, this is a finding.
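One way to perform the operating-system configuration part of this check on a Windows client that relies on BitLocker (one of the products the discussion names). This is an added example, not part of the STIG; it assumes the BitLocker PowerShell module is available and that the reviewer runs it with administrative rights on the endpoint.

```powershell
# Added example (not from the STIG): audit a Windows remote-access client that
# relies on BitLocker for whole disk encryption. Assumes the BitLocker
# PowerShell module (Get-BitLockerVolume) is present and the session is elevated.

function Test-EndpointDiskEncryption {
    [CmdletBinding()]
    param()

    # Windows FIPS-mode policy: when enabled, BitLocker is restricted to its
    # FIPS 140-2 validated algorithm configuration.
    $fipsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $fipsMode = (Get-ItemProperty -Path $fipsKey -ErrorAction SilentlyContinue).Enabled -eq 1

    # Methods treated as non-compliant here: no encryption at all, and the
    # Elephant-diffuser variants, which are not FIPS-approved configurations.
    $nonFipsMethods = @('None', 'Aes128Diffuser', 'Aes256Diffuser')

    $results = foreach ($vol in Get-BitLockerVolume) {
        $issues = @()
        if ($vol.ProtectionStatus -ne 'On')         { $issues += "protection $($vol.ProtectionStatus)" }
        if ($vol.VolumeStatus -ne 'FullyEncrypted') { $issues += "status $($vol.VolumeStatus)" }
        if ($nonFipsMethods -contains [string]$vol.EncryptionMethod) {
            $issues += "method $($vol.EncryptionMethod)"
        }

        [pscustomobject]@{
            Volume           = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            EncryptionMethod = $vol.EncryptionMethod
            Compliant        = ($issues.Count -eq 0)
            Issues           = ($issues -join '; ')
        }
    }

    # A finding for this check: no BitLocker volumes at all (no approved product
    # configured), or any volume that is not fully protected.
    $nonCompliant = @($results | Where-Object { -not $_.Compliant })
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        FipsMode     = [bool]$fipsMode
        Volumes      = $results
        Finding      = [bool]((-not $results) -or ($nonCompliant.Count -gt 0))
    }
}

$report = Test-EndpointDiskEncryption
$report.Volumes | Format-Table Volume, VolumeType, EncryptionMethod, Compliant, Issues -AutoSize
"FIPS mode enabled: $($report.FipsMode); Finding: $($report.Finding)"
```

The report covers only the operating-system configuration; the documentation that the product is on the DAR approved products list or is FIPS 140-2 validated is still collected from the site separately.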
Fix Text
Ensure sensitive data is encrypted using an approved encryption product.
Additional Identifiers
Rule ID: SV-6815r1_rule
Vulnerability ID: V-6667
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |