Title

USB devices are attached to a DoD IS without prior IAO approval. (Cat II impact)

Discussion

The IAO needs to be aware of what type of USB devices are being attached to DoD ISs and needs to stop prohibited devices from being attached. By requiring the IAO to approve the USB devices the IAO will be informed. The IAO or SA will ensure that no USB device is attached to a DoD IS unless approved by the IAO.

Check Content

The reviewer will interview the IAO or SA to verify that prior approval by the IAO is required before USB devices are attached to DoD ISs and that this policy is disseminated to all users.

Fix Text

The IAO will know that approval by the IAO is required before USB devices are attached to DoD ISs and the IAO will ensure that this policy is disseminated to all users.

Additional Identifiers

Rule ID: SV-6988r1_rule

Vulnerability ID: V-6766

Group Title: USB Devices Without Prior Approval

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.