Title

Sensitive data stored on a USB device with persistent memory, that the data owner requires encryption is not encrypted using NIST-certified cryptography. (Cat II impact)

Discussion

If the data owner believes that the data requires encryption it will be encrypted when at rest. If it is not encrypted this can lead to the compromise of sensitive data. The IAO, SA, and user will ensure that all sensitive data stored on a USB device with persistent memory, if required by the data owner, is encrypted using NIST-certified cryptography.

Check Content

The reviewer will interview the IAO to verify that all sensitive data stored on a USB device with persistent memory, if required by the data owner, is encrypted using NIST-certified cryptography.

Fix Text

Establish a process that will disseminate the requirement for encrypt of sensitive data that the data owner designates as needing encryption. Also establish a process identifying which data needs to be encrypted and notifying the users that the identified data needs encryption.

Additional Identifiers

Rule ID: SV-6994r1_rule

Vulnerability ID: V-6772

Group Title: Unencrypted Sensitive Data

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.