Title

Persistent memory USB devices are not treated as removable media and contrary to DODD 5200.1-R; the devices are not secured, transported, and sanitized in a manner appropriate for the classification level of the data they contain. (Cat II impact)

Discussion

Persistent memory USB devices can function as removable media. They have the same vulnerabilities as floppy disk but greater capacity. They will be secured, transported and sanitized as required by DODD 5200-1-R in a manner appropriate for the classification level of the data they contain. The IAO, SA, and user will ensure that persistent memory USB devices are treated as removable media and, in accordance with DODD 5200.1-R; the devices are secured, transported, and sanitized in a manner appropriate for the classification level of the data they contain.

Check Content

The reviewer will interview the IAO to verify that the policy for treating persistent memory USB devices as removable media, and in accordance with DODD 5200.1-R; the devices are secured, transported, and sanitized in a manner appropriate for the classification level of the data they contain is disseminated to all users. This would include any device with internal non-removable persistent memory not just jump drives or disk driver.

Fix Text

Disseminate the policy requiring that persistent memory USB devices will be treated as removable media and, in accordance with DODD 5200.1-R; the devices will be secured, transported, and sanitized in a manner appropriate for the classification level of the data they contain.

Additional Identifiers

Rule ID: SV-6992r1_rule

Vulnerability ID: V-6770

Group Title: USB Persistent Memory DODD 5200-1-R Treatment

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.