Title

There is no section within the SFUG, or equivalent documentation, describing the correct usage and handling of USB technologies. (Cat II impact)

Discussion

The Security Features User Guide gives the user a single reference for information on the current general and site policies and procedures describing their security responsibilities. The lack of this reference could lead to the compromise of sensitive data. The reviewer will interview the IAO and review the relevant document. What needs to be here is a description for handling, and labeling of USB devices. Additionally an explanation of the restrictions placed on attaching non-government owned USB devices to a government owned IS and the prohibition of disguised USB jump drives.

Check Content

The reviewer will interview the IAO and review the relevant document. What needs to be here is a description for handling, and labeling of USB devices. Additionally an explanation of the restrictions placed on attaching non-government owned USB devices to a government owned IS and the prohibition of disguised USB jump drives.

Fix Text

Develop, update, and distribute a SFUG section dealing with USB devices in accordance with the SPAN STIG.

Additional Identifiers

Rule ID: SV-6996r1_rule

Vulnerability ID: V-6774

Group Title: USB SFUG Section

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.