Title

There is no document instructing users that USB devices be powered off for at least 60 seconds prior to being connected to an IS. (Cat III impact)

Discussion

Because USB devices that contain only volatile memory are designed to withstand minor fluctuations in power they contain some means of maintaining memory for short power interruptions. Users need to ensure that USB devices remain without power for at least 60 seconds when disconnecting them from one IS, and connecting to a different IS to make sure enough time passes for all power to dissipate and the memory erased. The IAO will ensure that the SFUG or an equivalent document requires that all USB devices be powered off for at least 60 seconds prior to being connected to an IS.

Check Content

The reviewer will interview the IAO and view the SFUG, or equivalent documentation, to verify that it is documented that users should remove all power from a USB device when it is moved from one IS to another for at least 60 seconds to allow all power to dissipate and the memory to erase.

Fix Text

Update the SFUG, or an equivalent document, to include this information.

Additional Identifiers

Rule ID: SV-6986r1_rule

Vulnerability ID: V-6764

Group Title: USB Poweroff Directive in SFUG

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.