5 FAM 1560
REMOVABLE STORAGE MEDIA
(CT:IM-218; 10-19-2018)
(Office of Origin: IRM/IA/PLT)
5 FAM 1561 BACKGROUND
(CT:IM-218; 10-19-2018)
a. Recent advances in technology have made removable storage media a source of more, and more serious, weaknesses. In addition, their small size and increasingly high storage capacity have been instrumental in the loss or theft of sensitive information from enterprise networks. Personally owned and/or procured devices may not comply with the rigorous standards for access control, encryption, anti-virus, and data wiping that are required for the use of removable storage devices in the Department. Therefore, these devices are often vectors for malicious code and can be used to exfiltrate sensitive but unclassified (SBU) and personally identifiable information (PII).
b. To address a systemic problem regarding unauthorized attempts to access the Department networks and data, this FAM establishes policy and assigns responsibilities for the use and protection of removable media storage devices.
5 FAM 1562 SCOPE
(CT:IM-218; 10-19-2018)
This policy applies to:
(1) All Department information systems (IS);
(2) All Department and non-Department employees, domestic and abroad; and
(3) All removable media devices attached using external Universal Serial Bus (USB), Firewire, or External Serial Advanced Technology Attachment (eSATA) ports to connect to Department IS. This includes devices containing either volatile or persistent (non-volatile) memory (including but not limited to thumb drives, memory sticks, camera memory cards, secure digital (SD) cards, phones, external USB hard drives, CD/DVD, MP3 players, camcorders, cameras, printers, network equipment, and other peripheral devices with storage capabilities).
5 FAM 1563 POLICY
(CT:IM-218; 10-19-2018)
a. Removable media and storage devices (e.g., USB drives) used to conduct file transfers must be approved by the IT CCB prior to use. All users should consult the approved products list via the IT CCB webpage.
b. The Department will provide a centrally managed advanced security application and device control capability to enforce the use of approved removable media devices. The capability will be configured to:
(1) Detect and evaluate endpoint compliance of each USB port in all networked information systems;
(2) Protect against malicious attacks and provide automated remediation capabilities; and
(3) Ensure access policies are configured based upon whitelisting and blacklisting by unique physical device identification:
(a) Whitelisted devices are approved by the Information Technology Configuration Control Board (ITCCB) and IRM Change Advisory Board (ICAB), and added to the exclusions list; and
(b) Blacklisted devices will be added to the blocked list.
c. All Department IS used to conduct file transfers using removable media will be configured consistent with applicable Department-approved security configuration standards. At a minimum:
(1) Approved USB media storage devices will be protected by federally approved encryption access controls to prevent unauthorized access;
(2) All IS will be configured to conduct on-access scanning of removable media devices for malware and authorized use upon introduction; and
(3) All IS approved for use with removable media will be configured to disallow default booting from devices attached to a USB or eSATA port.
5 FAM 1564 RESPONSIBILITIES
(CT:IM-218; 10-19-2018)
a. Management officials will:
(1) Assign a system owner (SO), information system security officer (ISSO), and system administrator (SA) for the respective information systems;
(2) Ensure that all users and information systems authorized to use removable storage media are identified to the assigned ISSO;
(3) Ensure all information system users are trained on the acceptable use of secure removable media and storage devices annually, and whenever technologies are updated or changed;
(4) Ensure all users conduct file transfers between information systems using removable media IAW policy in 12 FAH-10 H-700; and
(5) Validate the list of authorized users and IS on a quarterly basis, and initiate complete removal of access where it is no longer required.
b. IRM/FO/ITI/SI/IIB/ES2 will:
(1) In coordination with system administrators (SA), centrally manage the application and device control for USBs. Ensure the application and device control capability for USBs is installed and configured enterprise-wide;
(2) Ensure that removable media downloading functionality (e.g., USB port, CD writer) is disabled on all Department information systems unless an approval is granted by the ITCCB and ICAB. Exceptions must be granted by the chief information security officer; and
(3) Ensure through control policies that all unapproved removable media storage devices are prohibited from use.
c. IRM/OPS/ENM will, in coordination with IRM/FO/ITI/SI/IIB/ES2, ensure system patches are available for endpoint user devices.
d. ISSOs will:
(1) Ensure that users approved to transfer files only use ITCCB approved storage devices;
(2) Maintain a list of all users and information systems that are authorized to use removable media;
(3) Ensure that approved users perform transfers in accordance with 12 FAM 623.10, Media Protection Policy (MP-1), and 12 FAH-10 H-713, File Download Procedures; and
(4) Execute ISSO responsibilities IAW 12 FAH-10 H-712.3, File Transfers – ISSO Responsibilities.
e. System administrators (SA) will:
(1) In coordination with IRM/FO/ITI/SI/IIB/ES2, ensure the application and device control capability for USBs is installed and configured enterprise-wide; and
(2) In coordination with IRM/FO/ITI/SI/IIB/ES2, manage the application and device control for USBs within assigned organization unit (OU).
f. Users will:
(1) Perform file transfers in accordance with 12 FAH-10 H-712, File Transfers; 12 FAH-10 H-713, File Download Procedures; and 12 FAM 623.10, Media Protection Policy (MP-1); and
(2) Ensure all removable media used on Department information systems are approved for use by the IT CCB.
5 FAM 1565 POLICY COMPLIANCE
(CT:IM-218; 10-19-2018)
a. Adherence to this policy is a mandatory requirement for all Department information system users. Cybersecurity violations associated with failure to comply with established information system policies and configuration guidance are subject to disciplinary actions based upon categories identified in 12 FAM 590, Cyber Security Incident Program.
b. Any questions regarding the execution of this policy should be addressed to the assigned ISSO, Regional Security Office (RSO) abroad, or the ISSO Oversight via AskISSO@state.gov.