Military Lifts 15-Month Ban on Removable Media
Limits Placed on Use of Thumb Drives, Other Devices
The military has lifted its all-out ban of removable media, but will continue to have some limits on their use, including the prohibition of non-government owned devices.
"After extensive testing of mitigation measures, DoD decided to make this technology available again on a strictly controlled basis on DoD computers," Navy Vice Admiral Carl Mauney, deputy commander of the United States Strategic Command, said Friday in an e-mail response to an inquiry about lifting the ban. "Since the order restricting use of removable media, DoD developed capabilities and processes that allow safe use of these devices. Removable media use will be limited to mission-essential operations, and only after strict compliance requirements are met."
Last Friday, the military issued an internal communications tasking order announcing the lifting of the ban.
In November 2008, the military suspended the use of USB flash media and removable storage devices on all Defense Department networks, including USB thumb drives, memory sticks/cards and camera flash cards, because some Navy personnel failed to follow procedures aimed at protecting the networks from viruses and safeguarding data stored on Defense systems.
The move to restore the use of removable media wasn't a surprise. In his blog last September, Navy Chief Information Officer Robert Carey wrote that the DoD Removable Storage Media Tiger Team, led by the Defense-wide Information Assurance Program, had been coordinating policy for incorporation into future Strategic Command operational guidance on removable storage.
"We expect that a government-owned and procured USB flash media that is uniquely and electronically identifiable for use in support of mission-essential functions on DoD networks will be permitted for use by authorized individuals," Carey said at the time. "We are working on upgraded anti-virus and malware detection, alert and eradication capabilities as well as implementation of controls to deny network access to unauthorized USB flash media and revised operating procedures for scanning and cleaning flash media. Those who are authorized to use portable media devices will receive updated user training and awareness and be informed again of his/her accountability through compliance audits and inspections."
Here are the conditions the military is imposing on removable storage:
- Employing approved procedures and hardware that prevent unauthorized use and that scan, clean and wipe the devices to remove malicious software.
- Restricting use to operational mission requirements.
- Allowing only properly inventoried, government-procured and -owned devices for use in Defense Department information systems.
- Prohibiting personally owned devices on all military networks and computers.
- Banning use of DoD-procured and -owned devices on non-government networks or computers without authorization from an approval authority.
- Using flash media only as a last resort to transfer data from one location to another and only when other authorized network resources are not available.
- Subjecting randomly selected users and drives to periodic audits.
- Requiring combatant commands, services, and agencies to establish their own approval authorities for determining whether selected flash media may be used within their individual organizations.
Mauney said network administrators have the capability to monitor and audit activity on military networks, including files that may be introduced through removable devices. He said all Defense Department members are required to perform training that ensures they understand and acknowledge that all work conducted on its systems and networks is subject to monitoring.