MARADMINS : 590/05
R 140025Z DEC 05
FM CMC WASHINGTON DC(UC)
TO AL MARADMIN(UC)
UNCLASSIFIED//
MARADMIN 590/05
MSGID/GENADMIN/CMC WASHINGTON DC C4//
SUBJ/UPDATE TO REMOVABLE SECONDARY STORAGE MEDIA DEVICE POLICY//
REF/A/MARADMIN 450-03/-/251200ZSEP2003//
REF/B/MC IA OPSTD 008/USMC HQMC C4 IA/YMD:20040811//
POC/LETTEER R.A./GS14/HQMC C4/-/TEL:DSN 223-3490/TEL:703-693-3490
/EMAIL:LETTEERRA@HQMC.USMC.MIL//
POC/RYBCZYNSKI W.H./MSGT/HQMC C4/-/TEL:DSN 223-3490/TEL:703-693-3490
/EMAIL:RYBCZYNSKIWH@HQMC.USMC.MIL//
NARR/REF A IS THE CURRENT POLICY REGARDING THE USE OF SECONDARY
STORAGE MEDIA DEVICES. REF B IS THE CURRENT MARINE CORPS
OPERATIONAL STANDARD FOR THE SECURE TRANSFER OF DATA.//
GENTEXT/REMARKS/1. ADVANCES IN SECONDARY STORAGE MEDIA DEVICES
(USB/THUMB/PEN DRIVES) REQUIRE AN UPDATE TO REFERENCE A. THIS
MARADMIN CLARIFIES CURRENT USMC INFORMATION ASSURANCE (IA)
POLICY REGARDING THE USE OF REMOVABLE FLASH MEDIA DRIVES.
THE OPERATIONAL BENEFITS OF HIGHLY PORTABLE, REUSABLE AND
REMOVABLE SECONDARY STORAGE MEDIA DEVICES ARE ACKNOWLEDGED.
THESE SAME BENEFITS INTRODUCE RISK TO THE MARINE CORPS ENTERPRISE
NETWORK (MCEN) THAT MUST BE ADDRESSED. THIS POLICY APPLIES TO ANY
DEVICE THAT CAN BE CONNECTED TO A WORKSTATION OR OTHER COMPUTING
DEVICE VIA CABLE, UNIVERSAL SERIAL BUS (USB), FIREWIRE (IEEE 1394),
OR PERSONAL COMPUTER MEMORY CARD INTERNATIONAL ASSOCIATION (PCMCIA).
2. DUE TO THE INHERENT RISK THESE SECONDARY STORAGE MEDIA DEVICES
POSE, THE LOCAL DESIGNATED APPROVING AUTHORITY (DAA) SHALL ENSURE
USB PORTS ARE DISABLED ON COMPUTING DEVICES THAT PROCESS CLASSIFIED
MATERIAL TO THE MAXIMUM EXTENT POSSIBLE. LOCAL DAA APPROVAL SHALL
BE OBTAINED, IN WRITING, WHERE USB USE IS REQUIRED FOR SPECIFIC
CLASSIFIED COMPUTING DEVICES. USB DEVICES CONNECTING TO CLASSIFIED
NETWORKS SHALL BE TREATED AS CONTROLLED ITEMS.
3. USE OR CONNECTION OF PERSONALLY OWNED REMOVABLE SECONDARY
STORAGE MEDIA DEVICES WITH ANY UNCLASSIFIED GOVERNMENT COMPUTING
DEVICE WITHOUT PRIOR WRITTEN APPROVAL OF THE LOCAL DAA IS
PROHIBITED. BEFORE ANY PERSONALLY OWNED DEVICE IS APPROVED FOR USE,
COMMAND IA PERSONNEL MUST INSPECT THE DEVICE FOR MALICIOUS CODE.
FURTHERMORE, ALL FLASH MEDIA DEVICES WHETHER PERSONAL OR GOVERNMENT
PROCURED MUST BE SCANNED FOR MALICIOUS CODE EVERY TIME THE DEVICE IS
FIRST CONNECTED.
4. GOVERNMENT-PROCURED REMOVABLE SECONDARY STORAGE MEDIA DEVICES OF
ANY CAPACITY ARE APPROVED FOR USE IN NIPRNET OR OTHER UNCLASSIFIED
COMPUTER SYSTEMS. ORGANIZATIONS ISSUING REMOVABLE SECONDARY STORAGE
MEDIA DEVICES FOR USE SHALL CONTROL THEM IN A MANNER CONSISTENT WITH
ACCOUNTABILITY OF OTHER HIGHLY PILFERABLE ITEMS WITH RESPECT TO
PERSONNEL TRANSFER OR REISSUE. ISSUING ORGANIZATIONS SHALL ALSO
CREATE A LOCAL POLICY THAT ADDRESSES BOTH THE VALUE OF THE DEVICE
AND THE STORED INFORMATION.
5. ALL REMOVABLE SECONDARY STORAGE MEDIA SHALL BE LABELED
APPROPRIATELY, BY MEANS SUCH AS STANDARD FORM (SF) 710 (1-87) OR
SF 707 (1-97), INDICATING THE HIGHEST CLASSIFICATION OR SENSITIVITY
OF THE DATA CONTAINED ON THE DEVICE. IF THE DEVICE IS TOO SMALL,
A CARD WILL BE ATTACHED TO THE MEDIA WITH THE APPROPRIATE LABEL.
ADDITIONALLY THE DEVICE WILL BE MARKED WITH A PERMANENT MARKER
INDICATING THE CLASSIFICATION LEVEL.
6. SINCE THE PUBLICATION OF REF A, ADVANCES IN FLASH MEDIA
TECHNOLOGIES ALLOW FOR PHYSICAL WRITE PROTECTION MECHANISMS.
FLASH MEDIA DRIVES THAT WILL BE USED TO TRANSFER FILES BETWEEN
UNCLASSIFIED AND CLASSIFIED SYSTEMS MUST HAVE A PHYSICAL WRITE
PROTECT SWITCH.
A. TRANSFERING FILES FROM A HIGH SYSTEM TO A LOW SYSTEM OR FROM A
LOW SYSTEM TO A HIGH SYSTEM WILL BE CONDUCTED IN ACCORDANCE WITH REF
B.
B. INTRODUCTION OF REMOVABLE FLASH DIGITAL MEDIA DEVICES TO SIPRNET
OR ANY CLASSIFIED COMPUTING DEVICES OR STORED INFORMATION WITHOUT
PHYSICAL WRITE PROTECTION WILL MAKE THE STORAGE DEVICE PERMANENTLY
CLASSIFIED AT THE SAME LEVEL AS THE SYSTEM.
C. REMOVABLE FLASH DIGITAL MEDIA DEVICES INTRODUCED TO CLASSIFIED
COMPUTING SYSTEMS CAN NO LONGER BE INTRODUCED INTO COMPUTING DEVICES
OF LOWER CLASSIFICATION WITHOUT ENSURING THE PHYSICAL WRITE PROTECT
SWITCH IS USED AS OUTLINED IN PARAGRAPH 6(A).
D. ALL PROCURED FLASH DIGITAL MEDIA DEVICES SHALL HAVE THE
CAPABILITY FOR FILE ACCESS SECURITY AND DEVICE AUTHENTICATION.
FILE SECURITY ON SUCH DEVICES MUST PROVIDE THE SAME LEVEL OF
DISCRETIONARY ACCESS CONTROL (DAC) THAT IS FOUND ON THE COMPUTER TO
WHICH IT IS CONNECTING, I.E., NTFS TO NTFS. AUTHENTICATION SHALL
BE ACTIVE AND USED AT ALL TIMES.
7. ACTION. THIS POLICY IS EFFECTIVE IMMEDIATELY. COMMANDERS WILL
ENSURE THE IMPLEMENTATION OF THIS POLICY AND THE INCLUSION OF ITS
CONTENT IN LOCAL INFORMATION ASSURANCE AND SECURITY TRAINING.//