MARADMIN 590/05
Date signed: 14/12/2005 MARADMIN Number: 590/05
R 140025Z DEC 05
FM CMC WASHINGTON DC(UC)
TO AL MARADMIN(UC)
UNCLASSIFIED//
MARADMIN 590/05
MSGID/GENADMIN/CMC WASHINGTON DC C4//
SUBJ/UPDATE TO REMOVABLE SECONDARY STORAGE MEDIA DEVICE POLICY//
REF/A/MARADMIN 450-03/-/251200ZSEP2003//
REF/B/MC IA OPSTD 008/USMC HQMC C4 IA/YMD:20040811//
POC/LETTEER R.A./GS14/HQMC C4/-/TEL:DSN 223-3490/TEL:703-693-3490/EMAIL:LETTEERRA@HQMC.USMC.MIL//
POC/RYBCZYNSKI W.H./MSGT/HQMC C4/-/TEL:DSN 223-3490/TEL:703-693-3490/EMAIL:RYBCZYNSKIWH@HQMC.USMC.MIL//
NARR/REF A IS THE CURRENT POLICY REGARDING THE USE OF SECONDARY STORAGE MEDIA DEVICES. REF B IS THE CURRENT MARINE CORPS OPERATIONAL STANDARD FOR THE SECURE TRANSFER OF DATA.//
GENTEXT/REMARKS/1. ADVANCES IN SECONDARY STORAGE MEDIA DEVICES (USB/THUMB/PEN DRIVES) REQUIRE AN UPDATE TO REFERENCE A. THIS MARADMIN CLARIFIES CURRENT USMC INFORMATION ASSURANCE (IA) POLICY REGARDING THE USE OF REMOVABLE FLASH MEDIA DRIVES. THE OPERATIONAL BENEFITS OF HIGHLY PORTABLE, REUSABLE AND REMOVABLE SECONDARY STORAGE MEDIA DEVICES ARE ACKNOWLEDGED. THESE SAME BENEFITS INTRODUCE RISK TO THE MARINE CORPS ENTERPRISE NETWORK (MCEN) THAT MUST BE ADDRESSED. THIS POLICY APPLIES TO ANY DEVICE THAT CAN BE CONNECTED TO A WORKSTATION OR OTHER COMPUTING DEVICE VIA CABLE, UNIVERSAL SERIAL BUS (USB), FIREWIRE (IEEE 1394), OR PERSONAL COMPUTER MEMORY CARD INTERNATIONAL ASSOCIATION (PCMCIA).
2. DUE TO THE INHERENT RISK THESE SECONDARY STORAGE MEDIA DEVICES POSE, THE LOCAL DESIGNATED APPROVING AUTHORITY (DAA) SHALL ENSURE USB PORTS ARE DISABLED ON COMPUTING DEVICES THAT PROCESS CLASSIFIED MATERIAL TO THE MAXIMUM EXTENT POSSIBLE. LOCAL DAA APPROVAL SHALL BE OBTAINED, IN WRITING, WHERE USB USE IS REQUIRED FOR SPECIFIC CLASSIFIED COMPUTING DEVICES. USB DEVICES CONNECTING TO CLASSIFIED NETWORKS SHALL BE TREATED AS CONTROLLED ITEMS.
3. USE OR CONNECTION OF PERSONALLY OWNED REMOVABLE SECONDARY STORAGE MEDIA DEVICES WITH ANY UNCLASSIFIED GOVERNMENT COMPUTING DEVICE WITHOUT PRIOR WRITTEN APPROVAL OF THE LOCAL DAA IS PROHIBITED. BEFORE ANY PERSONALLY OWNED DEVICE IS APPROVED FOR USE, COMMAND IA PERSONNEL MUST INSPECT THE DEVICE FOR MALICIOUS CODE. FURTHERMORE, ALL FLASH MEDIA DEVICES, WHETHER PERSONAL OR GOVERNMENT PROCURED, MUST BE SCANNED FOR MALICIOUS CODE EVERY TIME THE DEVICE IS FIRST CONNECTED.
4. GOVERNMENT-PROCURED REMOVABLE SECONDARY STORAGE MEDIA DEVICES OF ANY CAPACITY ARE APPROVED FOR USE IN NIPRNET OR OTHER UNCLASSIFIED COMPUTER SYSTEMS. ORGANIZATIONS ISSUING REMOVABLE SECONDARY STORAGE MEDIA DEVICES FOR USE SHALL CONTROL THEM IN A MANNER CONSISTENT WITH ACCOUNTABILITY OF OTHER HIGHLY PILFERABLE ITEMS WITH RESPECT TO PERSONNEL TRANSFER OR REISSUE. ISSUING ORGANIZATIONS SHALL ALSO CREATE A LOCAL POLICY THAT ADDRESSES BOTH THE VALUE OF THE DEVICE AND THE STORED INFORMATION.
5. ALL REMOVABLE SECONDARY STORAGE MEDIA SHALL BE LABELED APPROPRIATELY, BY MEANS SUCH AS STANDARD FORM (SF) 710 (1-87) OR SF 707 (1-97), INDICATING THE HIGHEST CLASSIFICATION OR SENSITIVITY OF THE DATA CONTAINED ON THE DEVICE. IF THE DEVICE IS TOO SMALL, A CARD WILL BE ATTACHED TO THE MEDIA WITH THE APPROPRIATE LABEL. ADDITIONALLY, THE DEVICE WILL BE MARKED WITH A PERMANENT MARKER INDICATING THE CLASSIFICATION LEVEL.
6. SINCE THE PUBLICATION OF REF A, ADVANCES IN FLASH MEDIA TECHNOLOGIES ALLOW FOR PHYSICAL WRITE PROTECTION MECHANISMS. FLASH MEDIA DRIVES THAT WILL BE USED TO TRANSFER FILES BETWEEN UNCLASSIFIED AND CLASSIFIED SYSTEMS MUST HAVE A PHYSICAL WRITE PROTECT SWITCH.
A. TRANSFERRING FILES FROM A HIGH SYSTEM TO A LOW SYSTEM OR FROM A LOW SYSTEM TO A HIGH SYSTEM WILL BE CONDUCTED IN ACCORDANCE WITH REF B.
B. INTRODUCTION OF REMOVABLE FLASH DIGITAL MEDIA DEVICES TO SIPRNET OR ANY CLASSIFIED COMPUTING DEVICES OR STORED INFORMATION WITHOUT PHYSICAL WRITE PROTECTION WILL MAKE THE STORAGE DEVICE PERMANENTLY CLASSIFIED AT THE SAME LEVEL AS THE SYSTEM.
C. REMOVABLE FLASH DIGITAL MEDIA DEVICES INTRODUCED TO CLASSIFIED COMPUTING SYSTEMS CAN NO LONGER BE INTRODUCED INTO COMPUTING DEVICES OF LOWER CLASSIFICATION WITHOUT ENSURING THE PHYSICAL WRITE PROTECT SWITCH IS USED AS OUTLINED IN PARAGRAPH 6(A).
D. ALL PROCURED FLASH DIGITAL MEDIA DEVICES SHALL HAVE THE CAPABILITY FOR FILE ACCESS SECURITY AND DEVICE AUTHENTICATION. FILE SECURITY ON SUCH DEVICES MUST PROVIDE THE SAME LEVEL OF DISCRETIONARY ACCESS CONTROL (DAC) THAT IS FOUND ON THE COMPUTER TO WHICH IT IS CONNECTING, I.E., NTFS TO NTFS. AUTHENTICATION SHALL BE ACTIVE AND USED AT ALL TIMES.
7. ACTION. THIS POLICY IS EFFECTIVE IMMEDIATELY. COMMANDERS WILL ENSURE THE IMPLEMENTATION OF THIS POLICY AND THE INCLUSION OF ITS CONTENT IN LOCAL INFORMATION ASSURANCE AND SECURITY TRAINING.//