DOD details strict flash drive rules

Devices no longer banned, but still controlled

The Defense Department was able to lift a ban on portable storage devices such as thumb drives because of changes to DOD computer systems that make the devices safer to use, Vice Adm. Carl Mauney, deputy commander of the U.S. Strategic Command, said today. But that doesn't mean personnel have carte blanche. DOD still maintains strict rules for the devices.

“After extensive testing of mitigation measures, DOD decided to make this technology available again on a strictly controlled basis on DOD computers,” Mauney said via e-mail. “Since the order restricting use of removable media, DOD developed capabilities and processes that allow safe use of these devices. Removable media use will be limited to mission-essential operations, and only after strict compliance requirements are met.”

The new policy, issued Feb. 12, only applies to government-procured and government-owned devices, Mauney said. Personally owned devices are still barred from all DOD networks and computers. Flash media can only be used as a last resort to transfer data from one location to another, and only when other authorized network resources are not available, he said.

Randomly selected users and drives will be subject to periodic auditing, under the new policy. Individual services and agencies will determine whether flash media may be used in their individual organizations, Mauney said.

Some in the military found the all-out ban too restrictive, according to one DOD source. The new policy is a compromise.

“This is not a return to 'business as usual,'” Mauney said. “There remain strict limitations on using these devices. Use will be permitted only in DOD computers that are in compliance with requirements for hardware that allows for safe transfer of data.”

For now, Army officials plan to keep the ban on flash drives in place, according to the Army News Service.

“We are currently conducting mission analysis in order to provide guidance for the Army's safe return of thumb drives and flash media,” officials from the Army Global Network Operations Security Center said, according to the news service.

The ban was issued in November 2008 after a virus was found to be spreading through military networks by copying itself from one removable drive to another. The ban covered all forms of USB flash media, such as thumb drives, memory sticks and cards, and camera memory cards, as well as some other removable media.

About the Author

Doug Beizer is a staff writer for Federal Computer Week.

Reader comments

Mon, Mar 1, 2010 Radagast

The best solution is no local storage. My employer requires that all data remain on network volumes at all times. We don't allow storage on local devices. Our staff don't even have full laptops, they have diskless thin clients. All their work occurs on a Citrix server farm. The only exception is the use of a USB stick for the purpose of obtaining a file from an external party (we are a government audit agency) and uploading it to the network the next time they're on their thin client. The need is rare. We use Ironkey thumb drives for this purpose, as encryption is mandatory and the devices can be centrally provisioned, deprovisioned, and even destroyed. If someone has 10 failed p/w attempts, it self destructs. If it is accessed 10 times without being attached to the internet, it self destructs. The staff also have local scanners, but they scan directly to the network. Keep all your data on the network, and there is no risk of lost data if a local device is damaged, lost or stolen.

Sun, Feb 28, 2010

Alan said: "I agree: security is #1. But can individuals who can be trusted with classified information be trusted with flash and SD cards too? It sure would make that matter more efficient." Considering that of the flash devices analyzed after being seized, a good percentage contained classified information uname/pword combo to SIPRnet, TOs, AFIs, etc... I'd say not. The average user, regardless of profession or clearance level, they simply don't understand the risk these devices pose to a network. Of the members I interviewed after a network security incident involving USB drives, many cite "need" over "consequences".

Fri, Feb 26, 2010

With numerous occurrences of spyware/malware arriving pre-installed on thumbdrives and flash media from factories in Asia... formattable digital media presents a safer starting point for file transfer. That being said, ANY storage medium has inherent risks and it falls on the shoulders of us trusted users to follow the security guidelines and safeguard government data.

Thu, Feb 25, 2010

We do a lot of work developing training for the USAF. When we take a photo of the aircraft's equipment, we download the image from the camera to a PC that is owned by our company, process the image, burn it to a CD-ROM, insert the CD into a networked military owned PC, save the image to our working databases, then drop the CD in a CD shredder. How is this safer for the systems than using an approved thumb drive?

Thu, Feb 25, 2010 Bergy

Instead of carrying a thumb or flash drive on official business trips, containing training and briefing presentations, I now carry over a dozen DVDs, properly marked, in my briefcase. Each time the presentation is updated, more DVDs are needed. I have a TS clearance and should be trusted to follow proper security procedures with a government-issued flash or thumb drive.
