The National Institute of Standards and Technology's own policies and technical requirements on USB thumb drive security furnish other federal agencies with a de facto set of best practices. For one thing, officials at NIST, part of the Commerce Department and the federal government's lead agency on establishing information security standards, don't see the point in banning the use of storage devices such as thumb drives, despite the risks. On the contrary, they find them practical and useful for NIST's employees, many of whom are computer scientists, physicists and engineers.
"Removable media are portable, convenient and easy to use to exchange information, and prohibiting use of all removable media is not reasonable," said Carolyn Schmidt, program manager for IT security awareness, training and education in the NIST CIO office.
NIST meticulously manages the use of portable storage devices by its employees. First, it restricts their use, prohibiting personally owned removable media in systems owned or operated by the Commerce Department, Schmidt said. Employees may use only devices owned and issued by the department.
"As this can be difficult to enforce, it is imperative to make our users aware of the risks removable media impose on our internal networks and systems," she said. To this end, NIST incorporates guidance on USB thumb drives and other portable media into its annual information security training for employees and continuously generates communiqués to its staff about threats and how they can be proactive in mitigating risks.
"As an organization, we have to maintain our continuous monitoring and assessment efforts to be able to discover and recover from threats," Schmidt said.
On the technical side, NIST computers are maintained with secure configurations, with autorun and autoplay disabled on Windows machines to help prevent the spread of malicious code, and systems are kept up to date with the latest patches and antivirus signatures, she said.
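An added audit script (not code from the article or from NIST) that checks the Windows settings referred to above: it decodes the NoDriveTypeAutoRun policy bitmask for the machine and user hives, lists any drive types for which Autorun is still honoured, and checks the separate per-user AutoPlay switch. The value names and registry paths are standard Windows settings, not ones the article names.

```powershell
# Bit meanings of NoDriveTypeAutoRun: a set bit disables Autorun for that
# drive type, so 0xFF is the fully-disabled value auditors look for.
$DriveTypeBits = @{
    0x01 = 'Unknown';   0x02 = 'NoRootDirectory'; 0x04 = 'Removable (USB)'
    0x08 = 'Fixed';     0x10 = 'Network';         0x20 = 'CD-ROM/DVD'
    0x40 = 'RAM disk';  0x80 = 'Reserved'
}

function Get-AutorunMask {
    param([string]$Hive)   # 'HKLM:' or 'HKCU:'
    $Path = "$Hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $Item = Get-ItemProperty -Path $Path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $Item) { return $null }      # policy value not set in this hive
    return [int]$Item.NoDriveTypeAutoRun
}

function Test-AutorunDisabled {
    $Rows = @(foreach ($Hive in 'HKLM:', 'HKCU:') {
        $Mask = Get-AutorunMask -Hive $Hive
        if ($null -eq $Mask) {
            $MaskText = 'n/a'
            $Enabled  = 'policy value absent (Windows default applies)'
        } else {
            $MaskText = '0x{0:X2}' -f $Mask
            # A clear bit means Autorun is still honoured for that drive type.
            $Enabled  = ($DriveTypeBits.Keys | Sort-Object |
                Where-Object { -not ($Mask -band $_) } |
                ForEach-Object { $DriveTypeBits[$_] }) -join ', '
        }
        [pscustomobject]@{
            Hive = $Hive.TrimEnd(':'); Mask = $MaskText
            Compliant = ($Mask -eq 0xFF); AutorunStillEnabledFor = $Enabled
        }
    })
    # AutoPlay (the prompt offering to open inserted media) is governed separately
    # from Autorun; DisableAutoplay = 1 mirrors unticking "Use AutoPlay for all
    # media and devices" for the current user.
    $ApPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
    $Ap = Get-ItemProperty -Path $ApPath -Name DisableAutoplay -ErrorAction SilentlyContinue
    $ApOff = ($null -ne $Ap -and [int]$Ap.DisableAutoplay -eq 1)
    $Rows += [pscustomobject]@{
        Hive = 'HKCU (AutoPlay)'; Mask = $(if ($null -eq $Ap) { 'n/a' } else { [string]$Ap.DisableAutoplay })
        Compliant = $ApOff; AutorunStillEnabledFor = $(if ($ApOff) { '' } else { 'AutoPlay prompt active' })
    }
    return $Rows
}

Test-AutorunDisabled | Format-Table -AutoSize
```

A machine-level policy value takes precedence over the user hive, so an HKLM row showing 0xFF is the result that matters; the HKCU rows show what a user could change locally.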
NIST's mobile device encryption policy requires the use of encryption that meets NIST Federal Information Processing Standards (FIPS) 140-2 when storing sensitive information on removable media, according to Schmidt. FIPS 140-2, issued by NIST in 2001, qualitatively specifies security requirements for cryptographic modules in four increasingly severe levels intended to cover the wide range of potential applications and environments in which cryptographic modules might be employed:
- Level 1. The lowest level of security. Requires at least one approved algorithm but no physical security
- Level 2. Requires role-based authentication and some physical security
- Level 3. Requires identity-based authentication and tighter physical security
- Level 4. Highest level of physical security, intended to provide "a complete envelope of protection" around the module
NIST also has implemented removable-media disposal procedures that require NIST employees to drop off old portable devices in secured containers. The content of the secured containers is periodically collected and properly destroyed.
Ultimately, it's up to NIST's employees to follow such procedures and help establish a security culture at the agency that ensures that portable storage devices are used prudently, Schmidt said.
"Using removable media safely depends very heavily on our users' judgment, awareness and diligence," she said.