Wednesday, May 1, 2024
Wednesday, May 1, 2024
Key Issues HADES deployment SAOC contract FORGE framework
The Pentagon's Committee on National Security Systems last month established a "National Policy on Reducing the Risk of Removable Media" like thumb drives and their ilk.
The policy memo "establishes the criteria for using removable media with National Security Systems (NSS)." Further:
Removable media are widely used and it is important to note that the essential problem is not with the media themselves, but with the inability of networks in their typical default conditions to prevent malicious code from executing. The use of removable media can be allowed on NSS, provided safeguards are employed.
Additionally:
Protecting NSS and their associated information infrastructures requires keeping pace with evolving technology and the efforts of adversaries to penetrate, disrupt, exploit, or destroy critical elements of NSS. A layered defense addressing training, technology, procedures, and personal accountability is required to manage risks to NSS that result from the use of removable media.
Following that November policy document, CNSS this month promulgated an "advisory memorandum" that "establishes additional criteria for using removable media with NSS."
To limit the threat posed by removable media, the advisory memo states:
Operators and users of NSS should begin using physical configuration, software settings, a capability such as a Host-Based Security System (HBSS) (a DoD capability designed to address exploit traffic on network hosts), or any combination of these, to disable all "write" privileges for all forms of removable media devices on NSS. Ensure all removable media is prohibited from use on all NSS workstations unless specifically authorized by appropriate authority.
CNSS "provides a forum for the discussion of policy issues, and is responsible for setting national-level Information Assurance policies, directives, instructions, operational procedures, guidance, and advisories for U.S. Government (USG) departments and agencies for the security of National Security Systems (NSS) through the CNSS Issuance System," according to the panel's website. Further:
The CNSS is directed to assure the security of NSS against technical exploitation by providing: reliable and continuing assessments of threats and vulnerabilities and implementation of effective countermeasures; a technical base within the USG to achieve this security; and support from the private sector to enhance that technical base assuring that information systems security products are available to secure NSS.