Tougher security standards coming for removable storage devices

Contract modifications would require protection against worms and viruses, along with stronger encryption requirements.

A federal interagency group responsible for data encryption policy and acquisition efforts is considering changes to existing technology contracts to incorporate tougher security requirements for removable storage devices such as thumb drives and handheld devices, a Defense Department program manager confirmed on Thursday.

A list of approved removable storage products that meet minimum security standards should be released to agencies any day, according to a source in the federal information technology industry.

A dozen IT contracts agencies use to buy software that encrypts information on mobile-computing and removable-storage devices, such as thumb drives and CD-ROMs, could be changed to include anti-malware protection, said Dave Hollis, director of cyberspace programs for Defense's Information Assurance Program and the Data-at-Rest Tiger Team.

Defense formed the tiger team to implement a policy requiring the department to protect sensitive, unclassified information on mobile devices and removable storage. This information is typically referred to as "data at rest." The group manages 12 blanket purchase agreements in partnership with Defense's Enterprise Software Initiative and the General Services Administration's SmartBuy program, and provides acquisition services to state and local agencies.

The tiger team "is currently evaluating several vendor-proposed BPA contract modifications that include [removable storage management] as part of the normal technology refresh/upgrade process," Hollis said. Several of the removable storage management upgrades "include anti-malware capabilities in addition to a requirement to meet [data at rest] encryption technical requirements."

He added that the team has not approved any of the contract modifications, nor has Defense decided on policy changes.

The department included requirements to refresh or upgrade technology in the five-year agreements, which were awarded in June 2007.

The tightening of security comes in the wake of Defense's November 2008 temporary ban on the use of thumb drives and other removable storage devices on its networks because of concerns that some devices were infected with viruses.

"What we [in industry] were told is that by the end of January, there will be a new approved list of removable media that incorporates anti-malware and encryption key management," said Dave Jevans, chief executive officer of IronKey, a manufacturer of flash drives. Encryption key management allows administrators to control who can decode information on an attached storage device.

Examples of anti-malware functions include the ability to disable AutoRun, the Microsoft Windows feature that automatically launches programs it detects on newly attached media; to run an internal scan that checks a mobile or storage device for malicious code and deletes it; and to disable a read-only mode that locks data on a device whenever it is attached to an unauthorized computer.

These standards "will be adopted as best practices," Jevans said. "There are already some [agencies] that are making buying decisions based on what they expect will most likely become a requirement."

The tiger team policies likely will influence the National Security Agency to establish a baseline for securing removable storage devices. That baseline eventually could be accepted as an international standard.

"It's not like this is only happening here," Jevans said. "These malware [attacks] are some of the fastest spreading ever. Worms are based on previous worms that are based on previous worms. Enforcing policy to address the [risk] is going to take a long time because of the complexity."