Update to Removable Secondary Storage Media Device Policy
This MARADMIN updates the Marine Corps policy on removable secondary storage media devices (USB/thumb/pen drives) to address security risks to the Marine Corps Enterprise Network (MCEN). The policy establishes strict controls including mandatory DAA approval for personally-owned devices, required malicious code scanning, physical write-protection requirements for devices used between classified and unclassified systems, and proper labeling and accountability procedures. The policy is effective immediately and applies to all Marines using government computing devices.
Issued: December 14, 2005
1. ADVANCES IN SECONDARY STORAGE MEDIA DEVICES (USB/THUMB/PEN DRIVES) REQUIRE AN UPDATE TO REFERENCE A. THIS MARADMIN CLARIFIES CURRENT USMC INFORMATION ASSURANCE (IA) POLICY REGARDING THE USE OF REMOVABLE FLASH MEDIA DRIVES. THE OPERATIONAL BENEFITS OF HIGHLY PORTABLE, REUSABLE AND REMOVABLE SECONDARY STORAGE MEDIA DEVICES ARE ACKNOWLEDGED. THESE SAME BENEFITS INTRODUCE RISK TO THE MARINE CORPS ENTERPRISE NETWORK (MCEN) THAT MUST BE ADDRESSED. THIS POLICY APPLIES TO ANY DEVICE THAT CAN BE CONNECTED TO A WORKSTATION OR OTHER COMPUTING DEVICE VIA CABLE, UNIVERSAL SERIAL BUS (USB), FIREWIRE (IEEE 1394), OR PERSONAL COMPUTER MEMORY CARD INTERNATIONAL ASSOCIATION (PCMCIA).

2. DUE TO THE INHERENT RISK THESE SECONDARY STORAGE MEDIA DEVICES POSE, THE LOCAL DESIGNATED APPROVING AUTHORITY (DAA) SHALL ENSURE USB PORTS ARE DISABLED ON COMPUTING DEVICES THAT PROCESS CLASSIFIED MATERIAL TO THE MAXIMUM EXTENT POSSIBLE. LOCAL DAA APPROVAL SHALL BE OBTAINED, IN WRITING, WHERE USB USE IS REQUIRED FOR SPECIFIC CLASSIFIED COMPUTING DEVICES. USB DEVICES CONNECTING TO CLASSIFIED NETWORKS SHALL BE TREATED AS CONTROLLED ITEMS.

3. USE OR CONNECTION OF PERSONALLY OWNED REMOVABLE SECONDARY STORAGE MEDIA DEVICES WITH ANY UNCLASSIFIED GOVERNMENT COMPUTING DEVICE WITHOUT PRIOR WRITTEN APPROVAL OF THE LOCAL DAA IS PROHIBITED. BEFORE ANY PERSONALLY OWNED DEVICE IS APPROVED FOR USE, COMMAND IA PERSONNEL MUST INSPECT THE DEVICE FOR MALICIOUS CODE. FURTHERMORE, ALL FLASH MEDIA DEVICES, WHETHER PERSONALLY OWNED OR GOVERNMENT PROCURED, MUST BE SCANNED FOR MALICIOUS CODE EVERY TIME THE DEVICE IS FIRST CONNECTED.

4. GOVERNMENT-PROCURED REMOVABLE SECONDARY STORAGE MEDIA DEVICES OF ANY CAPACITY ARE APPROVED FOR USE IN NIPRNET OR OTHER UNCLASSIFIED COMPUTER SYSTEMS. ORGANIZATIONS ISSUING REMOVABLE SECONDARY STORAGE MEDIA DEVICES FOR USE SHALL CONTROL THEM IN A MANNER CONSISTENT WITH THE ACCOUNTABILITY OF OTHER HIGHLY PILFERABLE ITEMS WITH RESPECT TO PERSONNEL TRANSFER OR REISSUE. ISSUING ORGANIZATIONS SHALL ALSO CREATE A LOCAL POLICY THAT ADDRESSES BOTH THE VALUE OF THE DEVICE AND THE VALUE OF THE STORED INFORMATION.

5. ALL REMOVABLE SECONDARY STORAGE MEDIA SHALL BE LABELED APPROPRIATELY, BY MEANS SUCH AS STANDARD FORM (SF) 710 (1-87) OR SF 707 (1-97), INDICATING THE HIGHEST CLASSIFICATION OR SENSITIVITY OF THE DATA CONTAINED ON THE DEVICE. IF THE DEVICE IS TOO SMALL, A CARD WILL BE ATTACHED TO THE MEDIA WITH THE APPROPRIATE LABEL. ADDITIONALLY, THE DEVICE WILL BE MARKED WITH A PERMANENT MARKER INDICATING THE CLASSIFICATION LEVEL.

6. SINCE THE PUBLICATION OF REF A, ADVANCES IN FLASH MEDIA TECHNOLOGIES ALLOW FOR PHYSICAL WRITE PROTECTION MECHANISMS. FLASH MEDIA DRIVES THAT WILL BE USED TO TRANSFER FILES BETWEEN UNCLASSIFIED AND CLASSIFIED SYSTEMS MUST HAVE A PHYSICAL WRITE PROTECT SWITCH.
A. TRANSFERRING FILES FROM A HIGH SYSTEM TO A LOW SYSTEM OR FROM A LOW SYSTEM TO A HIGH SYSTEM WILL BE CONDUCTED IN ACCORDANCE WITH REF B.
B. INTRODUCTION OF REMOVABLE FLASH DIGITAL MEDIA DEVICES TO SIPRNET OR ANY CLASSIFIED COMPUTING DEVICES OR STORED INFORMATION WITHOUT PHYSICAL WRITE PROTECTION WILL MAKE THE STORAGE DEVICE PERMANENTLY CLASSIFIED AT THE SAME LEVEL AS THE SYSTEM.
C. REMOVABLE FLASH DIGITAL MEDIA DEVICES INTRODUCED TO CLASSIFIED COMPUTING SYSTEMS CAN NO LONGER BE INTRODUCED INTO COMPUTING DEVICES OF LOWER CLASSIFICATION WITHOUT ENSURING THE PHYSICAL WRITE PROTECT SWITCH IS USED AS OUTLINED IN PARAGRAPH 6(A).
D. ALL PROCURED FLASH DIGITAL MEDIA DEVICES SHALL HAVE THE CAPABILITY FOR FILE ACCESS SECURITY AND DEVICE AUTHENTICATION. FILE SECURITY ON SUCH DEVICES MUST PROVIDE THE SAME LEVEL OF DISCRETIONARY ACCESS CONTROL (DAC) THAT IS FOUND ON THE COMPUTER TO WHICH IT IS CONNECTING, I.E., NTFS TO NTFS. AUTHENTICATION SHALL BE ACTIVE AND USED AT ALL TIMES.

7. ACTION. THIS POLICY IS EFFECTIVE IMMEDIATELY. COMMANDERS WILL ENSURE THE IMPLEMENTATION OF THIS POLICY AND THE INCLUSION OF ITS CONTENT IN LOCAL INFORMATION ASSURANCE AND SECURITY TRAINING.