Conditions of Use for Removable Media Devices
at the U.S. Naval Academy
Background
All flash-based Removable Media Devices (e.g. thumb drives, camera flash cards) were banned from the USNA network in accordance with NAVYNETWARCOM (NNWC) Computer Tasking Order 08-08. USNA has approved usage of flash-based Removable Media Devices with limitations. These limitations are to ensure the safety and security of the USNA network, while allowing the benefits of such devices to be realized. The following details the conditions of Acceptable Use:
1)Removable media devicesare to be used for authorized pedagogical, research,and administrative activities in support of the Naval Academy mission.
2)All removable media devices must be completely scanned before initial use by McAfee VirusScan Enterprise software. There may be a delay to complete the virus scan, depending on the amount of data. For assistance contact your IT representative, the Information Resource Center (IRC), or refer to the following:
3)All removable media devices must be formatted or re-formatted before initial use. Any existing data must be transferred to an alternate source, e.g. local or external hard drive. Only after the removable media device has been formatted can essential data be transferred back to the device. Miscellaneous programs that are pre-installed on the device by the manufacturer should not be used. For assistance contact your IT representative, the Information Resource Center (IRC), or refer to the following: (webpage to be created)
4)If data is to be transferred from a USNA to Non-USNA system or vice versa, e.g. home or public computer, there must be a fully updated anti-virus product installed on the Non-USNA system. In the case of home computers, McAfee Anti-Virus for Home Use can be downloaded by military and government users from be copied via CD / DVD or alternatively can be obtained free of charge from the IRC. Contract employees are ineligible for home licenses of McAfee Anti-Virus, and are prohibited from utilizing removable media devices to transfer data out of USNA.
5)Home users are encouraged to disable Autorun, which allows programs to automatically launch when a device is inserted into the computer. All Microsoft operating systems at USNA have Autorun disabled. Many viruses exploit this feature, which is native toremovable media devices. Please refer to the following for assistance: (webpage to be created)
6)No sensitive informationor illegal content shall ever be stored on a removable media device. In accordance with various USNA,Department of Defense, and Department of the Navy Directives, sensitive informationcan include but is not limited to, the following categories:
a)For Official Use Only (FOUO)
b)Privacy Act Data
c)Personally Identifiable Information (PII)
d)Unclassified Controlled Nuclear Information (UCNI)
e)Unclassified Technical Data
f)Proprietary Data
g)Foreign Government Information
h)Data Supporting Information Assurance Infrastructures
i)Telework
7)If military or government users develop a need to utilize removable media devices to move sensitive data, please send a request by email to and ITSD will assist to develop secure alternate methods.
Violations of these conditions are subject to the terms of the USNA Acceptable Use Policy. Anyone who misuses and/or abuses removable media devices will lose their privileges to use USNA IT Resources and may face conduct and/or legal issues.
Sensitive Data Definitions
References:
a)Department of Defense Directive 8500.01E, “Information Assurance,” April 23, 2007
b)Department of Navy Interim Policy for the Handling of Personally Identifiable Information (PII) , April 17, 2007
FOUO
In accordance with DoD 5400.7-R, DoD, information exempted from mandatory public disclosure under the Freedom of Information Act (FOIA).
Privacy Act Data
Any record that is contained in a system of records, as defined in Section 552a of title 5, United States Code, "The Privacy Act of 1974" and information the disclosure of which would constitute an unwarranted invasion of personal privacy.
Personally Identifiable Information (PII)
Per OMB Guidance M-06-19 on Reporting Incidents Involving PII and the DoD Guidance on Protecting PII, PII is defined as any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual.
Unclassified Controlled Nuclear Information (DoD UCNI)
Unclassified information on security measures (security plans, procedures and
equipment) for the physical protection of DoD Special Nuclear Material (SNM),
equipment, or facilities in accordance with DoD Directive 5210.83.
Information is Designated DoD UCNI when it is determined that its unauthorized
disclosure could reasonably be expected to have a significant adverse effect on the health
and safety of the public or the common defense and security by increasing significantly
the likelihood of the illegal production of nuclear weapons or the theft, diversion, or
sabotage of DoD SNM, equipment, or facilities.
Unclassified Technical Data
Data that is not classified, but is subject to export control and is withheld from public disclosure according to DoD Directive 5230.25.
Proprietary Data
Information that is provided by a source or sources under the condition that it not be released to other sources.
Foreign Government Information
Information that originated from a foreign government and that is not classified CONFIDENTIAL or higher, but must be protected in accordance with DoD 5200.1-R, "DoD Information Security Program Regulation," January 14, 1997.
Data Supporting Information Assurance Infrastructures
Collections of interrelated processes, systems, and networks that provide a continual flow of information assurance services throughout the Department of Defense, e.g., the key management infrastructure or the incident detection and response infrastructure.
Telework
Any arrangement in which an employee performs officially assigned duties at an alternative worksite on either a regular and recurring, or on an ad hoc, basis (not including while on official travel).
Compiled by ITSD Security Team Last Updated 29 Jul 09