UNCLASSIFIED
Cyber Awareness Challenge 2022 Removable Media and Mobile Devices
1
UNCLASSIFIED
Removable Media and Mobile Devices
Removable media include flash media, such as thumb drives, memory sticks, and flash drives; external
hard drives; optical discs (such as CDs, DVDs, and Blu-rays); and music players (such as iPods). Other
portable electronic devices (PEDs) and mobile computing devices, such as laptops, fitness bands, tablets,
smartphones, electronic readers, and Bluetooth devices, have similar features. The same rules and
protections apply to both.
• Use only removable media approved by your organization
• Only use flash media or other removable storage when operationally necessary, owned by your
organization, and approved by the appropriate authority in accordance with policy
• Do not use any personally owned/non-organizational removable media on your organization’s
systems
• Do not use your organization’s removable media on non-organizational/personal systems
• Never plug unauthorized devices into a government system
• Be aware that wireless connections to the devices bring increased threats and vulnerabilities
• Abide by the signed End User License Agreement for mobile devices
• Understand and follow your organization’s Bring Your Own Device (BYOD) policy
Use of Removable Media and Mobile Devices
Your organization may severely restrict or prohibit the use of removable media and PEDs. Follow your
organization’s policies or contact your security POC with questions. If allowed, use appropriately:
• Do not download data from the classified networks onto removable storage media
• Encrypt data appropriately and in accordance with its classification or sensitivity level
• As a best practice, label all removable media regardless of classification or environment and avoid
inserting removable media with unknown content into your computer
• Store according to the appropriate security classification in GSA-approved storage containers
• Mark all classified and sensitive material correctly
• Ensure unclassified media in a classified environment is labeled appropriately
• Label all media containing Privacy Act information, personally identifiable information (PII), or
protected health information (PHI) appropriately regardless of environment
• Follow your organization’s policy for sanitizing, purging, discarding, and destroying removable
media
• Destroy classified removable media in accordance with its classification level