Any device other than a keyboard, video monitor, or mouse that is connected to a KVM switch can be used regardless of the current configuration of the KVM switch. Such a peripheral device may contain persistent memory that can be used to move data between classification levels, which affects both the data that was moved and the IS to which the data was moved. When the KVM switch is connected to ISs of different classification levels, the ISSO, SA, and user will ensure that no device other than the keyboard, video monitor, or mouse is connected to the KVM switch.

If the KVM switch is configurable, the reviewer, with the help of security data verification, will attempt to change the configuration using a random password and using no password. If the reviewer is able to change the configuration with a random password or with no password, that is a finding. Note: The emphasis here is on protecting the configuration, not on the technique. If the configuration is protected by a user-ID/password connection or by DoD PKI (for network-connected KVM switches), this meets the requirement.

The use of shared group or user identifiers does not allow an action to be attributed to the original user. In the event of malicious action, this could make it impossible to prosecute. The ISSO will ensure that shared group or user identifiers are not used.

If an A/B switch is used to share a device between two or more users, there is always a risk that the device is connected to the wrong IS. An example would be a scanner that is shared by two systems by means of an A/B switch. If the user presses the scan button while the A/B switch is set to the other system, the document is scanned into the wrong system. This could lead to a compromise of sensitive data. The ISSO or SA will ensure that an A/B switch is not used to share a device between two or more users.

If the KVM switch configuration can be password protected, including ID/password or PKI combinations for network switches, create a DoD-compatible password to protect the configuration. If the KVM switch configuration cannot be password protected, including ID/password or PKI combinations for network switches, replace it with a KVM switch that either has no configuration or can protect the configuration with a password.