It's not NSA we should be worried about.
It's the companies who make the USB sticks, probably mostly in China.
Haha - reminds me of a friend of a co-worker who phoned him once, in distress:
He had ordered USB-sticks directly in China, with some promotional demo-app already written on them directly at the factory.
The problem: the customer (who wanted to distribute the USB-sticks) had reported back that at least one sample USB-stick was infected with a virus.
Big problem: he had ordered 19000 USB sticks, which he couldn't possibly virus-check himself.
Morale: outsourcing to China is not easy. Esp. if you need accountability.
If he'd found a local company doing this, he would have had more success in insisting on a virus-free product.
But in with the contractor in China and he in Europe, they'd just LOL at you through the phone if you "insisted" on something...