CMMC Practice AC.2.006
Limit use of portable storage devices on external systems.
Bold Coast Security Guidance
The good news is you do not need to completely ban the use of portable storage devices, as some frameworks do, but you do need to "limit" their use.
First, you should add language to your acceptable use agreement which all users must sign defining when, where, and how portable storage devices may be used
Second, and trickier, is to technical prohibit portable storage devices where they are not permitted. There are software solutions available, often part of a device management solution which also manages updates, malware protection, and other controls.
You may also want to consider obtaining pre-approved devices, such as encrypted USB drives.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Limits on the use of organization-controlled portable storage devices in external systems include complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used. Note that while “external” typically refers to outside of the organization’s direct supervision and authority that is not always the case. Regarding the protection of CUI across an organization, the organization may have systems that process CUI and others that do not. Among the systems that process CUI there are likely access restrictions for CUI that apply between systems. Therefore, from the perspective of a given system, other systems within the organization may be considered “external" to that system.