CMMC Practice AC.L2-3.1.21

Limit use of portable storage devices on external systems.

Bold Coast Security Guidance

The good news is you do not need to completely ban the use of portable storage devices, as some frameworks do, but you do need to "limit" their use. First, you should add language to your acceptable use agreement which all users must sign defining when, where, and how portable storage devices may be used. Second, and trickier, is to technically prohibit portable storage devices where they are not permitted. There are software solutions available, often part of a device management solution which also manages updates, malware protection, and other controls. You may also want to consider obtaining pre-approved devices, such as encrypted USB drives.
Security Catapult

Be prepared for CMMC

Our Q&A assessment tool is designed by security advisors for MSPs and DoD contractors of all sizes.

Try now for free

Understand your gaps
Security Catapult

Understand your gaps

See compliance gaps, compliance scores and proactive security tasks in a single interface.

Try now for free

Validate NIST SP 800-171
Security Catapult

Validate NIST SP 800-171

Based on your CMMC answers, we let you know where you stand on NIST.

Try now for free

Build a plan of action
Security Catapult

Build a plan of action

Track your burn down and stay on top of security needs.

Try now for free

Build your policy
Security Catapult

Build your policy

Say goodbye to maintaining a security policy. We do it for you.

Try now for free

Discussion From Source

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 Limits on the use of organization-controlled portable storage devices in external systems include complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used. Note that while “external” typically refers to outside of the organization’s direct supervision and authority that is not always the case. Regarding the protection of CUI across an organization, the organization may have systems that process CUI and others that do not. Among the systems that process CUI there are likely access restrictions for CUI that apply between systems. Therefore, from the perspective of a given system, other systems within the organization may be considered “external" to that system.

References