CMMC Practice MP.3.123

Prohibit the use of portable storage devices when such devices have no identifiable owner.


CMMC Version 1.02, pg. 180

Bold Coast Security Guidance

Like MP.2.121, the CMMC clarification suggests a policy- and training-driven approach to prohibiting portable storage devices that have no clear owner. Also like MP.2.121, technical solutions are available that block all but known devices, and your organization should consider them for your environment. For instance, if you use Microsoft Active Directory, you can disable the use of removable storage through Group Policy.
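One way to audit the "known devices only" approach above against an owner register, as an added example that is not code from CMMC or Bold Coast Security. It assumes endpoints report Windows USBSTOR device instance IDs and that the organization keeps a serial-to-owner register; the register, device IDs, and function names are constructed for illustration.

```python
import csv
import re

# Constructed owner register (serial -> accountable owner); not real asset data.
REGISTER_CSV = """serial,owner
4C530001230406117055,j.doe
0701234ABCDEF,
"""

# Constructed Windows USBSTOR device instance IDs, as collected from endpoints.
SEEN = [
    r"USBSTOR\Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00\4c530001230406117055&0",
    r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\0701234ABCDEF&0",
    r"USBSTOR\Disk&Ven_Generic&Prod_USB_DISK&Rev_1.00\7&1c2d3e4f&0",
    r"USBSTOR\Disk&Ven_Verbatim&Prod_STORE_N_GO&Rev_5.00\9F8E7D6C5B4A&0",
]

ID_RE = re.compile(r"^USBSTOR\\Disk&Ven_([^&]*)&Prod_([^&]*)&Rev_([^\\]*)\\(.+)$", re.I)


def load_register(text):
    """Map upper-cased serial -> owner (empty string when none is recorded)."""
    rows = csv.DictReader(text.splitlines())
    return {r["serial"].strip().upper(): (r["owner"] or "").strip() for r in rows}


def classify(instance_id, register):
    """Return (status, serial, owner) for one device instance ID."""
    m = ID_RE.match(instance_id)
    if not m:
        return ("unparsed", None, None)
    instance = m.group(4)
    # Second char '&' = Windows-generated ID: the device has no unique serial.
    if len(instance) > 1 and instance[1] == "&":
        return ("no-serial", None, None)
    serial = instance.rsplit("&", 1)[0].upper()
    if serial not in register:
        return ("unregistered", serial, None)
    owner = register[serial]
    return ("owned", serial, owner) if owner else ("no-owner", serial, None)


def violations(seen, register):
    """Devices with no identifiable owner, which the practice prohibits."""
    checked = ((dev, classify(dev, register)[0]) for dev in seen)
    return [(dev, status) for dev, status in checked if status != "owned"]


if __name__ == "__main__":
    print(*violations(SEEN, load_register(REGISTER_CSV)), sep="\n")
```

A device that is registered but has a blank owner field is reported separately from one that is missing from the register, since the first is a record-keeping gap and the second is an unknown device.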

Discussion From Source

DRAFT NIST SP 800-171 R2: Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the overall risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., insertion of malicious code).