
How to Configure Endpoint Controls for NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AC.L2-3.1.21: Blocking and Managing Portable Storage Devices

Step‑by‑step guidance for blocking and managing portable storage devices to meet NIST SP 800‑171 Rev.2 / CMMC 2.0 Level 2 AC.L2‑3.1.21, including policy, MDM/EDR configuration, allowlisting, encryption, and logging.

April 06, 2026

AC.L2‑3.1.21 requires organizations handling Controlled Unclassified Information (CUI) to block and manage portable storage devices. This post gives concrete, Compliance Framework‑aligned steps you can implement across Windows, macOS, and Linux endpoints so that a small business can meet the requirement in practice with policy, MDM/EDR configuration, allowlisting, encryption enforcement, and audit logging.

Why this control matters (Compliance Framework perspective)

Portable storage devices (USB flash drives, external HDDs, SD cards) are a common, high‑probability vector for both data exfiltration and malware introduction. From a Compliance Framework viewpoint, implementing AC.L2‑3.1.21 protects the confidentiality and integrity of CUI by removing the easy removable‑media channel, creating controlled exceptions, and ensuring that enforcement is auditable, consistent with NIST SP 800‑171 / CMMC 2.0 Level 2 objectives.

Practical implementation steps

Windows domain (Group Policy and registry)

Start with Group Policy for domain‑joined Windows endpoints: under Computer Configuration → Administrative Templates → System → Removable Storage Access, enable "All Removable Storage classes: Deny all access" (or the granular per‑class deny read/write settings as needed). Enforce BitLocker To Go under Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Removable Data Drives by enabling "Deny write access to removable drives not protected by BitLocker". As a fallback that hard‑disables the USB mass storage driver, set HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Start = 4 (SERVICE_DISABLED) via a GPO preference or startup script; this affects all USB storage, including drives you intend to allowlist, but not keyboards or mice, so do not combine it with an allowlist. For allowlisting, use Computer Configuration → Administrative Templates → System → Device Installation → Device Installation Restrictions: enable "Prevent installation of devices not described by other policy settings" and add the approved devices under "Allow installation of devices that match any of these device instance IDs". Use device instance IDs (which include the device's serial number, so each exception covers one physical device) rather than hardware IDs (which match every device of that model). Link these policies to a dedicated OU and pilot on a representative group first.

Microsoft Intune & Microsoft Defender for Endpoint

For cloud‑managed endpoints, use Intune configuration profiles: under Device Configuration → Templates → Endpoint protection, configure removable storage access to block read/write for USB storage and require BitLocker encryption for permitted drives. In Microsoft Purview Data Loss Prevention (DLP), create an endpoint policy that prevents copying or saving documents labeled as CUI to removable drives, configured either to block or to audit and notify. Defender for Endpoint and many other EDR products include a device control feature: enable a policy that blocks writes to USB mass storage by default, maintain an allowlist of device instance IDs or certificate‑signed devices, and forward device control events to your SIEM so that both blocked and allowed attempts are visible for monitoring and forensics.

macOS and Linux (Jamf, MDM, usbguard)

For macOS, use Jamf or your MDM to enforce restrictions: require FileVault and use configuration profiles to restrict external media where possible (block mounting of external volumes or require encrypted volumes). Many vendors offer agent‑based device control for macOS; use it to enforce allowlists by device serial number or vendor/product ID. On Linux, prefer a tool like usbguard (recommended) to enforce policy rather than ad‑hoc udev hacks: run 'usbguard generate-policy' to create a base policy from the devices currently attached, authorize an approved device with 'usbguard allow-device -p <device-id>' (the ID is the number shown by 'usbguard list-devices'; '-p' writes the rule to the permanent rules file instead of authorizing only the running session), and set the default target for unmatched devices to block ('ImplicitPolicyTarget=block' in /etc/usbguard/usbguard-daemon.conf). For servers where blocking isn't feasible, at minimum require LUKS encryption on any mounted external storage and audit mounts.
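A usbguard policy generator for the Linux case above, added here as an example; it is not code from the original post or from the usbguard project. It assumes a constructed inventory of approved devices, that the operator installs the output as /etc/usbguard/rules.conf, and that usbguard applies the first rule that matches a device. It requires a serial for every allowlisted device, because vendor:product alone matches every drive of that model.

```python
"""Generate a usbguard rules file that allowlists approved USB mass-storage devices,
blocks every other mass-storage device, and leaves non-storage USB devices
(keyboards, mice) alone.

Added example for the Linux portion of AC.L2-3.1.21; not code from the original post.
Assumptions: the inventory below is constructed, the output is installed as
/etc/usbguard/rules.conf, and usbguard evaluates rules top-down with the first match
deciding the device's target.
"""
import re

# usbguard 'id' attribute is vendor:product in hex; interface class 0x08 is mass storage
USB_ID_RE = re.compile(r"^[0-9a-fA-F]{4}:[0-9a-fA-F]{4}$")
MASS_STORAGE_INTERFACE = "08:*:*"

# Constructed inventory: every approved device is registered with an owner and a ticket
APPROVED_DEVICES = [
    {"id": "0781:5583", "serial": "4C530001230419100123",
     "name": "Corp Encrypted Drive 01", "owner": "eng-lab", "ticket": "TICKET-0001"},
]


def _quote(value: str) -> str:
    """usbguard string attributes are double-quoted; escape backslashes and quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def usbguard_rules(approved, allow_non_storage: bool = True) -> str:
    """Return rules text: one 'allow' per approved device, then a mass-storage 'block'.

    Each allow rule matches vendor:product AND serial, since vendor:product identifies
    a model rather than a device. Restricting the allow to the mass-storage interface
    keeps it from covering a composite device's other functions. The friendly name goes
    in a comment line, not a 'name' attribute, because usbguard's 'name' must equal the
    device's own USB product string.
    """
    lines = ["# generated removable-media policy: allowlist first, then deny mass storage"]
    for dev in approved:
        if not USB_ID_RE.match(dev["id"]):
            raise ValueError(f"bad vendor:product id {dev['id']!r} for {dev.get('name')!r}")
        if not dev.get("serial"):
            raise ValueError(f"device {dev['id']} has no serial; refusing to allowlist by model only")
        lines.append(f"# {dev['name']} ({dev['owner']}, {dev['ticket']})")
        lines.append(
            f"allow id {dev['id'].lower()} serial {_quote(dev['serial'])} "
            f"with-interface one-of {{ {MASS_STORAGE_INTERFACE} }}"
        )
    lines.append(f"block with-interface one-of {{ {MASS_STORAGE_INTERFACE} }}")
    if allow_non_storage:
        # keyboards, mice, etc. fall through to this rule; without it, unmatched devices
        # get ImplicitPolicyTarget from usbguard-daemon.conf (which should be 'block')
        lines.append("allow")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(usbguard_rules(APPROVED_DEVICES), end="")
```

After installing the generated file, keep ImplicitPolicyTarget=block in /etc/usbguard/usbguard-daemon.conf so that anything the rules do not match is blocked rather than allowed, then restart the daemon. With 'block' (rather than 'reject') the unauthorized device stays visible to usbguard, so the attempt is logged and can be reviewed like the Windows device control events above.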

Real‑world small‑business scenario

Example: a 50‑person engineering firm with a single CUI project. Start by adopting a written removable‑media policy that prohibits personal USB devices for work. Deploy in stages: begin with a pilot group of five users under a domain GPO or Intune policy that denies all removable storage and logs attempts. For the engineering lab that needs hardware‑attached storage, implement an allowlist by device instance ID with BitLocker To Go enforced; require those users to register the device IDs in the CMDB and justify the business need. Configure DLP to block writes of files matching CUI patterns to unencrypted removable drives. Send device control events to Splunk/Elastic and review them weekly for unauthorized attempts, and use an exceptions workflow for temporary, just‑in‑time access tied to approvals.

Compliance tips and best practices

Operationalize the control with the Compliance Framework in mind: document the policy, the exception workflow, and retention periods; maintain an inventory of permitted devices and the rationale for each; use least privilege and default deny; integrate policies with asset management and HR offboarding; and automate logging and alerting so that every blocked attempt produces a ticketable event. Keep it simple for end users: provide encrypted corporate USBs preconfigured with BitLocker and auto‑provisioning, and require users to request additional devices through a tracked process. Test regularly by inserting a controlled unauthorized device into test machines to validate both enforcement and logging.
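The weekly review that the scenario and the tips above call for, as an added example (not code from the original post or from any SIEM vendor): it checks constructed device-control events against a constructed CMDB inventory and flags blocked attempts, allowed access by unregistered devices, access outside a just-in-time approval window, and unencrypted writes to an approved device. The event fields and the inventory shape are assumptions, not a real product schema.

```python
"""Weekly review of endpoint device-control events against the registered-device
inventory.

Added example, not code from the original post. Assumptions: events arrive as
newline-delimited JSON with the fields used below (a constructed, vendor-neutral shape,
not any product's real schema), timestamps are ISO 8601 with a UTC offset, and the
inventory is the CMDB export of registered device instance IDs with their approval
windows (approved_until=None means a standing exception; a date means just-in-time
access that expires).
"""
import json
from datetime import datetime

# Constructed CMDB export: device instance ID -> owner, ticket, approval window
INVENTORY = {
    r"USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER&REV_1.00\4C530001230419100123&0": {
        "owner": "eng-lab", "ticket": "TICKET-0001",
        "approved_from": "2026-03-01T00:00:00+00:00", "approved_until": None},
    r"USBSTOR\DISK&VEN_KINGSTON&PROD_DT&REV_1.00\0019E06B0001&0": {
        "owner": "jdoe", "ticket": "TICKET-0042",
        "approved_from": "2026-03-30T00:00:00+00:00", "approved_until": "2026-04-01T00:00:00+00:00"},
}

# Constructed device-control events, one JSON object per line (backslashes JSON-escaped)
SAMPLE_EVENTS = r"""
{"time": "2026-04-02T09:14:03+00:00", "host": "ENG-LAB-01", "user": "asmith", "device_id": "USBSTOR\\DISK&VEN_SANDISK&PROD_CRUZER&REV_1.00\\4C530001230419100123&0", "action": "write", "result": "allowed", "encrypted": true}
{"time": "2026-04-02T11:02:47+00:00", "host": "WS-017", "user": "jdoe", "device_id": "USBSTOR\\DISK&VEN_KINGSTON&PROD_DT&REV_1.00\\0019E06B0001&0", "action": "write", "result": "allowed", "encrypted": true}
{"time": "2026-04-03T15:30:12+00:00", "host": "WS-022", "user": "bnguyen", "device_id": "USBSTOR\\DISK&VEN_GENERIC&PROD_FLASH&REV_8.07\\AA55AA55&0", "action": "write", "result": "blocked", "encrypted": false}
{"time": "2026-04-04T08:05:00+00:00", "host": "WS-009", "user": "ckim", "device_id": "USBSTOR\\DISK&VEN_GENERIC&PROD_FLASH&REV_8.07\\BB66BB66&0", "action": "write", "result": "allowed", "encrypted": false}
{"time": "2026-04-05T13:45:21+00:00", "host": "ENG-LAB-02", "user": "asmith", "device_id": "USBSTOR\\DISK&VEN_SANDISK&PROD_CRUZER&REV_1.00\\4C530001230419100123&0", "action": "write", "result": "allowed", "encrypted": false}
"""


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def classify(event: dict, inventory: dict):
    """Return (category, follow-up) for one event, or None when it needs no action."""
    if event["result"] == "blocked":
        return ("blocked_attempt",
                "policy enforced; ticket it, confirm the user was notified, check for a pending exception")
    entry = inventory.get(event["device_id"])
    if entry is None:
        return ("policy_gap",
                "unregistered device was allowed: enforcement failed or the allowlist drifted")
    when = _ts(event["time"])
    if when < _ts(entry["approved_from"]) or (
            entry["approved_until"] is not None and when >= _ts(entry["approved_until"])):
        return ("expired_exception",
                f"{entry['ticket']} window closed; remove the device ID or re-approve it")
    if event["action"] == "write" and not event.get("encrypted", False):
        return ("unencrypted_write",
                "approved device written without encryption: BitLocker To Go / FileVault / LUKS not enforced")
    return None


def review(events_text: str, inventory: dict):
    """Run classify() over every event line; return (findings, counts by category)."""
    findings, counts = [], {}
    for line in events_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        outcome = classify(event, inventory)
        if outcome is None:
            continue
        category, follow_up = outcome
        findings.append({"category": category, "time": event["time"], "host": event["host"],
                         "user": event["user"], "device_id": event["device_id"],
                         "follow_up": follow_up})
        counts[category] = counts.get(category, 0) + 1
    return findings, counts


if __name__ == "__main__":
    findings, counts = review(SAMPLE_EVENTS, INVENTORY)
    for f in findings:
        print(f"[{f['category']}] {f['time']} {f['host']} {f['user']} {f['device_id']}")
        print(f"    -> {f['follow_up']}")
    print("summary:", counts)
```

The two categories that matter most for an assessor are the ones a blocked-attempt count alone would hide: an allowed access by a device that is not in the inventory means the control is not actually enforcing the allowlist, and an allowed access after a just-in-time window closed means the exception process is not revoking what it grants. Both should produce a ticket, not just a line in a weekly report.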

Risks of not implementing AC.L2‑3.1.21

Without robust blocking and management you risk easy exfiltration of CUI (lost or stolen flash drives), malware introduction via infected media, failed audits, contract penalties, and reputational damage. For small businesses working with DoD or federal primes, a single data loss incident can lead to contract suspension, loss of future business, and expensive incident response and notification obligations. Those costs almost always exceed the incremental effort of implementing endpoint controls correctly.

Summary: To meet NIST SP 800‑171 Rev.2 / CMMC 2.0 Level 2 AC.L2‑3.1.21, combine policy, technical controls, and operational processes: block removable storage by default, allowlist explicitly and temporarily, require encryption (BitLocker To Go, FileVault, LUKS) for permitted devices, enforce DLP on endpoints, log and forward events to a SIEM, and document exception and approval workflows. Start with a pilot, use MDM/EDR tools to scale, and keep technical and compliance stakeholders aligned so that controls remain effective and auditable.

 
