NIST SP 800-171 / CMMC 2.0 AC.L2-3.1.21 requires organizations handling Controlled Unclassified Information (CUI) to limit or block the use of portable storage devices and prevent movement of sensitive data to external systems — this post shows practical endpoint-security steps small businesses can implement to meet that requirement within a Compliance Framework context.
Implementation overview for Compliance Framework
Start with a layered approach: (1) policy and inventory — define where CUI may reside, which endpoints are in-scope and whether any portable storage is ever allowed; (2) technical controls — enforce device control, encryption and MDM/EDR policies on in-scope endpoints; (3) monitoring and exceptions — log device activity, review alerts and maintain an approvals process for exceptions. These align with common Compliance Framework practice requirements (risk assessment, control implementation, continuous monitoring) and are practical for small businesses.
Windows endpoints: Group Policy, Intune and Defender configuration
For Windows desktops/laptops, use Group Policy or Microsoft Intune (Endpoint Manager) plus Defender for Endpoint or a third‑party EDR with device-control to enforce the rule. Key settings to apply: (a) GPO: Computer Configuration → Administrative Templates → System → Removable Storage Access — Deny read/write/execute as required; (b) BitLocker: Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Removable Data Drives → Enable “Deny write access to removable drives not protected by BitLocker” so only encrypted (approved) devices are writable; (c) Intune: create a Device Configuration profile under Device restrictions to block removable storage or restrict writes; (d) PowerShell to enforce registry write-protect where needed: New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies" -Force; Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies" -Name "WriteProtect" -Value 1 -Type DWord. Combine these with your EDR’s device-control feature to block USB mass storage IDs and to allowlist approved serials if absolutely required.
macOS and Linux endpoints: MDM and host controls
On macOS, use an MDM (Jamf, Intune for macOS) and an endpoint agent (CrowdStrike, SentinelOne, or DLP agent) to block external storage. Modern EDRs include device control that prevents mounting unapproved USB storage. For Linux workstations/servers, use usbguard or udev rules to restrict or block USB-storage class devices, and set mount options (noexec,nodev,nosuid) for auto-mounted devices; example with usbguard: install usbguard and configure its policy to default-deny unknown devices and explicitly allow only approved device fingerprints. Always combine with full-disk encryption on mobile endpoints and file-system encryption for removable device content when allowed.
Data Loss Prevention (DLP), EDR integration and handling external systems
Endpoint device control should be closely integrated with a DLP solution to catch attempts to copy CUI to removable media or to upload it to cloud services from an external or unmanaged system. Configure DLP rules to block copy/write operations to removable storage on in-scope endpoints and to block use of corporate credentials on unmanaged devices. For external systems (contractor machines or personal devices), rely on network segmentation and NAC (e.g., Aruba ClearPass, Cisco ISE) to prevent unmanaged endpoints from accessing internal CUI repositories — require device compliance posture (MDM enrollment, patch level, disk encryption) before access is allowed.
Real-world small business scenarios and practical steps
Example 1: A small engineering firm (20 users) that stores drawings containing CUI can implement Intune + Defender for Endpoint: create a device-compliance policy, deploy a Device Restriction profile to block removable storage write access, enforce BitLocker and require Defender EDR. Example 2: A 10-person legal practice with mixed macOS/Windows can deploy Jamf for Macs, Intune for Windows, and a cloud DLP (Microsoft Purview or third‑party) to block external USB writes and enforce cloud upload controls. Practical steps: inventory endpoints, classify CUI locations (file shares, SharePoint, local folders), deploy block-by-default policies, whitelist specific device fingerprints only after documented business justification, and test policies on a pilot group before organization-wide rollout.
Compliance tips and best practices
Keep these best practices when implementing AC.L2-3.1.21: (1) Policy first — update your acceptable-use and BYOD policy to explicitly address portable storage and external systems; (2) Least privilege — only allow write access when a documented business need exists; (3) Approved devices — if you must allow removable media, require company-issued, BitLocker To Go–encrypted devices with endpoint agent installed; (4) Logging and retention — ensure endpoint logs and DLP alerts are forwarded to your SIEM and retained per your compliance retention policy; (5) Exception workflow — maintain a formal exception request and approval record; (6) Test — verify policies on different OS versions and with real devices to avoid business disruption.
Risks of not implementing the control
Failing to limit or block portable storage and external-system transfers increases the risk of unauthorized exfiltration of CUI, malware introduction via USB, and accidental leakage to unmanaged devices or cloud services — all of which can lead to contract breaches, regulatory penalties, reputational damage and loss of competitive advantage. In a Compliance Framework audit, a lack of technical enforcement, logging and exception controls will commonly be cited as a major deficiency.
Summary: To meet NIST SP 800-171 / CMMC 2.0 AC.L2-3.1.21 in a small-business environment, combine clear policies, MDM/Group Policy enforcement, device-control via EDR/DLP, network access controls and continuous monitoring; prefer deny-by-default and require approved, encrypted devices for any allowed portable storage — and document exception workflows and audit trails to demonstrate compliance.
