
How to Configure MDM and DLP to Meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 Control MP.L2-3.8.8 and Prevent Unowned USB Use

Step-by-step guidance to use MDM and Endpoint DLP to enforce removable-media controls (MP.L2-3.8.8) and block unowned USB devices to protect CUI and meet NIST SP 800-171 / CMMC 2.0 requirements.

April 06, 2026

Controlling removable media and preventing the use of unowned USB devices is a core requirement of NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 (MP.L2-3.8.8); this post shows practical, vendor-agnostic steps for combining Mobile Device Management (MDM) and Endpoint Data Loss Prevention (DLP) to meet that control in a small-business environment.

What MP.L2-3.8.8 (Removable Media Control) requires and the Compliance Framework angle

At a high level the control requires organizations to limit and monitor use of removable media (including USB storage) so that Controlled Unclassified Information (CUI) is not unintentionally exposed or exfiltrated. For Compliance Framework practice you must translate that into documented technical policies, an SSP (System Security Plan) entry, implementation evidence (device configs, logs), and a POA&M for any exceptions.

Architectural approach: MDM + Endpoint DLP working together

The practical, defense-in-depth architecture is: use MDM to enforce device posture (enroll only company-owned endpoints, enable whole-disk encryption, disable or restrict USB device classes) and use Endpoint DLP to enforce content-aware controls (block writes of CUI to unauthorized USB mass storage, fingerprint CUI, and alert on attempted exfil). This splits responsibilities so MDM enforces device-level controls while DLP enforces data-centric controls.

MDM configuration: device enrollment, whitelisting, and port control

Actions to implement in a small business (example platform references: Microsoft Intune, Jamf, VMware Workspace ONE):
1) Enroll all corporate endpoints in MDM and require device compliance before network access (conditional access/NAC).
2) Require disk encryption (BitLocker/FileVault) and ensure key escrow to your enterprise key management.
3) Disable or restrict the USB mass storage device class via a device configuration profile or group policy (e.g., the "Removable Disks: Deny write access" and "Deny read access" GPOs for Windows) while still allowing HID devices (keyboard/mouse).
4) Use MDM to allow installation only of devices matching a maintained allow list (VID/PID or serials) for company-issued USB tokens. Many MDMs expose "device installation restriction" or "allowed device IDs" policies; use those to implement whitelist-only USB installs.

Endpoint DLP configuration: content-aware blocking and exceptions

Configure your DLP agent (Microsoft Purview/Endpoint DLP, Symantec, Forcepoint, Digital Guardian, etc.) to:
1) Define CUI data identifiers / dictionaries (regex for SSNs, contract numbers, custom CUI templates).
2) Set policy actions to block copy/write operations to removable storage unless the target device is on the MDM-managed allow list and the file is encrypted.
3) Log and alert on attempted writes, and trigger automated quarantine or session termination for high-risk events.
4) Create exception workflows (temporary access tickets tied to rationale, manager approval, and written record) and map those exceptions in DLP so they generate a different event severity.

Concrete technical details and examples for small businesses

Example: 45-person engineering shop using Intune + Microsoft Purview. Implementation steps:
1) Use an Intune device configuration profile (Windows 10/11) to set "Removable Storage Access" policies to deny writable/removable storage.
2) In Intune, use "Device installation > Allow installation of devices that match these device IDs" to add company USB tokens (VID/PID list exported from a test token).
3) Enable BitLocker for fixed and removable drives; configure Intune to "Require device encryption" and escrow recovery keys to Azure AD.
4) Deploy a Microsoft Purview DLP endpoint policy that blocks "Save/Copy" activities to removable drives when the file matches a CUI pattern.
5) Test with a non-company USB stick: the copy should be blocked and an alert recorded. Test with a company token: the copy is allowed only if the token presents the expected ID and the file is encrypted by BitLocker To Go.
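To show how the MDM allow list, the encryption requirement and the DLP exception workflow from the steps above combine into one deny-by-default decision, here is an added Python illustration; it is not Intune or Purview code and not from the original post. The token IDs, the contract-number format and the ticket register are constructed placeholders.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed allow list of company-issued tokens keyed by (VID, PID, serial); placeholder values.
ALLOWED_TOKENS = {
    ("0781", "5583", "CO-TOKEN-0001"),
    ("0781", "5583", "CO-TOKEN-0002"),
}
# Constructed exception register: ticket -> (device serial, expiry), time-boxed per the exception process.
EXCEPTIONS = {"CHG-1042": ("VENDOR-9F3A", date(2026, 4, 30))}
# Illustrative CUI identifiers; a real deployment uses the DLP product's dictionaries and templates.
CUI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "cui_marking": re.compile(r"\b(?:CUI|CONTROLLED UNCLASSIFIED INFORMATION)\b"),
    "contract_no": re.compile(r"\b[A-Z]\d{5}-\d{2}-[A-Z]-\d{4}\b"),  # constructed format
}


@dataclass
class WriteEvent:
    vid: str
    pid: str
    serial: str
    encrypted: bool            # BitLocker To Go / FileVault state reported by the endpoint agent
    content: str               # file content (or a sample of it) as seen by the DLP agent
    ticket: Optional[str] = None
    today: date = date(2026, 4, 6)


def cui_hits(text: str) -> List[str]:
    """Names of the CUI identifiers found in the content."""
    return sorted(name for name, rx in CUI_PATTERNS.items() if rx.search(text))


def evaluate(ev: WriteEvent) -> Tuple[str, str, List[str]]:
    """Return (action, severity, reasons) for one attempted write to removable media."""
    hits = cui_hits(ev.content)
    owned = (ev.vid.lower(), ev.pid.lower(), ev.serial) in ALLOWED_TOKENS
    exc = EXCEPTIONS.get(ev.ticket) if ev.ticket else None
    excepted = exc is not None and exc[0] == ev.serial and ev.today <= exc[1]
    if not owned and not excepted:            # MDM layer: deny-by-default for unowned hardware
        return "block", ("high" if hits else "medium"), ["device not on allow list"] + hits
    if hits and not ev.encrypted:             # DLP layer: CUI may only land on encrypted media
        return "block", "high", ["media not encrypted"] + hits
    if excepted:                              # approved exception: allowed, but logged at its own severity
        return "allow", "exception", [f"ticket {ev.ticket}"] + hits
    return "allow", ("info" if hits else "none"), hits
```

A lookalike device with the same VID/PID but an unlisted serial is blocked, which is why the allow list keys on the serial as well.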

Linux and macOS specifics

For macOS use Jamf to enforce FileVault and to restrict kernel extension/driver installation; third-party tools (e.g., USBBlock) or Jamf extensions can enforce device whitelists by serial/VID. For Linux, implement udev rules or USBGuard to block mass-storage class devices by default and add allow rules for specific thumb drive serials. Across all OSes, ensure DLP endpoints are installed and policies cover platform-specific APIs for file operations and removable media access.

Logging, monitoring, and evidence for auditors

Collect evidence that the control is effective: MDM enrollment lists, device compliance reports, configuration profiles showing removable-media policies, DLP policy definitions and incident logs, and retention of event logs for a defined period (e.g., 1 year). Produce sample incident records showing blocked attempts and follow-up actions. Map these artifacts into your SSP and reference them in your annual assessment to demonstrate practice-level compliance for the Compliance Framework.

Risks of not implementing MP.L2-3.8.8 controls

Failing to control unowned USBs increases risks of data exfiltration (insider or contractor theft), infection from malicious USB firmware (BadUSB), and accidental leakage of CUI outside contractual boundaries. For small businesses this can mean loss of DoD contracts, remediation costs, regulatory fines, and reputational damage. From an operational standpoint, unmanaged USBs also complicate incident response because they introduce unknown assets that bypass asset inventory and key management.

Compliance tips and best practices

Tips:
1) Start with a baseline policy that denies all removable storage and then create a measured allow list.
2) Use cryptographic controls (BitLocker To Go, FileVault) so any allowed USB use still enforces encryption.
3) Maintain a documented exception process with time limits and manager approvals.
4) Test policies with a staged pilot before enterprise rollout.
5) Train staff on a "no unowned USB" culture and run phishing/USB drop tests.
6) Keep a continuous monitoring dashboard for DLP alerts and remediate false positives to refine rules.

In summary, meeting MP.L2-3.8.8 requires combining MDM controls (device enrollment, port/class restrictions, allow-listing USB hardware, and encryption enforcement) with content-aware Endpoint DLP that blocks writes of CUI to unauthorized removable media, plus documentation and monitoring to satisfy the Compliance Framework evidence requirements. For a small business the most practical path is to enforce deny-by-default removable-media policies, allow only company-issued tokens by VID/PID or serial, require encryption for any permitted media, and retain logs and exception approvals to demonstrate compliance.
