NIST SP 800-171/CMMC MP.L2-3.8.7 requires organizations handling Controlled Unclassified Information (CUI) to enforce restrictions on removable media; this post shows how to translate that control into practical configurations for Windows, macOS, and Linux along with monitoring, exception handling, and real-world small-business examples.
Practical implementation overview for CMMC
Treat MP.L2-3.8.7 as a combination of policy plus technical enforcement: define a written removable-media policy (deny-by-default, allow-by-exception), deploy technical controls to enforce it, require encryption for any permitted media, and log all insert/mount events for audit. For small businesses that must meet CMMC, pick a single centralized management approach where possible (Microsoft Intune/Group Policy for Windows, Jamf/Apple MDM for macOS, and Ansible/Puppet/Canonical Landscape for Linux) and apply a consistent control set: block or make read-only any unauthorized device, allow-list approved device IDs, require full-disk encryption for approved media, and capture insertion/mount events in your SIEM.
Windows: Group Policy, Intune, BitLocker, and Endpoint DLP
Windows provides multiple layers to enforce removable-media restrictions. Use Group Policy (or Intune Configuration Profiles) to block or restrict classes of removable storage: Computer Configuration → Administrative Templates → System → Removable Storage Access — enable "Removable Disks: Deny read access" and "Removable Disks: Deny write access" as appropriate. For device-installation-level controls, use Computer Configuration → Administrative Templates → System → Device Installation → Device Installation Restrictions to "Prevent installation of removable devices" or apply device ID-based DACLs.
For endpoint encryption, require BitLocker To Go for any allowed removable drives (GPO: Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Removable Data Drives). Example BitLocker To Go GPO settings: enforce password protector, deny write access to unencrypted removable drives, and escrow recovery keys to Active Directory or Intune. For more granular data control, use Microsoft Defender for Endpoint (Endpoint DLP) to block copy/paste and file moves to removable drives by policy. A simple local registry approach to write-protect USBs (useful for staging) is:
New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies -Force; Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies -Name WriteProtect -Value 1 -Type DWord
Note: the registry key is a blunt instrument and affects all USB storage on the host. Prefer GPO/Intune for enterprise scale, and maintain an exception process (device allow-list via Device Instance ID in GPO or Intune's hardware ID device restriction profiles).
macOS: MDM profiles, Jamf policies, encryption, and lightweight blocking scripts
Apple platforms are managed best via an MDM. Use Jamf or another Apple MDM to push profiles that enforce FileVault (FileVault 2) and require external storage to be encrypted if it is used at all. For blocking/remediation you have two practical choices: 1) deploy an endpoint DLP/agent that enforces USB blocking (Symantec, Zscaler, Forcepoint, etc.), or 2) use an MDM-driven script/policy that unmounts unauthorized devices on connect. A simple approach for smaller shops without DLP: a Jamf policy or launchd job that runs a script which detects new external disks and unmounts them unless they match an approved allow-list (by volume UUID or vendor/product ID). Example minimal unmount script (illustrative; it unmounts every external physical disk, with no allow-list yet):
for disk in $(diskutil list external physical | awk '/^\/dev\/disk/ {print $1}'); do diskutil unmountDisk "$disk"; done
Also deploy osquery on macOS to monitor USB events. The usb_devices table has no timestamp column, so rather than filtering by time, schedule a query against it and let osquery's differential logging report each newly attached device as an added row, for example: select vendor, vendor_id, model, model_id, serial from usb_devices;. Combine that with a central log collector to alert on unauthorized device insertion. For macOS, rely on a formal exception process tied to MDM-managed allow-lists rather than ad-hoc local changes.
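As an added example (not the post's own script), the following bash script turns the illustrative unmount loop above into the allow-list version the post describes: it parses the output of diskutil list, reads each external disk's partition UUID from diskutil info, and unmounts any disk whose UUID is not in an allow-list file. The allow-list path /usr/local/etc/removable-allow.txt and the --enforce flag are assumptions for this example; the parsing and allow-list functions are kept separate from the diskutil calls so they can be exercised without hardware attached.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: allow-list-driven unmount of
# external disks on macOS. Assumed (hypothetical) allow-list location; one
# approved "Disk / Partition UUID" per line, '#' lines are comments.
set -u

ALLOW_FILE="${ALLOW_FILE:-/usr/local/etc/removable-allow.txt}"

# Parse `diskutil list external physical` output (on stdin) and print the
# whole-disk identifiers, e.g. /dev/disk4. Partition rows never start with
# /dev, so only the per-disk header lines match.
external_disks() {
    awk '/^\/dev\/disk[0-9]+/ { print $1 }'
}

# Pull the "Disk / Partition UUID" value out of `diskutil info <disk>` output
# (on stdin). The field separator eats the colon and the padding after it.
disk_identifiers() {
    awk -F': *' '/Disk \/ Partition UUID/ { print $2 }'
}

# Exit 0 if the identifier appears in the allow-list (exact line match).
# An unreadable allow-list means nothing is allowed (deny-by-default).
is_allowed() {
    local id="$1"
    [ -r "$ALLOW_FILE" ] || return 1
    grep -v '^#' "$ALLOW_FILE" | grep -qx -- "$id"
}

# Enforcement pass: unmount every external disk that is not allow-listed and
# record the decision in the unified log via logger for the SIEM collector.
enforce() {
    local disk id allowed
    for disk in $(diskutil list external physical | external_disks); do
        allowed=1
        for id in $(diskutil info "$disk" | disk_identifiers); do
            if is_allowed "$id"; then allowed=0; break; fi
        done
        if [ "$allowed" -ne 0 ]; then
            logger -t removable-media "unmounting unauthorized disk $disk"
            diskutil unmountDisk force "$disk"
        else
            logger -t removable-media "allow-listed disk $disk left mounted"
        fi
    done
}

# Only act when invoked as `script --enforce` (e.g. from a launchd job or
# Jamf policy); sourcing the file just defines the functions.
if [ "${1:-}" = "--enforce" ]; then
    enforce
fi
```

Run it from the MDM with --enforce on a short interval or on a mount trigger; because approved media is identified by partition UUID, re-imaging an approved stick changes its UUID and automatically drops it off the allow-list until the exception is renewed.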
Linux: udev rules, kernel-module blacklisting, and auditd
On Linux, enforce restrictions with udev rules and kernel module controls. Common, effective options: blacklist the usb-storage module (prevents most USB mass-storage devices), create udev rules that set the authorized attribute to 0 for devices that match the USB Mass Storage interface class, or implement allow-listing using vendor/product IDs. Example kernel blacklist (Debian/Ubuntu/CentOS): add a file /etc/modprobe.d/blacklist-usb-storage.conf containing install usb-storage /bin/true, update the initramfs if required, and unload the module with rmmod usb-storage if it is already loaded, since modprobe.d only affects future loads. Example udev rule (de-authorizes mass storage interfaces at attach time):
ACTION=="add", SUBSYSTEM=="usb", ATTR{bInterfaceClass}=="08", RUN+="/bin/sh -c 'echo 0 > /sys$DEVPATH/authorized'"
For monitoring and auditing, add auditd rules to capture device-node changes (udev populates /dev/disk on insertion) and mount activity, for example: auditctl -w /dev/disk -p wa -k removable_media, and monitor dmesg/kernel logs for USB attach/detach messages. Use Ansible or Puppet to distribute rules and manage exceptions centrally; maintain a controlled allow-list file for vendor/product IDs and ensure that any allowed device is encrypted and tracked.
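To make the vendor/product allow-listing concrete, here is an added bash script (not from the post or any project) that generates a deny-by-default udev rule set from an allow-list of vendor:product pairs in lsusb style. Approved devices jump past the deny rule via GOTO; every other interface of class 08 is de-authorized exactly as the single rule above does. The allow-list path, the rules file name and the --install flag are assumptions for the example.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: build udev rules from an
# allow-list. Assumed (hypothetical) paths below; override via environment.
set -u

ALLOW_FILE="${ALLOW_FILE:-/etc/removable-media/allow.txt}"
RULES_FILE="${RULES_FILE:-/etc/udev/rules.d/90-removable-media.rules}"

# One allow-list entry is "vvvv:pppp" (four hex digits each, as lsusb prints).
valid_entry() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{4}:[0-9a-f]{4}$'
}

# Read the allow-list on stdin and write a complete rules file to stdout.
# Order matters in udev: the allow rules come first and skip to the label,
# the deny rule catches everything else, and the label ends the block.
generate_rules() {
    local line vendor product count=0
    echo '# Generated removable-media rules: allow-listed devices bypass the deny rule.'
    while IFS= read -r line; do
        line="${line%%#*}"                                   # drop comments
        line="$(printf '%s' "$line" | tr -d '[:space:]' | tr 'A-F' 'a-f')"
        [ -n "$line" ] || continue
        if ! valid_entry "$line"; then
            echo "skipping malformed allow-list entry: $line" >&2
            continue
        fi
        vendor="${line%%:*}"
        product="${line##*:}"
        # ATTRS{} walks up to the parent USB device, so this matches the
        # interface event that the deny rule below would otherwise catch.
        printf 'ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="%s", ATTRS{idProduct}=="%s", GOTO="removable_media_end"\n' \
            "$vendor" "$product"
        count=$((count + 1))
    done
    # Quoted heredoc: $DEVPATH must reach udev literally, not be expanded here.
    cat <<'EOF'
ACTION=="add", SUBSYSTEM=="usb", ATTR{bInterfaceClass}=="08", RUN+="/bin/sh -c 'echo 0 > /sys$DEVPATH/authorized'"
LABEL="removable_media_end"
EOF
    echo "# $count allow-listed device(s)"
}

# Write the rules file and make udev pick it up without a reboot.
install_rules() {
    generate_rules < "$ALLOW_FILE" > "$RULES_FILE" &&
        udevadm control --reload-rules &&
        udevadm trigger --subsystem-match=usb
}

if [ "${1:-}" = "--install" ]; then
    install_rules
fi
```

Distribute the allow-list file with Ansible or Puppet and run the script with --install as a handler whenever the file changes; the generated rules file is itself evidence for an assessor, since it shows the deny rule and the exact set of approved device IDs at that point in time.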
Compliance tips, best practices, and small-business scenarios
Best practices that help small businesses meet CMMC expectations include: implement deny-by-default with an exceptions approval workflow, require and verify encryption on allowed media (BitLocker To Go, FileVault+APFS encrypted volumes, LUKS for Linux), log all insertion/mount events to a centralized SIEM with 1-year retention (or as required by contract), and limit administrative rights so users cannot disable controls locally. Example small-business scenario: a 30-person engineering firm that handles CUI design files should block all direct copying to USB by default, allow a single inventory-controlled encrypted USB device per engineer via the allow-list and BitLocker To Go, and require managers to approve temporary exceptions in the ticketing system with automatic log retention and monthly review.
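The SIEM side of the logging requirement needs a rule that turns raw attach events into alerts. As an added example (not from the post), this bash script does that for the Linux kernel's "New USB device found" messages as seen in dmesg or journalctl -k: it extracts the vendor:product pair and port from each line and flags any pair that is not on the allow-list, deny-by-default. The sample log lines in the test are constructed, and the allow-list path and --scan flag are assumptions; the same vendor:product allow-list file as the udev example can be reused.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: detection logic over kernel
# USB attach messages. Assumed (hypothetical) allow-list path below.
set -u

ALLOW_FILE="${ALLOW_FILE:-/etc/removable-media/allow.txt}"

# Read kernel log lines on stdin and print one "vendor:product port" record
# per attach event. Timestamps or other prefixes before "usb" are ignored;
# lines that are not "New USB device found" messages produce no output.
attach_events() {
    sed -n -E 's/.*usb ([0-9.-]+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4}).*/\2:\3 \1/p'
}

# Classify each record from attach_events: OK when the pair is allow-listed,
# ALERT otherwise. A missing or unreadable allow-list also yields ALERT.
classify_events() {
    local pair port
    while read -r pair port; do
        if [ -r "$ALLOW_FILE" ] && grep -v '^#' "$ALLOW_FILE" | grep -qx -- "$pair"; then
            echo "OK    $pair on port $port (allow-listed)"
        else
            echo "ALERT $pair on port $port (not allow-listed)"
        fi
    done
}

# Count ALERT lines on stdin; useful as a threshold for a SIEM correlation
# rule or as a non-zero signal for a cron-driven check.
alert_count() {
    grep -c '^ALERT' || true
}

# `script --scan` runs the pipeline over the current boot's kernel log.
if [ "${1:-}" = "--scan" ]; then
    journalctl -k --no-pager | attach_events | classify_events
fi
```

Shipping the ALERT lines (rather than every attach message) to the central collector keeps the SIEM signal aligned with the exception process: each alert either maps to an approved ticket or is a policy violation to investigate.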
Operational controls and exception handling
Operationally, pair technical controls with these policies: training (brief users about the risk of removable media), an exception ticket and review process (time-limited approvals, device owner and serial number tracked), and periodic audits (monthly device-list reconciliation). Use endpoint inventory (e.g., Intune/Jamf/osquery) to verify the presence of required protection (BitLocker/FileVault/LUKS) and produce evidence for auditors: policy templates, GPO/MDM profiles, allow-list registry/manifest, SIEM logs showing mount/deny events, and approval tickets for exceptions.
Risks of not implementing MP.L2-3.8.7
Failing to enforce removable media restrictions exposes organizations to high-risk outcomes: data exfiltration (an insider copying CUI to a USB drive), malware introduction (ransomware or firmware-level attacks delivered via thumb drives), lost devices containing unencrypted CUI, and ultimately compliance failures that can lead to contract loss, financial penalties, or mandatory remediation. For small businesses, a single lost unencrypted drive can trigger a breach notification, damage reputation, and jeopardize DoD subcontracting eligibility under CMMC requirements.
In summary: document your removable-media policy, implement deny-by-default technical controls across Windows (GPO/Intune + BitLocker + Endpoint DLP), macOS (MDM + FileVault + DLP or scripted unmounts), and Linux (udev + kernel-module blacklist + auditd), keep an allow-list and an exception workflow, and centralize logging for audit evidence. These practical steps will help you meet NIST SP 800-171 / CMMC MP.L2-3.8.7 in a way that is scalable for small businesses and defensible during assessments.