This post gives a practical, implementable plan for using Endpoint Data Loss Prevention (DLP) and USB whitelisting to satisfy the Compliance Framework requirement MP.L2-3.8.7 (NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2), with configuration patterns, small-business examples, audit evidence to collect, and risk considerations.
Why MP.L2-3.8.7 Requires Endpoint Controls
MP.L2-3.8.7 is focused on protecting Controlled Unclassified Information (CUI) and other sensitive data on media and preventing unauthorized removal or exfiltration. For the Compliance Framework this translates into two practical technical controls: (1) endpoint DLP to inspect and block sensitive-data movement across channels (USB, cloud uploads, email, clipboard), and (2) USB whitelisting (device allowlisting) to restrict which removable devices can be attached. Together these controls demonstrate to an assessor that you have technical measures to prevent unauthorized media exfiltration.
Practical Steps to Deploy Endpoint DLP
Start with data discovery and classification: inventory endpoints, identify where CUI resides (file shares, laptops, external drives) and create fingerprints/patterns (regexes for account numbers, document templates, keywords, or exact-file hashes) that your DLP will detect. Choose a DLP product that integrates with your platform: Microsoft Defender for Endpoint/Endpoint DLP (for Microsoft shops), Symantec/Broadcom DLP, Forcepoint DLP, McAfee DLP, or agents from Digital Guardian/CrowdStrike with device-control modules. For small businesses, managed offerings or cloud-native DLP (Microsoft Purview, Google Workspace DLP) can reduce operational overhead.
Define enforcement policies by channel: block copy-to-USB for files that match CUI patterns, block uploads to unmanaged cloud storage, quarantine or encrypt email attachments that contain CUI, and block clipboard copies and transcription into meeting tools. Implement a staged rollout: start with monitor-only policies for 2–4 weeks, evaluate false positives, refine patterns, then escalate to block for high-confidence detections. Ensure agents are installed in kernel/user mode as required and confirm compatibility with existing endpoint protection (AV/EDR) to avoid driver conflicts.
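As an added illustration (not code from this post or from any vendor's DLP product), the Python sketch below combines the fingerprinting and staged-rollout ideas above: content is scored against constructed CUI indicators (a contract-number regex, a marking keyword and an exact-file SHA-256), and a per-channel mode decides whether a high-confidence hit is blocked or only audited. Every pattern, hash, channel mode and sample file here is an assumption.

```python
import hashlib
import re

# Constructed CUI fingerprints (assumptions, not any real policy): a contract-number
# pattern, a marking keyword and the SHA-256 of a known CUI template file.
CONTRACT_RE = re.compile(rb"\bW912[A-Z0-9]{2}-2[0-9]-C-[0-9]{4}\b")
MARKING_RE = re.compile(rb"\b(CUI|CONTROLLED UNCLASSIFIED INFORMATION)\b")
KNOWN_CUI_TEMPLATE = b"CUI // SP-EXPT\nDrawing template v3\n"  # constructed sample file
KNOWN_HASHES = {hashlib.sha256(KNOWN_CUI_TEMPLATE).hexdigest()}

# Staged rollout: each channel is either "monitor" (log only) or "block".
CHANNEL_MODE = {"usb": "block", "cloud_upload": "block", "email": "monitor"}


def classify(content: bytes) -> str:
    """Return 'high', 'low' or 'none': how confidently the content looks like CUI."""
    if hashlib.sha256(content).hexdigest() in KNOWN_HASHES:
        return "high"  # exact-file match is unambiguous
    hits = [bool(CONTRACT_RE.search(content)), bool(MARKING_RE.search(content))]
    if all(hits):
        return "high"  # marking plus contract number: treat as CUI
    if any(hits):
        return "low"  # single indicator: audit and tune the pattern, do not block
    return "none"


def evaluate(content: bytes, channel: str) -> dict:
    """Decide what the agent does with a transfer on the given channel."""
    confidence = classify(content)
    mode = CHANNEL_MODE.get(channel, "monitor")  # unknown channels start in monitor mode
    if confidence == "none":
        action = "allow"
    elif confidence == "high" and mode == "block":
        action = "block"
    else:
        action = "audit"  # monitor-only channel or low-confidence hit
    return {"channel": channel, "confidence": confidence, "action": action}


if __name__ == "__main__":
    samples = {  # constructed file contents
        "template": KNOWN_CUI_TEMPLATE,
        "report": b"CUI // Status report, contract W912HQ-23-C-0042",
        "memo": b"Reminder: CUI training is due Friday",
        "lunch": b"Pizza order for Friday",
    }
    for name, data in samples.items():
        print(name, evaluate(data, "usb"), evaluate(data, "email"))
```

During the monitor-only phase, the "audit" decisions are the false-positive candidates to review before any channel is switched to "block".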
USB Whitelisting: Technical Implementation
Windows (Group Policy, Intune, EDR)
On Windows, combine Group Policy/Intune device-install restrictions with a device-control module in your EDR/DLP product. Use "Device Installation Restrictions" to allow devices that match specific device instance IDs, or use a vendor/product ID (VID/PID) and serial number to create an allowlist. In Intune, create a Device Configuration profile or Endpoint Security policy for removable storage and deploy an enforcement configuration to allow only approved device IDs. For higher assurance, require BitLocker for any allowed removable drives and enforce "Deny write access" for unapproved devices.
macOS (MDM / Jamf / Third‑party)
macOS does not expose the same Group Policy features, so use an MDM like Jamf to deploy a device-control profile (or rely on third‑party EDR/DLP such as CrowdStrike or Digital Guardian). Whitelist USB device serial numbers or vendor/product identifiers in the MDM or EDR, and block mount/transfer actions for all other devices. For example, Jamf can push a configuration that blocks external storage and allows exceptions by serial number; combine this with FileVault and policy-driven logging for audit trails.
Linux (udev rules and endpoint agents)
On Linux endpoints, write udev rules that match ATTR{idVendor}, ATTR{idProduct} and, where available, ATTR{serial}, either to restrict the device directly or to trigger scripts that grant permissions only to allowed devices. Example rule snippet for a specific vendor/product: SUBSYSTEM=="usb", ATTR{idVendor}=="abcd", ATTR{idProduct}=="1234", MODE="0660". Note that MODE only sets permissions on the device node, so this rule enforces an allowlist only when paired with a default rule that denies access to removable storage that does not match. Complement udev controls with your DLP/EDR agent configuration to block file copy operations from non-whitelisted devices and to report events to your SIEM.
Small-Business Scenarios and Real-World Examples
Example 1 — Small engineering subcontractor: The company handles CUI drawings and places them on local laptops for field engineers. Implement Endpoint DLP to block copy-to-USB and block upload to consumer cloud storage unless the file is flagged as non-CUI. Whitelist company-issued encrypted USB drives by serial number; require use of vendor-supplied hardware encryption keys. Document exceptions for a small number of field devices and log each transfer to the SIEM for 90 days as audit evidence.
Example 2 — Professional services firm: Consultants often take work offsite. Deploy Defender Endpoint DLP with policies that allow read-only access of CUI on managed removable drives, deny clipboard copy for documents containing CUI, and use Intune to enforce disk encryption and device allowlisting. Train consultants on the policy and require a manager-approved exception process for emergency cases (temporary allowlist entries with short TTLs).
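The allowlist and exception handling described for Windows, macOS and Linux above and in the two scenarios can be modelled in a few lines; this Python block is an added example, not code from this post or any vendor's device-control module. It keys the allowlist on serial number, checks that VID/PID still agree with the allowlisted serial, enforces manager approval and a maximum TTL (assumed here to be 24 hours) on temporary entries, and produces one JSON-serialisable audit record per device-attach event for the SIEM. Serials, IDs, hostnames and timestamps are constructed.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_EXCEPTION_TTL = timedelta(hours=24)  # assumed policy limit for emergency exceptions

@dataclass(frozen=True)
class AllowEntry:
    serial: str                         # primary key: a serial is far harder to clone than VID/PID
    vid: str                            # vendor ID, checked for consistency with the serial
    pid: str                            # product ID
    expires: Optional[datetime] = None  # None = permanent company-issued device
    approver: Optional[str] = None      # manager who approved a temporary exception

def add_exception(allowlist, serial, vid, pid, approver, ttl, now):
    """Register a temporary entry; refuse a missing approver or an over-long TTL."""
    if not approver:
        raise ValueError("temporary allowlist entries require a manager approver")
    if ttl > MAX_EXCEPTION_TTL:
        raise ValueError("TTL exceeds policy maximum")
    allowlist[serial] = AllowEntry(serial, vid, pid, now + ttl, approver)

def evaluate_attach(event, allowlist, now):
    """Decide whether an attached removable device may be used and build the audit record."""
    entry = allowlist.get(event["serial"])
    if entry is None:
        decision, reason = "block", "device not on allowlist"
    elif (entry.vid, entry.pid) != (event["vid"], event["pid"]):
        decision, reason = "block", "VID/PID does not match the allowlisted serial"
    elif entry.expires is not None and now >= entry.expires:
        decision, reason = "block", f"exception approved by {entry.approver} has expired"
    elif entry.expires is None:
        decision, reason = "allow", "permanent company-issued device"
    else:
        decision, reason = "allow", f"temporary exception approved by {entry.approver}"
    # One record per attach event; forwarded to the SIEM as the audit evidence assessors ask for
    return {"ts": now.isoformat(), **event, "decision": decision, "reason": reason}

if __name__ == "__main__":
    now = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed clock
    allowlist = {"SN-CORP-0001": AllowEntry("SN-CORP-0001", "abcd", "1234")}
    add_exception(allowlist, "SN-FIELD-0099", "abcd", "1234", "m.manager", timedelta(hours=4), now)
    for serial in ("SN-CORP-0001", "SN-UNKNOWN", "SN-FIELD-0099"):  # constructed attach events
        ev = {"host": "LT-017", "user": "jdoe", "vid": "abcd", "pid": "1234", "serial": serial}
        print(json.dumps(evaluate_attach(ev, allowlist, now), sort_keys=True))
```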
Compliance Evidence, Monitoring, and the Risk of Not Implementing
For a compliance assessment you need demonstrable evidence: deployment reports showing agents on all endpoints, DLP policy configurations, allowlist inventories (device IDs/serials), logs of blocked attempts and approvals, and exception records. Forward DLP alerts and device-attach events to a SIEM for retention and searchable audit trails. The risk of not implementing these controls includes inadvertent CUI exfiltration, contract breach, loss of DoD work, incident response costs, regulatory fines, and reputational damage. An unprotected removable-media channel is a high-probability, high-impact exfiltration vector.
Compliance Tips and Best Practices
Keep these practical tips: (1) integrate endpoint DLP with your asset inventory so policies target managed assets only, (2) prefer serial-number-based allowlists over VID/PID where possible (every unit of a model shares the same VID/PID, and those IDs are easy to spoof), (3) require hardware or OS-level encryption for all approved removable media, (4) maintain a formal exception process with short TTLs and manager approval, (5) run periodic policy tuning and red-team tests (attempt controlled file exfiltration) to validate enforcement, and (6) collect and timestamp policy changes and approvals for auditors.
In summary, meeting MP.L2-3.8.7 is achievable with a combination of endpoint DLP and strict USB/device allowlisting: discover and classify data, choose a DLP solution that fits your environment, implement device control via MDM/Group Policy/udev and EDR modules, require encryption on approved media, log everything centrally, and document exception handling. For small businesses the right balance is managed/cloud DLP plus a simple allowlist of company-issued hardware devices and robust logging — this combination provides both technical enforcement and the audit evidence assessors expect.