Removable media controls are a critical piece of the Compliance Framework for protecting Controlled Unclassified Information (CUI): MP.L2-3.8.7 mandates that organizations prohibit, detect, and mitigate the use of removable media on system components. This post gives a pragmatic, step-by-step implementation guide tailored to small businesses pursuing NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2 compliance.
Overview and implementation planning
Start by translating the control into measurable requirements for your environment: prohibit unauthorized USB mass-storage devices by default, allow only approved encrypted devices, detect insertions and file transfers, and provide a documented exception and mitigation process. In your Compliance Framework documentation, produce a removable media policy, an approved-device registry, technical configuration baselines (GPO/MDM), DLP rules, audit logging requirements, and an exceptions workflow. For small businesses, scope these items to the endpoints that process CUI (for example, workstations in engineering, accounting, and contract management) so that you prioritize enforcement where it matters most.
Step 1 — Policy, roles, and exceptions
Write a short, authoritative removable media policy that states: removable media is prohibited by default on CUI systems; only company-issued, hardware-encrypted devices (or centrally managed encrypted volumes) are permitted after approval; all approved devices must be registered (device serial, VID/PID) and scanned before use. Assign roles: an Approver (security officer), an IT enroller (MDM/GPO admin), and a Reviewer (periodic audit owner). Define an exception process requiring a signed justification, a timeframe, and compensating controls (e.g., anti-malware scan, isolated transfer station, supervisor sign-off).
Step 2 — Technical controls (Windows, macOS, Linux)
Enforce controls with existing enterprise tooling where possible. Windows: use Group Policy (Computer Configuration → Administrative Templates → System → Removable Storage Access) to Deny Read/Write/Execute on removable disks, and use Device Installation Restrictions to prevent new USB storage installs. As a registry-based enforcement example, disable the USB storage driver from an elevated PowerShell session: Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name 'Start' -Value 4 -Type DWord (a Start value of 4 means "disabled"; a drive that is already mounted stays usable until it is unplugged or the machine reboots, so verify on a test workstation after a reboot). For allowlisting of approved devices, configure "Prevent installation of devices that match any of these device instance IDs" and add the approved VID/PID/serials. macOS: use your MDM (Jamf, Intune macOS profiles, Kandji) to restrict removable storage, and deploy endpoint protection agents that support device control. Linux: blacklist the usb-storage kernel module (as root, echo "blacklist usb-storage" > /etc/modprobe.d/blacklist-usbstorage.conf, then update the initramfs so the setting also applies at early boot) and use udev rules to allowlist device serials for approved devices. Be careful: these steps block USB storage only; HID devices (keyboards/mice) remain functional when implemented correctly.
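To keep one source of truth for the allowlist across platforms, here is an added Python example (not tooling from this post or from any product named in it) that validates the approved-device registry and renders it into the device instance IDs (USB\VID_xxxx&PID_yyyy\serial) that the Windows Device Installation Restrictions policies accept, and into a deny-by-default udev rule set for Linux. The registry rows, the output file names and the udev rule layout are assumptions: the rules rely on the usb_id builtin exposing the interface class list in ID_USB_INTERFACES (class 08 = mass storage), so test them with udevadm test on a lab host before deployment. Unlike the module blacklist above, the rule set lets registered devices work while deauthorizing unregistered mass-storage devices; keyboards and mice are unaffected because their interface class is not 08.

```python
"""Derive per-platform allowlist artifacts from one approved-device registry (added example)."""
import re
from pathlib import Path

# Constructed sample registry rows (Step 3 metadata). Serial case must match what the device
# reports, because udev compares ATTR{serial} as an exact string.
APPROVED_DEVICES = [
    {"serial": "08606E6D1A6DB1A0", "vid": "0951", "pid": "1666", "user": "jdoe", "issued": "2024-01-15"},
    {"serial": "5B7A1C2D", "vid": "0951", "pid": "1666", "user": "asmith", "issued": "2024-02-01"},
]
HEX4 = re.compile(r"^[0-9A-Fa-f]{4}$")
SERIAL = re.compile(r"^[0-9A-Za-z]{1,64}$")  # USB serial strings are ASCII; keep the check strict


def validate(entry):
    """Reject malformed registry rows before they become policy text; normalize VID/PID case."""
    if not (HEX4.match(entry["vid"]) and HEX4.match(entry["pid"])):
        raise ValueError(f"bad VID/PID in registry row for {entry.get('user')}")
    if not SERIAL.match(entry["serial"]):
        raise ValueError(f"bad serial in registry row for {entry.get('user')}")
    return {**entry, "vid": entry["vid"].upper(), "pid": entry["pid"].upper()}


def is_valid(entry):
    """Boolean wrapper around validate() for callers that only need a yes/no."""
    try:
        validate(entry)
        return True
    except ValueError:
        return False


def windows_instance_ids(registry):
    """Device instance IDs (USB\\VID_xxxx&PID_yyyy\\serial) for the Device Installation Restrictions list."""
    return [f"USB\\VID_{e['vid']}&PID_{e['pid']}\\{e['serial']}" for e in map(validate, registry)]


def udev_rules(registry):
    """Deny-by-default udev rules: approved serials jump past the line that deauthorizes mass storage.

    Assumed layout: the usb_id builtin fills ID_USB_INTERFACES with ':ccsspp:' triples, class 08
    being mass storage; any unapproved device carrying such an interface gets ATTR{authorized}="0".
    """
    lines = [
        "# generated from the approved-device registry; verify with: udevadm test /sys/bus/usb/devices/<dev>",
        'ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", IMPORT{builtin}="usb_id"',
    ]
    for e in map(validate, registry):
        lines.append(f"# approved: {e['user']}, issued {e['issued']}")  # udev comments must start the line
        lines.append(
            f'ACTION=="add", SUBSYSTEM=="usb", ENV{{DEVTYPE}}=="usb_device", '
            f'ATTR{{idVendor}}=="{e["vid"].lower()}", ATTR{{idProduct}}=="{e["pid"].lower()}", '
            f'ATTR{{serial}}=="{e["serial"]}", GOTO="approved_storage"'
        )
    lines.append('ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", '
                 'ENV{ID_USB_INTERFACES}=="*:08????:*", ATTR{authorized}="0"')
    lines.append('LABEL="approved_storage"')
    return "\n".join(lines) + "\n"


def write_artifacts(registry, out_dir):
    """Write both artifacts so they can be attached to the SSP as evidence (file names are assumptions)."""
    out = Path(out_dir)
    (out / "approved-device-instance-ids.txt").write_text("\n".join(windows_instance_ids(registry)) + "\n")
    (out / "70-removable-media-allowlist.rules").write_text(udev_rules(registry))
    return sorted(p.name for p in out.iterdir())


if __name__ == "__main__":
    print("\n".join(windows_instance_ids(APPROVED_DEVICES)))
    print(udev_rules(APPROVED_DEVICES))
```

Run it whenever the registry changes, check the generated files into the same place you keep the SSP evidence, and import the instance ID list into the GPO rather than typing IDs by hand; a typo in a serial silently turns an approved device into a blocked one.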
Step 3 — Managed allowlist and encryption
Only permit pre-approved, company-controlled removable media and enforce encryption for all allowed devices. Practical small-business approach: issue a limited number of hardware-encrypted USB drives (with hardware PIN), or require BitLocker To Go (Windows) / FileVault-encrypted images / VeraCrypt containers on removable media. Maintain an allowlist in your asset inventory with metadata (serial, VID/PID, assigned user, issuance date). Implement technical allowlisting in your endpoint security product (Microsoft Intune + Defender for Endpoint, CrowdStrike with Device Control, or Sophos) to map physical device identity to policy enforcement, so that any device not on the allowlist is blocked.
Step 4 — Detection, logging, and monitoring
Detection is required to demonstrate that you can find unauthorized activity. Enable audit logging for removable device events and file copy operations: configure Windows audit policies for object access and device install events, ingest the logs into a central SIEM or cloud logging service, and create alerts for blocked device insertions, attempted file copies to removable devices, and device installation failures. Use Data Loss Prevention (DLP) tools (Microsoft Purview DLP, Symantec/McAfee DLP) to detect and block CUI exfiltration attempts to removable media and to generate evidence for assessments; alerts should capture username, endpoint hostname, device ID, file hashes, and timestamps.
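Putting the approved-device registry of Step 3, the time-bound exceptions of Step 1 and the detection logic of this step together, here is an added Python example (not code from this post or from any of the products named in it) that evaluates constructed event records shaped like the Windows Security events a SIEM would receive: 6416 (a new external device was recognized by the system) and 4663 from the Removable Storage object-access audit subcategory. It decides whether a device is approved, by registry entry or by an unexpired exception, attributes writes on a host to the device most recently inserted there, and emits alerts carrying the username, hostname, device ID, file hash and timestamp fields listed above. Registry rows, exception tickets, hostnames, device IDs and hashes are all constructed, and the eight-hour correlation window is an assumption to tune for your environment.

```python
"""Allowlist-aware detection over constructed endpoint events (added example)."""
from datetime import datetime, timedelta, timezone
import re

# Step 3 registry: serial -> metadata. Constructed sample values, not real devices.
APPROVED_DEVICES = {
    "08606E6D1A6DB1A0": {"vid": "0951", "pid": "1666", "user": "jdoe", "issued": "2024-01-15"},
}
# Step 1 time-bound exceptions: serial -> signed approval record (constructed).
EXCEPTIONS = {
    "5B7A1C2D": {"user": "asmith", "ticket": "EXC-0007", "expires": "2024-03-01T00:00:00Z"},
}
# Windows-style device instance ID: USB\VID_xxxx&PID_yyyy\serial
DEVICE_ID_RE = re.compile(r"USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})\\([0-9A-Z]+)", re.I)
WRITE_BITS = 0x2 | 0x4  # FILE_WRITE_DATA | FILE_APPEND_DATA bits of a 4663 AccessMask


def ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_device_id(device_id):
    m = DEVICE_ID_RE.search(device_id or "")
    return (m.group(1).upper(), m.group(2).upper(), m.group(3).upper()) if m else None


def authorization(device_id, when):
    """Decide whether a device ID seen at `when` is approved, and say why."""
    parsed = parse_device_id(device_id)
    if parsed is None:
        return False, "unparseable device ID"
    vid, pid, serial = parsed
    reg = APPROVED_DEVICES.get(serial)
    if reg and (reg["vid"], reg["pid"]) == (vid, pid):
        return True, f"registry (assigned to {reg['user']})"
    exc = EXCEPTIONS.get(serial)
    if exc:
        if when < ts(exc["expires"]):
            return True, f"exception {exc['ticket']}"
        return False, f"exception {exc['ticket']} expired"
    return False, "not in registry"


def analyze(events, window=timedelta(hours=8)):
    """Walk events in time order; return alerts carrying the evidence fields assessors ask for."""
    last_device = {}  # hostname -> (device_id, time of the most recent 6416 on that host)
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        when = ts(ev["TimeCreated"])
        base = {"time": ev["TimeCreated"], "host": ev["Computer"], "user": ev["SubjectUserName"]}
        if ev["EventID"] == 6416:  # new external device recognized
            last_device[ev["Computer"]] = (ev["DeviceId"], when)
            allowed, reason = authorization(ev["DeviceId"], when)
            if not allowed:
                alerts.append({**base, "rule": "unapproved-device-insert", "device": ev["DeviceId"],
                               "reason": reason, "file": None, "sha256": None})
        elif ev["EventID"] == 4663 and ev.get("Subcategory") == "Removable Storage":
            if int(ev["AccessMask"], 16) & WRITE_BITS == 0:
                continue  # reads are retained as evidence but not alerted on here
            dev, seen = last_device.get(ev["Computer"], (None, None))
            if dev is not None and when - seen <= window:
                allowed, reason = authorization(dev, when)
            else:  # a write with no insertion context is itself suspicious: alert, don't drop it
                dev, allowed, reason = None, False, "no device insertion seen on host within window"
            if not allowed:
                alerts.append({**base, "rule": "write-to-unapproved-removable", "device": dev,
                               "reason": reason, "file": ev["ObjectName"], "sha256": ev.get("FileHash")})
    return alerts


# Constructed sample events, shaped like Windows Security log records after SIEM ingestion.
SAMPLE_EVENTS = [
    {"EventID": 6416, "TimeCreated": "2024-02-10T09:00:00Z", "Computer": "WS-ENG-01", "SubjectUserName": "jdoe",
     "DeviceId": "USB\\VID_0951&PID_1666\\08606E6D1A6DB1A0"},
    {"EventID": 4663, "TimeCreated": "2024-02-10T09:05:00Z", "Computer": "WS-ENG-01", "SubjectUserName": "jdoe",
     "Subcategory": "Removable Storage", "ObjectName": "E:\\cui\\bracket.dwg", "AccessMask": "0x2"},
    {"EventID": 6416, "TimeCreated": "2024-02-10T13:30:00Z", "Computer": "WS-ENG-02", "SubjectUserName": "bwilson",
     "DeviceId": "USB\\VID_0781&PID_5583\\4C530001230405"},
    {"EventID": 4663, "TimeCreated": "2024-02-10T13:31:00Z", "Computer": "WS-ENG-02", "SubjectUserName": "bwilson",
     "Subcategory": "Removable Storage", "ObjectName": "E:\\Contracts\\SOW-2024.pdf", "AccessMask": "0x6",
     "FileHash": "constructed-sha256-placeholder"},
    {"EventID": 4663, "TimeCreated": "2024-02-10T13:32:00Z", "Computer": "WS-ENG-02", "SubjectUserName": "bwilson",
     "Subcategory": "Removable Storage", "ObjectName": "E:\\Contracts\\SOW-2024.pdf", "AccessMask": "0x1"},
    {"EventID": 6416, "TimeCreated": "2024-03-02T08:00:00Z", "Computer": "WS-ACCT-01", "SubjectUserName": "asmith",
     "DeviceId": "USB\\VID_0951&PID_1666\\5B7A1C2D"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Three of the six records produce alerts: the unregistered device on WS-ENG-02, the write to it a minute later (which carries the file hash the DLP agent attached), and the insertion of a device whose exception ticket expired the day before. The approved device on WS-ENG-01 and the read on WS-ENG-02 stay in the log as evidence without paging anyone, which is the balance you want when reviewing alert volumes monthly.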
Step 5 — Compensating controls for necessary use cases
For legitimate workflows that require removable media (e.g., secure delivery of large CAD files to a subcontractor), implement controlled transfer stations: an isolated, hardened workstation without network access used only for vetted transfers, with disk imaging, AV scanning, and logged chain-of-custody. Require supervisor approval and quarantine scans for files. If remote users need temporary use of removable media, use time-bound exceptions, require VPN to an audited file-share for transfer, or leverage enterprise file sync tools (OneDrive for Business with DLP) to avoid physical media entirely.
Real-world small business scenarios and examples
Example 1: A small defense contractor must prevent designers from copying CUI to personal thumb drives. They implement GPO deny policies, issue 10 company-encrypted USBs to authorized staff, enroll the devices in Intune, and use Defender for Endpoint to block any non-enrolled devices; audit logs show blocked attempts during the first 30 days. Example 2: A subcontractor with Mac and Linux systems uses Jamf and an open-source DLP agent for macOS, blacklists usb-storage on Linux, and runs monthly spot checks; this combination reduced incidents and provided audit evidence for assessors.
Compliance tips, testing, and risk of non-compliance
Tips: document every design choice in your System Security Plan (SSP), save screenshots of GPO/MDM profiles and DLP rules as evidence, collect logs for at least 90 days, and maintain a register of approved devices. Perform regular validation: scheduled audits of the allowlist, simulated attempts to copy CUI to blocked devices (controlled red-team or internal tests), and a monthly review of alert volumes. Risks of not implementing MP.L2-3.8.7 include data exfiltration of CUI, introduction of malware via infected media (historical incidents such as Stuxnet), regulatory penalties, and failed CMMC assessments; for small businesses these consequences can be business-ending.
Summary
To satisfy MP.L2-3.8.7 under NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2, combine policy, an approval workflow, and technical enforcement (GPO/MDM, device allowlisting, encryption, DLP, and logging), plus compensating controls where necessary. For small businesses, prioritize simplicity: deny by default, issue a small set of managed encrypted devices, use built-in OS controls and low-cost MDM tools, and document everything for your SSP and assessment evidence. Implement monitoring and periodic validation to ensure the controls remain effective and to demonstrate compliance to assessors.