This post explains how to implement and document USB and removable media controls to meet Compliance Framework requirements (NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 Control AC.L2-3.1.21) with practical steps, concrete technical settings, and real-world examples for a small business.
Understand the control and define scope
AC.L2-3.1.21 requires organizations to control and limit the use of removable media to prevent unauthorized transfer of Controlled Unclassified Information (CUI). For Compliance Framework implementations you must define scope (which systems and users process CUI), classify what constitutes removable media (USB mass storage, SD cards, external HDDs, optical media, and even some Bluetooth file transfer methods), and identify the owners of devices and data flows. Document scope in your System Security Plan (SSP) and map the control to the Compliance Framework requirement set so assessors can follow your evidence trail.
Step 1 — Policy, governance, and exception process
Create or update a removable media policy that covers permitted device types, encryption requirements, authorized use cases, acceptance criteria for personal vs. company-owned media, and an exceptions procedure. Required artifacts for Compliance Framework evidence: the signed policy, a register of approved removable media (device serial numbers or asset tags), documented exception requests with business justification and compensating controls, and training records showing users understand the policy.
Practical policy elements
At minimum your policy should: (a) prohibit personal removable media for CUI, (b) require company-managed encrypted USB devices for any authorized exchange, (c) require anti-malware scanning before attachment to CUI systems, (d) mandate logging and regular audits, and (e) require sanitization of removable media before reuse or disposal (NIST SP 800-88). Tie enforcement to disciplinary and contract clauses for employees and contractors.
Step 2 — Technical controls (concrete configs)
Implement layered technical controls so policy is enforceable: endpoint DLP to block/inspect file transfers, OS/device-level blocking by device class, allowlisting corporate-approved devices, device encryption enforcement, and network controls (NAC VLANing). Examples and commands you can use right away:
# Windows: disable the USB mass-storage driver (USBSTOR) by setting its Start value to 4 (Disabled); deploy centrally via GPO registry preference or PowerShell
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name 'Start' -Value 4 -Type DWord
# Windows: list currently present USB devices (useful for inventory and for verifying the block)
Get-PnpDevice -Class 'USB' | Where-Object { $_.Present -eq $true }
# Linux (udev): deauthorize a USB device by vendor/product ID and log the block to syslog (1234:abcd is a placeholder pair; ATTR{authorized}="0" prevents any driver from binding, whereas changing MODE on the device node alone does not stop usb-storage from attaching)
# /etc/udev/rules.d/99-usb-block.rules
ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="1234", ATTR{idProduct}=="abcd", ATTR{authorized}="0", RUN+="/bin/logger -t usb-block 'Blocked USB device 1234:abcd'"
For enterprise management use Microsoft Intune / Endpoint Configuration Manager to enforce "Removable Storage Access" policies and deploy BitLocker To Go policies via Group Policy (Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Removable Data Drives). Set encryption algorithm to XTS-AES 256 and require a password or smartcard protector for BitLocker To Go. On macOS, enforce removable media policies via MDM profiles and FileVault + MDM restrictions; on Linux, enforce udev rules and sudo/group restrictions to access /dev/sd* devices.
Allowlisting and DLP
Use allowlisting for sanctioned USB vendor/product IDs and certificate-based allowlisting for smartcard/USB tokens. Deploy an endpoint DLP product to block copy operations from CUI-designated folders to removable storage, and to quarantine or prompt for authorization if a user tries to transfer data. Configure DLP to produce alerts, quarantine files, and create tickets for exceptions so you have an audit trail.
Step 3 — Operational controls: inventory, training, and exception handling
Operationalize the technical controls by maintaining an inventory of approved removable devices (asset tag, serial, assigned user), logging assignment and return, and using a standard secure issuance process for company USB drives (pre-encrypted, UUID-logged). Provide short, role-based training that demonstrates how to use encrypted devices, how to request exceptions, and how to report lost or found media. Implement a written exception process that requires manager approval and compensating controls (e.g., temporary network isolation, supervised transfer, additional logging).
Logging, monitoring, and audit evidence
Collect and retain evidence required by the Compliance Framework: OS logs showing device attach/detach events, DLP alerts and disposition, NAC logs showing network port and VLAN assignment, BitLocker key escrow records (store in Active Directory or an enterprise key manager), and exception tickets. Configure centralized SIEM ingestion of endpoint events and set alerts for anomalies such as repeated attach/detach events, unauthorized device IDs, or bulk file copies. Preserve logs for the retention period stated in your SSP (commonly 1–3 years for CUI workflows) and produce samples during assessment.
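The device register from the allowlisting step and the SIEM anomaly rules described above can be exercised together in a short detection script. This is an added example, not code from the original post or from any vendor product; the log line format, hostnames, serials and vendor/product IDs are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Approved device register (constructed values): serial -> assigned user.
APPROVED_DEVICES = {"SN-CUI-0001": "alice", "SN-CUI-0002": "bob"}

# Constructed sample lines (not real captures): timestamp host usb add|remove vendor:product serial
SAMPLE_LOG = """\
2024-05-01T09:00:01 eng-ws-01 usb add 0951:1666 SN-CUI-0001
2024-05-01T09:00:45 eng-ws-01 usb remove 0951:1666 SN-CUI-0001
2024-05-01T10:12:03 eng-ws-07 usb add 0781:5567 SN-PERSONAL-77
2024-05-01T11:00:00 eng-ws-03 usb add 0951:1666 SN-CUI-0002
2024-05-01T11:00:10 eng-ws-03 usb remove 0951:1666 SN-CUI-0002
2024-05-01T11:00:20 eng-ws-03 usb add 0951:1666 SN-CUI-0002
2024-05-01T11:00:30 eng-ws-03 usb remove 0951:1666 SN-CUI-0002
2024-05-01T11:00:40 eng-ws-03 usb add 0951:1666 SN-CUI-0002
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) usb (?P<action>add|remove) "
                     r"(?P<vidpid>[0-9a-f]{4}:[0-9a-f]{4}) (?P<serial>\S+)$")

def parse_event(line):
    """Parse one log line into a dict; return None for lines that are not USB events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def find_unauthorized(events, register=APPROVED_DEVICES):
    """Attach events whose serial is absent from the approved device register."""
    return [(e["host"], e["vidpid"], e["serial"])
            for e in events if e["action"] == "add" and e["serial"] not in register]

def find_churn(events, max_events=4, window=timedelta(minutes=1)):
    """Hosts with more than max_events attach/detach events inside one sliding window."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e["ts"])
    flagged = []
    for host, times in sorted(by_host.items()):
        times.sort()
        peak = max(sum(1 for t in times if start <= t <= start + window) for start in times)
        if peak > max_events:
            flagged.append((host, peak))
    return flagged

def analyze(log_text):
    """Run both detections over raw log text; unparseable lines are skipped."""
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    return {"unauthorized": find_unauthorized(events), "churn": find_churn(events)}
```

Each finding maps to an evidence artifact: an unauthorized serial should open an exception ticket or incident, and a churn hit on a workstation is a prompt to pull that host's full attach/detach history from the SIEM.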
Real-world small-business scenario
Example: a 25-person engineering firm with a single CUI project. Steps they took: (1) added a removable media policy to the employee handbook, (2) issued 10 company-managed encrypted USB sticks (asset-tagged), (3) used Intune to block all non-managed USB devices and required BitLocker To Go on approved sticks, (4) configured DLP to block outbound transfers from the CUI project folder, and (5) documented all exceptions and trained staff in a 30-minute session. After implementation they were able to produce the SSP, policy, device register, DLP alerts, and training records for their CMMC Level 2 assessment.
Risk of not implementing this control
Without these controls you face high risk of data exfiltration, malware introduction, loss of CUI, contract penalties or loss of DoD work, regulatory fines, and reputational damage. Removable media is one of the simplest vectors for unauthorized copying — attackers and negligent insiders can bypass network defenses by plugging in an inexpensive USB stick. Failure to provide documented policies, technical enforcement, and audit evidence will result in nonconformities for the Compliance Framework and likely a failed assessment.
Summary: implement a defensible combination of policy, technical enforcement (block/allowlist, encryption, DLP), operational practices (inventory, training, exceptions), and logging to meet AC.L2-3.1.21. Begin by scoping systems that process CUI, update your SSP, deploy targeted OS and MDM/GPO settings, and collect audit evidence — these steps produce both effective risk reduction and the documentation auditors expect.