Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AC.L2-3.1.21 – Limit use of portable storage devices on external systems.
Understanding the Requirement
This control requires the organization to identify and document how portable storage devices containing Controlled Unclassified Information (CUI) may be used on external systems, define the limits of that use, and enforce those limits. An external system is any system the organization does not own, operate or control (a client's, partner's or employee's personal computer, for example). Portable storage devices include USB thumb drives, CDs, DVDs, external hard drives and floppy disks; because they are small, removable and easily transferred, they are an easy path for CUI to leave the managed environment, so the organization must both record where and how these devices may be used and restrict or prohibit their use on systems outside its control. To meet NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 you should have a documented set of approved exceptions and technical and procedural controls so CUI is not exposed through unmanaged endpoints.
Technical Implementation
- Formal policy and exception process: Publish a concise policy banning or restricting use of portable media on external systems and require documented, time-limited exceptions approved by a designated manager or security officer. Exceptions should require a business justification and a compensating controls checklist (e.g., encryption, supervision, secure transport).
- Block or restrict USB/mass-storage at the endpoint: Use endpoint management (Group Policy, MDM, or EDR) to disable USB mass-storage classes by default on company laptops and workstations. Where needed, implement allow-listing so only company-issued, inventory-tagged encrypted devices can be used.
- Require encryption and company-held recovery keys: Mandate encrypted drives for any approved removable storage, using FIPS 140-validated cryptography (3.13.11 requires FIPS-validated cryptography wherever it protects the confidentiality of CUI, so a product that merely advertises AES-256 is not by itself sufficient). Escrow recovery keys or passwords centrally so the company can recover data and revoke access, require PIN/password protection to unlock the drive, and prefer devices that support remote wipe or lock-out after failed unlock attempts where the product offers it.
- Provide secure alternatives to external-device use: Offer and enforce use of company-managed cloud storage or secured file-transfer services, VPN access, or a locked presentation laptop for off-site work. Train employees to use these alternatives rather than copying CUI to personal or client systems.
- Logging, monitoring and inventory: Maintain an inventory of issued portable media and log all mounts and file transfers where possible. Configure endpoint logging to record attach/detach events and file access; review alerts for unauthorized use and retain logs per policy for incident response.
- Training and workstation checks: Train employees on the policy, how to request exceptions, and secure handling of CUI. Include physical checks and periodic audits (e.g., before off-site meetings) to ensure only authorized, encrypted devices are used.
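The endpoint-blocking, allow-listing and logging steps above translate directly into Windows policy settings. The following is an added example, not part of the original page, of the local-policy equivalents an SMB administrator would apply (or, on domain-joined machines, push through a GPO, since these local keys are overwritten by domain policy). It assumes Windows 10/11 endpoints, an elevated PowerShell session, BitLocker To Go for company-issued drives, and a placeholder organization identification string (ACME-DESIGN-CUI) and issued-device list that you would replace with your own asset-register values.

```powershell
# Added example: local-policy equivalents of the Group Policy settings used to
# block or allow-list removable storage and to audit device attach events.
# Run elevated. Organization ID and issued-device list below are placeholders.
#Requires -RunAsAdministrator

$RemovableStorage = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$BitLockerPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$OrgId            = 'ACME-DESIGN-CUI'          # placeholder identification string
$IssuedDevices    = @('Disk&Ven_Kingston&Prod_DataTraveler_3.0')   # placeholder asset register entries

function Set-RemovableMediaPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Block', 'CompanyEncryptedOnly')]
        [string]$Mode
    )
    New-Item -Path $RemovableStorage -Force | Out-Null
    New-Item -Path $BitLockerPolicy  -Force | Out-Null

    switch ($Mode) {
        'Block' {
            # GPO "All Removable Storage classes: Deny all access": no read, write or
            # execute on any removable media. The default state for the fleet.
            Set-ItemProperty -Path $RemovableStorage -Name 'Deny_All' -Value 1 -Type DWord
        }
        'CompanyEncryptedOnly' {
            # Allow-list by encryption: lift the blanket deny, then permit writes only to
            # BitLocker To Go drives whose identification field matches our organization
            # (GPO "Deny write access to removable drives not protected by BitLocker" with
            # "Do not allow write access to devices configured in another organization").
            Remove-ItemProperty -Path $RemovableStorage -Name 'Deny_All' -ErrorAction SilentlyContinue
            Set-ItemProperty -Path $BitLockerPolicy -Name 'RDVDenyWriteAccess'        -Value 1      -Type DWord
            Set-ItemProperty -Path $BitLockerPolicy -Name 'RDVDenyCrossOrg'           -Value 1      -Type DWord
            Set-ItemProperty -Path $BitLockerPolicy -Name 'IdentificationField'       -Value 1      -Type DWord
            Set-ItemProperty -Path $BitLockerPolicy -Name 'IdentificationFieldString' -Value $OrgId -Type String
        }
    }
    # Audit "Plug and Play Events" so Security event 6416 records every attached device.
    auditpol.exe /set /subcategory:"Plug and Play Events" /success:enable | Out-Null
}

function Get-RemovableMediaActivity {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)

    # Event 6416: "A new external device was recognized by the system."
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6416; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    $attached = foreach ($e in $events) {
        $fields = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        if ($fields['DeviceId'] -like 'USBSTOR\*') {
            [pscustomobject]@{
                Time     = $e.TimeCreated
                User     = $fields['SubjectUserName']
                Device   = $fields['DeviceDescription']
                DeviceId = $fields['DeviceId']
                # Flag anything whose hardware ID is not in the issued-device register.
                Issued   = [bool]($IssuedDevices | Where-Object { $fields['DeviceId'] -like "USBSTOR\$_*" })
            }
        }
    }

    # Registry history of every USB storage device ever enumerated on this host;
    # survives Security log rotation and is the usual forensic starting point.
    $history = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR' -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty PSChildName

    [pscustomobject]@{
        RecentAttachments = $attached
        Unauthorized      = @($attached | Where-Object { -not $_.Issued })
        KnownDevices      = $history
    }
}

# Usage (placeholders; adjust to your environment):
# Set-RemovableMediaPolicy -Mode CompanyEncryptedOnly
# (Get-RemovableMediaActivity -Days 30).Unauthorized | Format-Table Time, User, DeviceId
```

Two practical points: the identification field is only stamped onto drives that are BitLocker-encrypted on a managed machine after the policy is in place, so company drives should be issued by running `manage-bde -on <drive letter>` on an IT workstation rather than letting users encrypt them; and the 6416 audit entries only exist from the moment PnP auditing is enabled, so the USBSTOR registry history is what tells you about devices attached before then.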
Example in a Small or Medium Business
Acme Design Co., an SMB that handles CUI for a government client, creates a portable-media policy that bans use of personal USB drives on client or third-party systems. The IT manager issues company-owned encrypted USB drives for limited use and logs each device, with its hardware ID, in an asset register. When a project lead needs to present at a client site with restricted network access, they submit a short exception request explaining the business need and duration; the security officer approves it and marks the assigned encrypted drive with a return date. Before departure, IT disables non-essential services on the laptop, confirms full-disk encryption is enforced, and records the expected file set to be copied. During the presentation the employee uses only the company-issued drive and returns it to IT the same day for a secure erase and integrity check. If the drive is lost, or endpoint logs show it or an unregistered device attached to a system outside the exception, the incident response plan is triggered: the drive's credentials are revoked where the product supports it, the recovery key is retired, and the event is investigated. Regular training reminds staff to use company-managed transfer methods where available and to follow the documented exception workflow for any off-site portable-media use.
Summary
Combining a clear, enforced policy with technical controls — endpoint blocking/allow-listing, company-managed encrypted media, alternatives to removable storage, logging, and an approvals process — lets SMBs meet the control's objectives: identify and document portable-media use, define acceptable limits, and enforce those limits so CUI is not exposed on external systems. Practical enforcement, routine audits and simple exception handling keep the process manageable for smaller teams while protecting sensitive information.