Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - MP.L2-3.8.8 – Prohibit the use of portable storage devices when such devices have no identifiable owner.
Understanding the Requirement
This control requires that portable storage devices (USB thumb drives, external hard drives, SD cards, etc.) not be used on company systems unless they have a clearly identifiable, authorized owner. The objective is to eliminate untracked, potentially malicious media from entering and moving within your environment. For organizations aligning to NIST SP 800-171 REV.2 / CMMC 2.0 Level 2, the emphasis is on both policy and technical enforcement so only company-issued and inventoried devices are usable on corporate endpoints.
Technical Implementation
- Inventory and labeling: Maintain a central inventory (spreadsheet or asset system) that records make, model, serial number, and assigned owner for every company-issued portable storage device. Physically label devices with an asset tag and owner name or ID to make ownership obvious.
- Policy and training: Publish a clear removable media policy that prohibits use of any portable storage device that is not company-issued and recorded in the inventory. Train employees to never connect found or personal devices, and to report discovered media to IT or security immediately.
- Endpoint controls / whitelisting: Deploy endpoint security (EDR/AV or specialized device-control software) that enforces a whitelist of allowed USB device IDs or serial numbers. Configure the control to block mass-storage-class devices that are not on the approved list.
- Operating-system restrictions: Use Group Policy (Windows) or MDM (macOS, Linux endpoints where supported) to restrict USB mass storage driver installation and to allow only those devices that match permitted hardware identifiers. Combine driver-blocking with a user prompt and admin approval flow for exceptions.
- Encryption and secure provisioning: Issue only encrypted, company-provisioned devices (hardware-encrypted drives or drives provisioned with company keys). Record the provisioning steps and link the device's cryptographic identity to the inventory entry and owner.
- Monitoring and incident handling: Log all removable-media attach/detach events and alert on attempts to use an unregistered device. Define an incident workflow for discovered or blocked devices (quarantine, malware scan, owner verification, and disposal if necessary).
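The whitelisting and monitoring items above come together in a small checker like the following. This is an added example written for this page, not code from any device-control product or from the organization described here. It loads the inventory in the spreadsheet layout described above (make, model, serial, owner), parses constructed attach/detach log lines, extracts the serial number from a Windows USBSTOR-style device instance ID, and raises an alert for any attach event whose device is not in the inventory or reports no serial at all. The log line framing, host names, user names and serials are all constructed; as a stricter check than the control itself requires, it also flags a registered device used by an account other than its recorded owner.

```python
"""Match removable-media attach events against the inventory of
company-issued devices and alert on devices with no identifiable owner."""
import csv
import io
import re
from dataclasses import dataclass

# Constructed inventory (not real devices) in the layout described above.
INVENTORY_CSV = """serial,make,model,owner
0123456789ABCDEF,Kingston,DataTraveler 3.0,jdoe
A1B2C3D4E5F6,SanDisk,Ultra Fit,asmith
"""

# Constructed attach/detach events. The device value follows the Windows
# USBSTOR instance-ID layout (vendor/product/revision, then "<serial>&0");
# the surrounding key=value framing is an assumed agent log format.
EVENT_LOG = r"""2024-05-02T09:14:03Z host=WS-017 user=jdoe action=attach device=USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0123456789ABCDEF&0
2024-05-02T11:40:51Z host=WS-022 user=bwong action=attach device=USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\FFEEDDCCBBAA&0
2024-05-02T11:41:10Z host=WS-022 user=bwong action=detach device=USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\FFEEDDCCBBAA&0
2024-05-02T13:02:27Z host=WS-004 user=asmith action=attach device=USBSTOR\Disk&Ven_SanDisk&Prod_Ultra_Fit&Rev_1.00\A1B2C3D4E5F6&0
2024-05-02T14:10:05Z host=WS-009 user=cperez action=attach device=USBSTOR\Disk&Ven_NoName&Prod_Mini&Rev_0001\7&2A3B4C5D&0
2024-05-02T15:30:00Z host=WS-004 user=tmiller action=attach device=USBSTOR\Disk&Ven_SanDisk&Prod_Ultra_Fit&Rev_1.00\A1B2C3D4E5F6&0
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>attach|detach) device=(?P<device>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    user: str
    serial: str
    reason: str


def load_inventory(csv_text: str) -> dict[str, str]:
    """Return {SERIAL: owner} from the inventory CSV (serials normalized to upper case)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["serial"].strip().upper(): row["owner"].strip() for row in reader}


def serial_from_device_path(device: str) -> str:
    """Extract the serial from 'USBSTOR\\...\\<serial>&<instance>'.

    The last path component is '<serial>&0'. When a device reports no serial,
    Windows substitutes a generated ID that itself contains '&', so the
    returned value still containing '&' means 'no real serial'.
    """
    instance = device.rsplit("\\", 1)[-1]
    serial, sep, _index = instance.rpartition("&")
    if not sep:  # no '&' at all: treat the whole component as the serial
        serial = instance
    return serial.upper()


def check_events(log_text: str, inventory: dict[str, str]) -> list[Alert]:
    """Return one Alert per attach event that cannot be tied to a known owner."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        match = EVENT_RE.match(line)
        if match is None:
            # A malformed line must not be silently dropped from the audit trail.
            alerts.append(Alert("-", "-", "-", "", f"unparseable event line: {line[:60]}"))
            continue
        if match["action"] != "attach":
            continue  # only attach attempts need owner verification
        serial = serial_from_device_path(match["device"])
        if "&" in serial:
            reason = "device reported no serial number; cannot be matched to an owner"
        elif serial not in inventory:
            reason = "serial not in company inventory; no identifiable owner"
        elif inventory[serial] != match["user"]:
            reason = f"device issued to {inventory[serial]} used by a different account"
        else:
            continue  # company-issued device used by its recorded owner
        alerts.append(Alert(match["ts"], match["host"], match["user"], serial, reason))
    return alerts


if __name__ == "__main__":
    for alert in check_events(EVENT_LOG, load_inventory(INVENTORY_CSV)):
        print(f"{alert.timestamp} {alert.host} user={alert.user} serial={alert.serial or '?'}: {alert.reason}")
```

Run against the constructed log it reports three alerts: the parking-lot-style unregistered drive on WS-022, the WS-009 device that reported no serial, and the SanDisk drive issued to asmith being used by tmiller. Each alert carries the host, account and serial needed to start the incident workflow described above (quarantine, scan, owner verification).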
Example in a Small or Medium Business
Acme Tech, a 60-person engineering firm, maintains a simple asset registry in a shared database where each issued USB drive and external SSD is recorded with serial number, provisioning date, and the employee to whom it was issued. IT physically labels devices with an asset tag and records the label in the database at handoff. The company policy forbids plugging in any non-company device; staff receive short annual training and a one-page quick reference describing the rule and the reporting process. On Windows workstations, Group Policy blocks unapproved USB storage drivers and an endpoint agent enforces a whitelist of device serial numbers. One day an engineer finds a thumb drive in the parking lot and attempts to use it; the endpoint agent blocks access, logs the event, and notifies the security mailbox. IT follows the response playbook: the device is quarantined, scanned in an isolated VM, and then securely destroyed because the owner could not be identified. Quarterly audits cross-check physical tags against the registry, and missing or returned devices are tracked until ownership is updated or the device is officially retired.
Summary
Combining a clear policy that forbids unknown portable media with an up-to-date inventory, physical tagging, and technical enforcement (whitelisting, OS restrictions, and monitoring) lets SMBs meet MP.L2-3.8.8. Policy defines expectations and reporting paths; technical controls prevent unauthorized devices from functioning and create forensic logs when blocks occur. Regular audits, training, and an incident workflow close the loop so only company-owned, identifiable storage devices are used on your systems, reducing the risk of malware introduction and data loss.