NIST SP 800-171 & CMMC 2.0 3.8.8 Requirement:

Prohibit the use of portable storage devices when such devices have no identifiable owner.

NIST SP 800-171 & CMMC 2.0 3.8.8 Requirement Explanation:

Portable storage devices, especially non-company-owned devices can pose a security risk when used on your systems. They can carry malware and are easy to transport into your facilities. This is why they need to be prohibited from being used on your systems. Using technical controls you can ensure that only your company-owned storage devices are used on your system.

Example NIST SP 800-171 & CMMC 2.0 3.8.8 Implementation:

Document the serial numbers of the USB thumb drives and other portable storage devices used in your organization. When you provide one to an employee, document which device you gave them. As a result, all of your authorized devices will have an identifiable owner. Prohibit the use of any non-company provided storage devices on your systems. Using technical controls you can ensure that only your company-owned storage devices work on your systems. Enterprise anti-virus software often has the capability to allow only whitelisted storage devices on your systems. Using group policy is also an option for Windows computers.

NIST SP 800-171 & CMMC 2.0 3.8.8 Scenario(s):

- Scenario 1:

An employee found a USB thumb drive in the parking lot and attempted to plug it into their computer. Because the device isn't company-owned and hasn't been white listed it doesn't work on your systems.
 

Quick & Simple

Discover Our Cybersecurity Compliance Solutions:

Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you

 NIST SP 800-171 & CMMC Compliance App

NIST SP 800-171 & CMMC Compliance

Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC requirements.
 HIPAA Compliance App

HIPAA Compliance

Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
 FAR 52.204-21 Compliance App

FAR 52.204-21 Compliance

Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.
 ISO 27001 Compliance App

ISO 27001 Compliance

Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.