CMMC Practice AC.L2-3.1.21

Portable Storage Use: Limit use of portable storage devices on external systems.

Monarch ISC Guidance

The good news is you do not need to completely ban the use of portable storage devices, as some frameworks do, but you do need to "limit" their use. First, you should add language to your acceptable use agreement which all users must sign defining when, where, and how portable storage devices may be used. Second, and trickier, is to technically prohibit portable storage devices where they are not permitted. There are software solutions available, often part of a device management solution which also manages updates, malware protection, and other controls. You may also want to consider obtaining pre-approved devices, such as encrypted USB drives.

Discussion From Source

NIST SP 800-171 R2 Limits on the use of organization-controlled portable storage devices in external systems include complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used. Note that while “external” typically refers to outside of the organization’s direct supervision and authority that is not always the case. Regarding the protection of CUI across an organization, the organization may have systems that process CUI and others that do not. Among the systems that process CUI there are likely access restrictions for CUI that apply between systems. Therefore, from the perspective of a given system, other systems within the organization may be considered “external" to that system.

References