Limit use of portable storage devices on external systems
What This Means
This practice requires organizations to control and restrict the use of portable storage devices (like USB drives, external hard drives, or SD cards) on systems that are not directly managed by the organization. The goal is to prevent unauthorized access to sensitive data and reduce the risk of malware infections. Essentially, if an employee uses a portable storage device on an external system (like a personal laptop or a public computer), the organization must ensure that sensitive data isn't exposed or compromised. For example, an employee might use a USB drive to transfer files from a work computer to a home computer, but this practice ensures that only approved devices and systems are used for such transfers. Another example is preventing the use of unknown USB drives found in public places, which could contain malware.
Why It Matters
Portable storage devices are a common vector for malware and data breaches. When used on external systems, they can easily introduce malicious software into your network or expose sensitive data to unauthorized users. A real-world example is the 2008 breach of the U.S. military's CENTCOM network, where malware was introduced via a USB drive. The potential impact of such breaches includes significant financial losses, reputational damage, and legal penalties. From the DoD/CMMC perspective, this control is critical because it protects Controlled Unclassified Information (CUI) from being exposed or compromised by unauthorized systems or devices.
How to Implement
- Configure cloud storage solutions (e.g., OneDrive, Google Drive) to restrict downloads to approved devices only.
- Implement Conditional Access Policies in Azure AD to block access from unauthorized devices.
- Use Data Loss Prevention (DLP) policies in Microsoft 365 to prevent sensitive data from being copied to portable storage devices.
- Enable encryption for any data stored on cloud-connected devices.
- Regularly audit and monitor cloud storage access logs for unusual activity.
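The last step above (auditing access logs for unusual activity) and self-assessment Question 5 (monitoring portable storage usage) are easier to reason about with a concrete check in hand. The following is an added example, not code from the original guidance or from any vendor product: a small Python audit that evaluates removable-storage connection events against an approved-device inventory and a managed-host list. The log format, serial numbers, host names, user names and the `APPROVED_DEVICES`/`MANAGED_HOSTS` inventories are all constructed for illustration; the fields are only loosely modelled on those Windows writes in Security event 6416 ("A new external device was recognized by the system") and do not reproduce that event's schema.

```python
"""Audit removable-storage events against an approved-device inventory.

Added example (not part of the original guidance). All identifiers, log
lines and inventories below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical inventory of approved devices, keyed by serial number.
# "encrypted" records whether the device has been encrypted (e.g. BitLocker To Go).
APPROVED_DEVICES: Dict[str, Dict[str, object]] = {
    "SN-00A1": {"owner": "jdoe", "encrypted": True},
    "SN-00B2": {"owner": "asmith", "encrypted": False},  # approved but not yet encrypted
}

# Hypothetical set of organization-managed hosts (the CUI boundary).
# Anything else is treated as an "external system" for this practice.
MANAGED_HOSTS = {"WS-001", "WS-002", "LAPTOP-017"}


@dataclass
class UsbEvent:
    host: str
    user: str
    device_class: str  # e.g. "DiskDrive", "Keyboard"
    serial: str


def parse_event(line: str) -> UsbEvent:
    """Parse one constructed 'key=value' log line into a UsbEvent."""
    fields = dict(part.split("=", 1) for part in line.split())
    return UsbEvent(fields["host"], fields["user"], fields["class"], fields["serial"])


def evaluate(event: UsbEvent) -> List[str]:
    """Return the policy findings for one event (an empty list means compliant)."""
    findings: List[str] = []
    if event.device_class != "DiskDrive":
        return findings  # keyboards, mice etc. are out of scope for this practice
    if event.host not in MANAGED_HOSTS:
        findings.append(f"{event.serial}: storage device used on unmanaged host {event.host}")
    record = APPROVED_DEVICES.get(event.serial)
    if record is None:
        findings.append(f"{event.serial}: device not on approved list (user {event.user})")
        return findings
    if record["owner"] != event.user:
        findings.append(f"{event.serial}: used by {event.user}, assigned to {record['owner']}")
    if not record["encrypted"]:
        findings.append(f"{event.serial}: approved device is not encrypted")
    return findings


def audit(lines) -> List[str]:
    """Run evaluate() over every non-empty log line and collect all findings."""
    findings: List[str] = []
    for line in lines:
        if line.strip():
            findings.extend(evaluate(parse_event(line)))
    return findings


# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
host=WS-001 user=jdoe class=DiskDrive serial=SN-00A1
host=WS-002 user=asmith class=DiskDrive serial=SN-00B2
host=WS-001 user=jdoe class=Keyboard serial=KB-0001
host=HOME-PC user=jdoe class=DiskDrive serial=SN-00A1
host=WS-002 user=mlee class=DiskDrive serial=SN-ZZZ9
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run against the constructed sample, the audit reports three findings: the approved-but-unencrypted device on WS-002, the approved device connected to the unmanaged host HOME-PC, and the unknown device on WS-002. Each finding maps to one of the Common Mistakes listed later on this page, which makes the output usable as evidence of regular log review.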
Evidence Examples
- Policy Document
- Group Policy Configuration Screenshot
- Endpoint Security Logs
- Employee Training Records
- DLP Policy Configuration
SSP Guidance
Use this guidance when writing the System Security Plan (SSP) narrative for this control.
How to Write the SSP Narrative
For AC.L2-3.1.21 ("Limit use of portable storage devices on external systems"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe how access to CUI systems is controlled, including the specific IAM tools, policies, and processes used. Reference your Access Control Policy and identify the systems in scope. Be specific -- name your actual products, settings, and responsible personnel.
Example SSP Narratives
"AC.L2-3.1.21 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to limit use of portable storage devices on external systems. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."
"AC.L2-3.1.21 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to limit use of portable storage devices on external systems. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."
"AC.L2-3.1.21 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."
System Boundary Considerations
- Identify all access points to CUI systems (VPN, direct network, cloud portals)
- Document which IAM system manages access (Azure AD, AWS IAM, on-prem AD)
- Map user roles to system access levels
- Ensure this control covers all systems within your defined CUI boundary where this practice (limiting use of portable storage devices on external systems) applies
- Document any systems where this control is not applicable and explain why
Key Documentation to Reference in SSP
- Access Control Policy
- IAM configuration documentation
- Access request and approval records
- Evidence artifacts specific to AC.L2-3.1.21
- POA&M entry if control is not fully implemented
What the Assessor Looks For
The assessor will verify that access controls are implemented as described, test whether unauthorized users are blocked, and review access logs for evidence of enforcement.
Self-Assessment Questions
Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.
Question 1: Do you have a documented policy restricting portable storage device usage?
Question 2: Are USB ports disabled on all workstations?
Question 3: Do you use endpoint protection software to block unauthorized USB devices?
Question 4: Are employees trained on portable storage device policies?
Question 5: Do you monitor and audit portable storage device usage?
Common Mistakes (What Auditors Flag)
1. USB ports not disabled on all workstations.
2. No employee training on portable storage device policies.
3. DLP policies not configured.
4. Monitoring logs not reviewed regularly.
5. Approved portable devices not encrypted.
Parent Policy
This practice is governed by the Access Control Policy.