NetStable
Level 2 MP.L2-3.8.7

Control the use of removable media on system components

📖 What This Means

This practice requires organizations to limit and monitor the use of removable media (like USB drives, external hard drives, or CDs) on systems that handle Controlled Unclassified Information (CUI). It means you need to have policies and technical controls in place to prevent unauthorized copying or transfer of CUI via these devices. For example, you might disable USB ports on workstations or require encryption for all removable media. A real-world example would be a defense contractor that only allows pre-approved encrypted USB drives for transferring CUI between secure systems, with each use logged. Another example is disabling DVD burners on engineering workstations that handle sensitive design files.

🎯 Why It Matters

Uncontrolled removable media poses significant data exfiltration risks. The 2020 DoD Cyber Exchange reported that 15% of data breaches involved removable media. A well-known case is the 2008 Pentagon breach where malware spread via USB drives, costing $500M+ in remediation. For defense contractors, a single unencrypted USB with CUI could lead to contract termination, fines up to $1M, and loss of security clearance eligibility. The DoD specifically calls out removable media controls in DFARS 252.204-7012 as a critical safeguard against insider threats and accidental data loss.

How to Implement

  1. Configure Azure Conditional Access or AWS IAM policies to block cloud data transfers to removable media
  2. Implement Microsoft Defender for Endpoint or AWS Macie to detect and alert on unauthorized media use
  3. Deploy Intune or Workspace ONE to enforce device control policies on cloud-managed endpoints
  4. Use Azure Information Protection or AWS Key Management Service to enforce encryption requirements
  5. Enable logging in CloudTrail/Azure Monitor for media-related events

⏱️ Estimated Effort

Implementation typically takes 2-3 weeks for small teams (40-60 hours). Basic technical controls can be implemented by sysadmins, while policy development requires security/compliance expertise. Ongoing maintenance is 2-4 hours monthly for monitoring and exception handling.

📋 Evidence Examples

Removable Media Policy

Format: PDF/DOCX
Frequency: Annual review
Contents: Approval process, encryption requirements, prohibited devices, logging requirements
Collection: Export from document management system

Group Policy Settings Screenshot

Format: PNG/PDF
Frequency: After each change
Contents: Show disabled USB storage settings
Collection: gpresult /h output or screenshot

Media Usage Logs

Format: CSV/EVTX
Frequency: Monthly
Contents: Date, user, device ID, files accessed
Collection: Export from SIEM or endpoint protection tool

Encrypted Media Inventory

Format: XLSX
Frequency: Quarterly
Contents: Serial numbers, assigned users, last audit date
Collection: Export from asset management system

Employee Training Records

Format: PDF/CSV
Frequency: Annual
Contents: Completed removable media security training
Collection: LMS export
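The Media Usage Logs and Encrypted Media Inventory artifacts above are most useful when reconciled against each other: every device serial that appears in the usage log should exist in the inventory, be encrypted, and be used by its assigned user. The following PowerShell script is an added example, not code from the NetStable page or any vendor; both CSV data sets are constructed samples, and the column names are assumptions chosen to match the "Contents" lines above (replace the here-strings with Import-Csv of the real SIEM and asset-management exports).

```powershell
# Added example: reconcile exported media usage logs against the encrypted media inventory.
# Both data sets are CONSTRUCTED samples; column names are assumptions matching the
# evidence descriptions (Date, user, device ID, files accessed / serial, assigned user, audit date).

$inventoryCsv = @'
SerialNumber,AssignedUser,Encrypted,LastAuditDate
USB-SN-0001,alice,Yes,2024-03-01
USB-SN-0002,bob,Yes,2024-03-01
USB-SN-0003,carol,No,2023-11-15
'@

$usageCsv = @'
Date,User,DeviceId,FilesAccessed
2024-04-02T09:14:00,alice,USB-SN-0001,3
2024-04-02T10:02:00,bob,USB-SN-0002,1
2024-04-03T14:30:00,dave,USB-SN-0002,7
2024-04-03T16:45:00,erin,USB-SN-9999,12
2024-04-04T08:05:00,carol,USB-SN-0003,2
'@

$inventory = $inventoryCsv | ConvertFrom-Csv
$usage     = $usageCsv     | ConvertFrom-Csv

function Get-MediaUsageFindings {
    # Emits one finding object per usage record that violates the inventory rules.
    param($Inventory, $Usage)

    # Index the inventory by serial number for O(1) lookups.
    $bySerial = @{}
    foreach ($item in $Inventory) { $bySerial[$item.SerialNumber] = $item }

    foreach ($entry in $Usage) {
        $item = $bySerial[$entry.DeviceId]
        $finding = $null
        if (-not $item) {
            $finding = 'Device not in approved inventory'
        } elseif ($item.Encrypted -ne 'Yes') {
            $finding = 'Approved device is not encrypted'
        } elseif ($item.AssignedUser -ne $entry.User) {
            $finding = "Device assigned to $($item.AssignedUser), used by $($entry.User)"
        }
        if ($finding) {
            [pscustomobject]@{
                Date     = $entry.Date
                User     = $entry.User
                DeviceId = $entry.DeviceId
                Finding  = $finding
            }
        }
    }
}

# With the sample data this reports three findings: dave using bob's drive,
# erin using a drive that is not in the inventory, and carol using an unencrypted drive.
Get-MediaUsageFindings -Inventory $inventory -Usage $usage | Format-Table -AutoSize
```

Running this monthly against the real exports turns the two artifacts into a review record: the findings list is what the monthly log review (Evidence: Media Usage Logs, Frequency: Monthly) should document, and an empty list is positive evidence that inventory and usage agree.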

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For MP.L2-3.8.7 ("Control the use of removable media on system components"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe how CUI on media is protected throughout its lifecycle, including encryption, access controls, marking, transport procedures, sanitization methods, and accountability tracking. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"MP.L2-3.8.7 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to control the use of removable media on system components. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"MP.L2-3.8.7 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to control the use of removable media on system components. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"MP.L2-3.8.7 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all removable media types within the CUI boundary
  • Document media storage locations (on-site, off-site)
  • Specify media sanitization and destruction methods
  • Ensure this control covers all systems within your defined CUI boundary where controlling the use of removable media on system components applies
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Media Protection Policy
  • 📄 Media inventory database
  • 📄 Certificates of destruction
  • 📄 Transport chain-of-custody records
  • 📄 Evidence artifacts specific to MP.L2-3.8.7
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will check for CUI markings on media, verify encryption is enabled, review the media inventory for completeness, and examine destruction certificates.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you have a written policy governing removable media use with CUI?

✅ YES → Proceed to Q2
❌ NO → GAP: Develop policy using NIST SP 800-171 template. Timeline: 2 weeks.
Remediation:
Template available at: https://csrc.nist.gov/Projects/protecting-cui

Question 2: Are technical controls in place to block unauthorized removable media?

✅ YES → Proceed to Q3
❌ NO → GAP: Implement Group Policy or endpoint protection controls. Timeline: 1 week.
Remediation:
Guide: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/controlling-usb-devices-using-microsoft-defender-for-endpoint/ba-p/1883353

Question 3: Is all approved removable media encrypted?

✅ YES → Proceed to Q4
❌ NO → GAP: Deploy BitLocker To Go or purchase FIPS 140-2 validated drives. Timeline: 3 weeks.
Remediation:
FIPS validated drives list: https://csrc.nist.gov/projects/cryptographic-module-validation-program

Question 4: Are media insertion events logged and reviewed?

✅ YES → Proceed to Q5
❌ NO → GAP: Configure Windows Event Log forwarding or SIEM integration. Timeline: 2 weeks.
Remediation:
Event ID 6416 for USB blocking events
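Questions 2 and 4 can both be checked from a host with a single script. The following PowerShell is an added example, not code from the NetStable page or from Microsoft: it reads the registry values that the Group Policy "Removable Storage Access" settings write (Deny_All for all removable storage classes, and Deny_Read/Deny_Write/Deny_Execute under the Removable Disks device setup class GUID), then exports the last 30 days of Security log Event ID 6416 records to CSV as evidence. Event 6416 is "A new external device was recognized by the system" and is written only when the Audit PNP Activity subcategory is enabled, so an empty export can mean auditing is off rather than no devices were attached; the output path is an assumption, and the script must run elevated to read the Security log.

```powershell
# Added example: verify the removable-storage deny policy (Q2) and export
# external-device events (Q4). Run from an elevated PowerShell session.
# Assumes "Audit PNP Activity" is enabled so Event ID 6416 exists in the Security log.

# Registry location written by the "Removable Storage Access" Group Policy settings.
$policyRoot         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$removableDiskClass = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'   # Removable Disks device setup class

function Get-RemovableStoragePolicyState {
    # Returns the enforced deny values; a null field means the setting is not configured.
    $allClasses = Get-ItemProperty -Path $policyRoot -ErrorAction SilentlyContinue
    $diskClass  = Get-ItemProperty -Path (Join-Path $policyRoot $removableDiskClass) -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DenyAllRemovableStorage  = $allClasses.Deny_All
        RemovableDiskDenyRead    = $diskClass.Deny_Read
        RemovableDiskDenyWrite   = $diskClass.Deny_Write
        RemovableDiskDenyExecute = $diskClass.Deny_Execute
    }
}

function Get-ExternalDeviceEvents {
    # Parses Event ID 6416 records into flat objects suitable for CSV export.
    param([int]$Days = 30)
    $filter = @{ LogName = 'Security'; Id = 6416; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the EventData fields by name from the event XML rather than by position.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Computer    = $_.MachineName
            User        = $data['SubjectUserName']
            DeviceId    = $data['DeviceId']
            Description = $data['DeviceDescription']
            ClassName   = $data['ClassName']
        }
    }
}

# Q2: is a deny policy actually applied on this host?
$state = Get-RemovableStoragePolicyState
$state | Format-List
if ($state.DenyAllRemovableStorage -ne 1 -and $state.RemovableDiskDenyWrite -ne 1) {
    Write-Warning 'No removable storage deny policy is applied on this host (Q2 gap).'
}

# Q4: export 30 days of external-device recognitions as a CSV evidence artifact.
$events = @(Get-ExternalDeviceEvents -Days 30)
$outFile = Join-Path $env:TEMP 'removable-media-events.csv'   # assumed output location
$events | Export-Csv -Path $outFile -NoTypeInformation
"Collected $($events.Count) Event ID 6416 records into $outFile"
```

Because 6416 fires for every Plug and Play class, grouping the export by ClassName (for example DiskDrive versus USB or HIDClass) separates storage attachments from keyboards and mice before the monthly review; the per-file access detail the Media Usage Logs artifact calls for comes from the Audit Removable Storage subcategory (Event ID 4656), which this script does not collect.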

Question 5: Do employees receive annual training on media policies?

✅ YES → COMPLIANT
❌ NO → GAP: Add module to security awareness training. Timeline: Next quarterly training cycle.
Remediation:
CMMC L2 training requirements: https://www.acq.osd.mil/cmmc/dod-cyber-training.html

⚠️ Common Mistakes (What Auditors Flag)

1. Allowing personal USB drives without oversight

Why this happens: Convenience over security mindset
How to avoid: Issue organizationally-managed encrypted drives and disable general USB storage

2. Missing logs of media usage

Why this happens: Not configuring event logging
How to avoid: Enable Windows Event Log auditing for removable storage (IDs 6416, 4656)

3. Inconsistent enforcement across devices

Why this happens: Lack of centralized management
How to avoid: Use MDM/endpoint management tools to enforce uniform policies

4. No process for media sanitization

Why this happens: Focus only on access control
How to avoid: Include media sanitization procedures in policy (NIST SP 800-88 guidelines)

5. Failing to test controls

Why this happens: Assuming policies work as intended
How to avoid: Quarterly tests: attempt unauthorized media use and verify blocking

📚 Parent Policy

This practice is governed by the Media Protection Policy

View MP Policy →

📚 Related Controls