Portable Storage Definition: A data storage device that can be added or removed from a system and that has a small form factor making it easy to transport and lose.

Removable Media Definition: a portable data storage device that can be added or removed from a computing device.

Portable Storage and Removable Media Example: Flash/Thumb Drive, SD cards, eSATA, CD, DVD, Blu-ray, external HDD, external SSD.

AC.2.006: Limit use of portable storage devices on external systems. (Requirement Explanation)

MP.3.123: Prohibit the use of portable storage devices when such devices have no identifiable owner. (Requirement Explanation)

MP.2.121: Control the use of removable media on system components. (Requirement Explanation)

MP.3.125: Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards. (Requirement Explanation)

AC.2.006: In your acceptable use policy, state that the company provided portable/removable media devices may not be used on external systems. External systems are systems not controlled by your company such as personal computers, computers at hotels, and other such systems.

MP.3.123: Only provide authorized persons who have a business need with removable/portable media devices. Document the make, model, and the serial number of the device along with the name of the person who was provided the device.

MP.2.121: Either completely prohibit the use of portable storage devices on your systems or implement a portable storage device whitelist. You can accomplish this using group policy or another tool with similar functionality.

MP.3.125: Encrypt portable/removable media containing controlled unclassified information (CUI). As a best practice, you should encrypt all portable/removable media even if it doesn’t contain CUI unless there is a compelling business reason not to.