What are the Cybersecurity Maturity Model Certification (CMMC) requirements for portable storage devices? How should you control USB thumb drives, removable drives, and SD cards to meet your CMMC or NIST SP 800-171 requirements?
MP.3.125: Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
AC.2.006: In your acceptable use policy, state that company-provided portable/removable media devices may not be used on external systems. External systems are systems not controlled by your company, such as personal computers, computers at hotels, and other such systems.
MP.3.123: Only provide removable/portable media devices to authorized persons who have a business need. Document the make, model, and serial number of each device along with the name of the person who was provided the device.
MP.2.121: Either completely prohibit the use of portable storage devices on your systems or implement a portable storage device whitelist. You can accomplish this using Group Policy or another tool with similar functionality.
MP.3.125: Encrypt portable/removable media containing controlled unclassified information (CUI). As a best practice, you should encrypt all portable/removable media, even if it doesn’t contain CUI, unless there is a compelling business reason not to.
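One way to check the MP.3.123 inventory and the MP.2.121 whitelist against each other is to reconcile the USB storage devices your endpoints have seen with the list of issued devices. The Python below is an added example, not part of the original page; the inventory rows and device IDs are constructed, and the `USBSTOR\...` strings follow the device instance ID layout Windows uses for USB mass-storage devices.

```python
import csv
import io
import re

# Constructed MP.3.123 inventory (make, model, serial, assignee); not real devices.
INVENTORY_CSV = """make,model,serial,assigned_to
SanDisk,Ultra,4C530001230815117094,J. Chen
Kingston,DataTraveler 3.0,50E549C6930AB1A0,A. Rivera
"""

# Constructed Windows USBSTOR device instance IDs, as collected from endpoints.
OBSERVED = [
    r"USBSTOR\Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00\4C530001230815117094&0",
    r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2A1B3C4D&0",
    r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0019E06B9C85F9A0&0",
]

ID_RE = re.compile(
    r"^USBSTOR\\Disk&Ven_(?P<make>[^&]*)&Prod_(?P<model>[^&]*)&Rev_[^\\]*\\(?P<inst>.+)$", re.I)

def norm(s):  # USBSTOR IDs replace spaces with '_', so compare loosely
    return s.replace("_", " ").strip().lower()

def parse_instance_id(instance_id):
    m = ID_RE.match(instance_id)
    if not m:
        raise ValueError(f"not a USBSTOR disk instance ID: {instance_id!r}")
    inst = m["inst"]
    # Second char '&' means a Windows-generated ID: no unique serial to whitelist.
    serial = None if inst[1:2] == "&" else inst.rsplit("&", 1)[0].upper()
    return {"make": norm(m["make"]), "model": norm(m["model"]), "serial": serial}

def audit(observed, inventory_csv):
    """Return (status, serial, assigned_to) for each observed device."""
    inventory = {r["serial"].upper(): r for r in csv.DictReader(io.StringIO(inventory_csv))}
    results = []
    for iid in observed:
        dev = parse_instance_id(iid)
        rec = inventory.get(dev["serial"])
        if dev["serial"] is None:
            status = "NO_UNIQUE_SERIAL"
        elif rec is None:
            status = "NOT_IN_INVENTORY"
        elif (norm(rec["make"]), norm(rec["model"])) != (dev["make"], dev["model"]):
            status = "MAKE_MODEL_MISMATCH"
        else:
            status = "AUTHORIZED"
        results.append((status, dev["serial"], rec and rec["assigned_to"]))
    return results
```

Devices flagged `NO_UNIQUE_SERIAL` cannot be tied to a single inventory entry, which is a reason to issue only models that report a hardware serial number.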