CMMC Portable/Removable Storage Security Requirements
What are the cybersecurity maturity model certification (CMMC) requirements for portable storage devices? How should you control USB thumb drives, removable drives, and SD cards to meet your CMMC or NIST SP 800-171 requirements?
Join our newsletter:
What is Portable Storage and Removable Media?
Portable Storage Definition: A data storage device that can be added or removed from a system and that has a small form factor making it easy to transport and lose.
Removable Media Definition: a portable data storage device that can be added or removed from a computing device.
Portable Storage and Removable Media Example: Flash/Thumb Drive, SD cards, eSATA, CD, DVD, Blu-ray, external HDD, external SSD.
CMMC Portable Storage Control Requirements
AC.2.006: Limit use of portable storage devices on external systems. (Requirement Explanation)
MP.3.123: Prohibit the use of portable storage devices when such devices have no identifiable owner. (Requirement Explanation)
MP.2.121: Control the use of removable media on system components. (Requirement Explanation)
MP.3.125: Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards. (Requirement Explanation)
CMMC Removable/Portable Storage Requirements Summary:
AC.2.006: In your acceptable use policy, state that the company provided portable/removable media devices may not be used on external systems. External systems are systems not controlled by your company such as personal computers, computers at hotels, and other such systems.
MP.3.123: Only provide authorized persons who have a business need with removable/portable media devices. Document the make, model, and the serial number of the device along with the name of the person who was provided the device.
MP.2.121: Either completely prohibit the use of portable storage devices on your systems or implement a portable storage device whitelist. You can accomplish this using group policy or another tool with similar functionality.
MP.3.125: Encrypt portable/removable media containing controlled unclassified information (CUI). As a best practice, you should encrypt all portable/removable media even if it doesn’t contain CUI unless there is a compelling business reason not to.
Quick & Simple
Discover Our Cybersecurity Compliance Solutions:
Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you
NIST SP 800-171 & CMMC Compliance
Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC requirements.
HIPAA Compliance
Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
FAR 52.204-21 Compliance
Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.
ISO 27001 Compliance
Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.