CMMC Portable/Removable Storage Security Requirements

What are the Cybersecurity Maturity Model Certification (CMMC) requirements for portable storage devices? How should you control USB thumb drives, removable drives, and SD cards to meet your CMMC or NIST SP 800-171 requirements?

What is Portable Storage and Removable Media?

Portable Storage Definition: A data storage device that can be added to or removed from a system and that has a small form factor, making it easy to transport and lose.
Removable Media Definition: A portable data storage device that can be added to or removed from a computing device.
Portable Storage and Removable Media Examples: Flash/thumb drive, SD cards, eSATA, CD, DVD, Blu-ray, external HDD, external SSD.

CMMC Portable Storage Control Requirements

AC.2.006: Limit use of portable storage devices on external systems. (Requirement Explanation)
MP.3.123: Prohibit the use of portable storage devices when such devices have no identifiable owner. (Requirement Explanation)
MP.2.121: Control the use of removable media on system components. (Requirement Explanation)
MP.3.125: Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards. (Requirement Explanation)

CMMC Removable/Portable Storage Requirements Summary:

AC.2.006: In your acceptable use policy, state that company-provided portable/removable media devices may not be used on external systems. External systems are systems not controlled by your company, such as personal computers and computers at hotels.
MP.3.123: Only provide authorized persons who have a business need with removable/portable media devices. Document the make, model, and the serial number of the device along with the name of the person who was provided the device.
MP.2.121: Either completely prohibit the use of portable storage devices on your systems or implement a portable storage device whitelist. You can accomplish this using Group Policy or another tool with similar functionality.
MP.3.125: Encrypt portable/removable media containing controlled unclassified information (CUI). As a best practice, you should encrypt all portable/removable media even if it doesn’t contain CUI unless there is a compelling business reason not to.
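
An audit check that ties together the device inventory from MP.3.123, the whitelist from MP.2.121, and the encryption requirement from MP.3.125, added here as an example and not taken from the original article. The function name `Test-PortableStorage`, the inventory columns, and every serial number and device ID are constructed for illustration; the script only reports findings and does not enforce the policy.

```powershell
# Constructed sample inventory (MP.3.123): make, model, serial number, named owner.
$inventoryCsv = @'
Make,Model,Serial,Owner,Encrypted
SanDisk,Ultra,4C530001230101112345,j.doe,True
Kingston,DataTraveler,50E549C6925AB1B0A9871234,,True
Lexar,JumpDrive,AA04012700012345,a.smith,False
'@

function Test-PortableStorage {
    param(
        [string[]]$PnpDeviceId,   # USBSTOR instance IDs seen on the endpoint
        [object[]]$Inventory      # rows with Serial, Owner, Encrypted columns
    )
    foreach ($id in $PnpDeviceId) {
        # Instance ID layout: USBSTOR\DISK&VEN_x&PROD_y&REV_z\<serial>&<lun>
        $serial = ($id -split '\\')[-1] -replace '&\d+$', ''
        $row = $Inventory | Where-Object { $_.Serial -eq $serial } | Select-Object -First 1
        $finding = if ($serial -match '^.&') {
            # Windows generated this ID because the device reports no unique
            # serial, so it cannot be matched to an inventory record or owner.
            'DENY: no unique serial number'
        } elseif (-not $row) {
            'DENY: not in inventory (MP.2.121)'
        } elseif ([string]::IsNullOrWhiteSpace($row.Owner)) {
            'DENY: no identifiable owner (MP.3.123)'
        } elseif ($row.Encrypted -ne 'True') {
            'FLAG: not recorded as encrypted (MP.3.125)'
        } else {
            'OK'
        }
        [pscustomobject]@{ Serial = $serial; Owner = $row.Owner; Finding = $finding }
    }
}

# Constructed device IDs; the last two are not in the inventory above.
$seen = @(
    'USBSTOR\DISK&VEN_SANDISK&PROD_ULTRA&REV_1.00\4C530001230101112345&0',
    'USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER&REV_PMAP\50E549C6925AB1B0A9871234&0',
    'USBSTOR\DISK&VEN_LEXAR&PROD_JUMPDRIVE&REV_1100\AA04012700012345&0',
    'USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\7&2A1B3C4D&0',
    'USBSTOR\DISK&VEN_VERBATIM&PROD_STORE_N_GO&REV_1.00\0712345678901234&0'
)
# On a live endpoint, replace the sample list with:
#   $seen = (Get-CimInstance Win32_DiskDrive -Filter "InterfaceType='USB'").PNPDeviceID
Test-PortableStorage -PnpDeviceId $seen -Inventory ($inventoryCsv | ConvertFrom-Csv) |
    Format-Table -AutoSize
```

The `Encrypted` column reflects what the inventory records, not the state of the drive itself, so confirm it against the encryption tool you actually use.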

