NIST SP 800-171 & CMMC 2.0 Control 3.8.8 Requirement:
Prohibit the use of portable storage devices when such devices have no identifiable owner.
NIST SP 800-171 & CMMC 2.0 3.8.8 Requirement Explanation:
Portable storage devices, especially non-company-owned devices, can pose a security risk when used on your systems. They can carry malware and are easy to transport into your facilities. This is why they need to be prohibited from being used on your systems. Using technical controls, you can ensure that only your company-owned storage devices are used on your systems.
Example NIST SP 800-171 & CMMC 2.0 3.8.8 Implementation:
Document the serial numbers of the USB thumb drives and other portable storage devices used in your organization. When you provide one to an employee, document which device you gave them. As a result, all of your authorized devices will have an identifiable owner. Prohibit the use of any non-company-provided storage devices on your systems. Using technical controls, you can ensure that only your company-owned storage devices work on your systems. Enterprise anti-virus software often has the capability to allow only whitelisted storage devices on your systems. Using group policy is also an option for Windows computers.
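The following is an added example, not part of the original page: an audit sketch that matches USB storage devices seen on an endpoint against the serial-number inventory described above and reports which ones have an identifiable owner. The inventory rows, device IDs, and function names are constructed for illustration; it assumes Windows `USBSTOR` device instance IDs, whose last path segment carries the device serial.

```python
import csv
import io

# Constructed inventory: serials recorded at issue time and the employee each was given to.
INVENTORY_CSV = """serial,owner
4C530001230101116403,alice
AA00000000001234,bob
070B5C2E9F3D1A77,
"""

# Constructed Windows device instance IDs, as collected from an endpoint.
OBSERVED = [
    r"USBSTOR\Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00\4C530001230101116403&0",
    r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2a1b3c4d&0",
    r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\070B5C2E9F3D1A77&0",
    r"USBSTOR\Disk&Ven_Acme&Prod_Stick&Rev_1.0\FFEE112233445566&0",
]

def load_inventory(text):
    """Map upper-cased serial -> owner ('' when no owner was recorded)."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["serial"].strip().upper(): r["owner"].strip() for r in rows}

def serial_from_instance_id(instance_id):
    """Return the hardware serial, or None if the device reports none."""
    last = instance_id.rsplit("\\", 1)[-1]
    # With no hardware serial, Windows generates an ID whose 2nd character is '&'.
    if len(last) > 1 and last[1] == "&":
        return None
    return last.rsplit("&", 1)[0].upper()

def classify(instance_id, inventory):
    """Return ('allow', owner) or ('block', reason) for one observed device."""
    serial = serial_from_instance_id(instance_id)
    if serial is None:
        return ("block", "no hardware serial, cannot be tied to an owner")
    if serial not in inventory:
        return ("block", "serial not in company inventory")
    if not inventory[serial]:
        return ("block", "company device but no owner recorded")
    return ("allow", inventory[serial])

def audit(observed=OBSERVED, inventory_csv=INVENTORY_CSV):
    inv = load_inventory(inventory_csv)
    return [classify(dev, inv) for dev in observed]

if __name__ == "__main__":
    for dev, result in zip(OBSERVED, audit()):
        print(result, dev)
```

The script only reports; enforcement still comes from the allow-list in your endpoint protection product or group policy.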
NIST SP 800-171 & CMMC 2.0 3.8.8 Scenario(s):
- Scenario 1:
An employee found a USB thumb drive in the parking lot and attempted to plug it into their computer. Because the device isn't company-owned and hasn't been whitelisted, it doesn't work on your systems.