Kids Malware Viruses

CMMC Portable/Removable Storage Security Requirements

February 08, 2021
What are the cybersecurity maturity model certification (CMMC) requirements for portable storage devices? How should you control USB thumb drives, removable drives, and SD cards to meet your CMMC or NIST SP 800-171 requirements?

What is Portable Storage and Removable Media?

Portable Storage Definition: A data storage device that can be added or removed from a system and that has a small form factor making it easy to transport and lose.
Removable Media Definition: a portable data storage device that can be added or removed from a computing device.
Portable Storage and Removable Media Example: Flash/Thumb Drive, SD cards, eSATA, CD, DVD, Blu-ray, external HDD, external SSD.

CMMC Portable Storage Control Requirements

AC.2.006: Limit use of portable storage devices on external systems. (Requirement Explanation)
MP.3.123: Prohibit the use of portable storage devices when such devices have no identifiable owner. (Requirement Explanation)
MP.2.121: Control the use of removable media on system components. (Requirement Explanation)
MP.3.125: Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards. (Requirement Explanation)

CMMC Removable/Portable Storage Requirements Summary:

AC.2.006: In your acceptable use policy, state that the company provided portable/removable media devices may not be used on external systems. External systems are systems not controlled by your company such as personal computers, computers at hotels, and other such systems.
MP.3.123: Only provide authorized persons who have a business need with removable/portable media devices. Document the make, model, and the serial number of the device along with the name of the person who was provided the device.
MP.2.121: Either completely prohibit the use of portable storage devices on your systems or implement a portable storage device whitelist. You can accomplish this using group policy or another tool with similar functionality.
MP.3.125: Encrypt portable/removable media containing controlled unclassified information (CUI). As a best practice, you should encrypt all portable/removable media even if it doesn’t contain CUI unless there is a compelling business reason not to.

Discover Our NIST SP 800-171 Solutions:


Compliance Accelerator

For contractors seeking compliance

Quantum Assessor

For IT service providers

Supply Chain Verifier

For contractors seeking to verify partner compliance