CMMC Practice Requirement:
Control the use of removable media on system components.
CMMC Requirement Explanation:
Removable storage devices such as USB thumb drives can contain malware. If you allow the use of them on your systems you increase the risk of malware infections. USB thumb drives are also a convenient way to extract data from your environment. By controlling the use of removable storage devices you can improve your security posture.
Example CMMC Implementation:
Write a policy restricting the use of removable media. Your objective is to limit removable media to the smallest number needed. Ideally you should block all removable storage devices from functioning on your systems unless they are on a white list. Scan all removable storage media for viruses on a separate computer before using them on your systems. If possible, configure your anti virus software to scan removable storage devices. Create an inventory of removable media controlled by your organization. Document who is in possession of it and their business justification.
- Scenario 1:
An employee named John submits a ticket requesting a USB thumb drive. He tried to use a personnel thumb drive but it was blocked by his computer. After verifying the business need you provide him a company thumb drive. Because the thumb drive has been white listed it functions on John's computer and is scanned by his anti-virus.
Discover Our NIST SP 800-171 Solutions:
For contractors seeking compliance
For IT service providers
Supply Chain Verifier
For contractors seeking to verify partner compliance