CMMC Practice Requirement:

Prohibit the use of portable storage devices when such devices have no identifiable owner.

CMMC Requirement Explanation:

Portable storage devices, especially ones your company does not own, pose a security risk when connected to your systems: they can carry malware, they are easy to carry into and out of your facilities, and a device with no identifiable owner cannot be traced to anyone accountable for its contents. This is why their use on your systems needs to be prohibited. Using technical controls, you can ensure that only company-owned storage devices can be used on your systems.

Example CMMC Implementation:

Document the serial numbers of the USB thumb drives and other portable storage devices used in your organization. When you issue one to an employee, record which device you gave them. As a result, every authorized device has an identifiable owner. Prohibit the use of any storage device the company did not provide. Using technical controls, you can ensure that only company-owned storage devices work on your systems: enterprise anti-virus and endpoint protection suites often include device control that permits only allow-listed storage devices, and Windows Group Policy (Device Installation Restrictions) can block removable devices except those on an explicit allow list.

Scenario(s):

- Scenario 1:

An employee found a USB thumb drive in the parking lot and attempted to plug it into their computer. Because the device is not company owned and its serial number is not on the allow list, it does not work on your systems.
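The following PowerShell script is an added example for this page, not code from the original or from any product it mentions. It shows the two halves of the implementation described above: an audit that enumerates the USB storage devices attached to a Windows host and flags any whose serial number is not in the organization's inventory of issued drives (the parking-lot drive from Scenario 1 would show up here as UNAUTHORIZED), and an enforcement step that writes the registry values behind the Device Installation Restrictions group policy so that only inventoried drives can install. The sample inventory, the event source name `UsbDeviceAudit`, and the function names are constructed for the example; the policy value names are the ones the corresponding GPO writes, but verify them against `DeviceInstallation.admx` in your environment before relying on them.

```powershell
# Added example (not from the original page). Run from an elevated prompt.
#   1. Audit: list USB storage devices and flag any not in the inventory.
#   2. Enforce: write the Device Installation Restrictions policy values so
#      only inventoried drives (matched by instance ID, serial included) install.

# Constructed sample inventory: serial numbers recorded when the drives were
# issued, mapped to the employee each was issued to. Load yours from CSV/CMDB.
$AuthorizedDevices = @{
    '4C530001230000000001' = 'j.doe'
    '4C530001230000000002' = 'a.smith'
}

function Get-UsbStorageDevices {
    # Win32_DiskDrive reports the bus type and the serial the device presents.
    # For USBSTOR devices PNPDeviceID embeds that serial as the instance ID,
    # e.g. USBSTOR\DISK&VEN_X&PROD_Y&REV_1.00\<serial>&0
    Get-CimInstance -ClassName Win32_DiskDrive |
        Where-Object { $_.InterfaceType -eq 'USB' } |
        ForEach-Object {
            [PSCustomObject]@{
                Model        = $_.Model
                SerialNumber = ([string]$_.SerialNumber).Trim()
                InstanceId   = $_.PNPDeviceID
            }
        }
}

function Test-AuthorizedDevice {
    param([string]$SerialNumber, [hashtable]$Inventory)
    # A drive that reports no serial has no identifiable owner: treat it as
    # unauthorized rather than letting an empty string match anything.
    if ([string]::IsNullOrWhiteSpace($SerialNumber)) { return $false }
    return $Inventory.ContainsKey($SerialNumber)
}

function Get-UsbDeviceAudit {
    param([hashtable]$Inventory)
    foreach ($dev in Get-UsbStorageDevices) {
        $ok = Test-AuthorizedDevice -SerialNumber $dev.SerialNumber -Inventory $Inventory
        [PSCustomObject]@{
            Model        = $dev.Model
            SerialNumber = $dev.SerialNumber
            Owner        = if ($ok) { $Inventory[$dev.SerialNumber] } else { '<none>' }
            Status       = if ($ok) { 'AUTHORIZED' } else { 'UNAUTHORIZED' }
            InstanceId   = $dev.InstanceId
        }
    }
}

$audit = Get-UsbDeviceAudit -Inventory $AuthorizedDevices
$audit | Format-Table Model, SerialNumber, Owner, Status -AutoSize

# Log each unauthorized device to the Application log for SIEM pickup.
# 'UsbDeviceAudit' is an assumed source name; register it once with:
#   New-EventLog -LogName Application -Source UsbDeviceAudit
foreach ($f in $audit | Where-Object Status -eq 'UNAUTHORIZED') {
    Write-EventLog -LogName Application -Source 'UsbDeviceAudit' -EventId 4001 `
        -EntryType Warning `
        -Message "Unauthorized USB storage: $($f.Model) serial '$($f.SerialNumber)'"
}

# --- Enforcement: registry values behind the Device Installation Restrictions GPO ---
#   DenyRemovableDevices = 1      -> "Prevent installation of removable devices"
#   AllowInstanceIDs = 1, plus subkey AllowInstanceIDs with values 1, 2, ...
#                                 -> "Allow installation of devices that match any
#                                    of these device instance IDs"
# Allow entries take precedence over the removable-device deny, so only the
# listed instance IDs (which carry the drive's serial) will install.
function Set-UsbAllowList {
    param([string[]]$AllowedInstanceIds)
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    New-Item -Path $base -Force | Out-Null
    Set-ItemProperty -Path $base -Name DenyRemovableDevices -Value 1 -Type DWord
    Set-ItemProperty -Path $base -Name AllowInstanceIDs -Value 1 -Type DWord
    $allowKey = Join-Path $base 'AllowInstanceIDs'
    New-Item -Path $allowKey -Force | Out-Null
    $n = 1
    foreach ($id in $AllowedInstanceIds) {
        Set-ItemProperty -Path $allowKey -Name "$n" -Value $id -Type String
        $n++
    }
}

# Seed the allow list from the drives the audit just confirmed as authorized.
$allowed = $audit | Where-Object Status -eq 'AUTHORIZED' | ForEach-Object InstanceId
if ($allowed) { Set-UsbAllowList -AllowedInstanceIds $allowed }
```

Two caveats a practitioner should keep in mind. First, the deny policy governs driver installation, so a drive that was already installed on the machine keeps working unless the policy's "also apply to matching devices that are already installed" option is enabled (or the device is removed from the system). Second, the serial number is self-reported by the device: custom firmware can present any serial it likes, so an allow list by serial establishes accountability for your own drives but is not proof that a matching device is the one you issued. Pair it with the audit logging above and with endpoint device control that also covers non-storage USB classes.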