AC.L2-3.1.21
Limit use of portable storage devices on external systems.
Assessment Objectives
- [a]: The use of portable storage devices containing CUI on external systems is identified and documented.
- [b]: Limits on the use of portable storage devices containing CUI on external systems are defined.
- [c]: The use of portable storage devices containing CUI on external systems is limited as defined.
Spirit of the Control and Objectives
This control is often misinterpreted because the phrase “external systems” is easy to overlook. It focuses on the use of removable media, such as USB drives, on devices that are outside the organization’s system boundary. For example, if a user takes a USB drive to a customer site and plugs it into the customer’s computer to present a PowerPoint, any CUI on that drive is now exposed to a system the organization does not control. This scenario highlights the potential for exposing Controlled Unclassified Information (CUI) and underscores the need for strict policies that govern the use of portable storage devices in external environments.
Common Ways to Meet the Control
- Organizational Policy: Establish written policies that restrict or prohibit the use of portable storage devices on external systems.
- Defined Conditions: If such use is permitted, define the conditions under which portable storage devices may be used externally (for example, which devices, which data, and which approvals are required).
- Technical Controls: Implement technical controls that prevent unauthorized use of portable storage devices, such as disabling USB storage or only allowing company-managed, encrypted drives that require authentication. This is commonly achieved with Group Policy Objects (GPOs) or EDR device control policies.
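As an added example (not part of this guidance, and not an official tool), the PowerShell function below reads the policy-backed registry values that the Group Policy removable-storage and BitLocker To Go settings write on a managed Windows endpoint and reports whether each limit is enforced; it is read-only and intended to produce the evidence an assessor asks for. It assumes the standard policy registry paths and the “Removable Disks” device-class GUID shown in the comments, and that it is run elevated after a Group Policy refresh.

```powershell
# Added example: audit Group Policy removable-storage limits on a managed
# Windows endpoint. Read-only; changes nothing. Run elevated after gpupdate.

function Get-RemovableStoragePolicyStatus {
    [CmdletBinding()]
    param()

    # Registry locations populated by the corresponding Group Policy settings.
    $rsd = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    # Device-class GUID for "Removable Disks" under the policy key above.
    $removableDisks = Join-Path $rsd '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    # BitLocker (FVE) policy key, including BitLocker To Go settings.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

    # Helper: read a DWORD, returning $null when the policy is not configured.
    function Read-Dword([string]$Path, [string]$Name) {
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    $checks = @(
        @{ Setting = 'All Removable Storage classes: Deny all access'
           Path = $rsd; Name = 'Deny_All' },
        @{ Setting = 'Removable Disks: Deny write access'
           Path = $removableDisks; Name = 'Deny_Write' },
        @{ Setting = 'Deny write access to removable drives not protected by BitLocker'
           Path = $fve; Name = 'RDVDenyWriteAccess' },
        @{ Setting = 'Do not allow write access to devices configured in another organization'
           Path = $fve; Name = 'RDVDenyCrossOrg' }
    )

    # One result object per setting; Enforced is $true only when the value is 1.
    foreach ($c in $checks) {
        $value = Read-Dword -Path $c.Path -Name $c.Name
        [pscustomobject]@{
            Setting  = $c.Setting
            Value    = $value
            Enforced = ($value -eq 1)
            Source   = "$($c.Path)\$($c.Name)"
        }
    }
}

# Usage: produce the evidence table for objective [c] (limits enforced as defined).
Get-RemovableStoragePolicyStatus | Format-Table Setting, Enforced, Value -AutoSize
```

A setting reported as not enforced with a $null value means the policy is simply not configured on that endpoint, which is a finding against objective [c] rather than a script error.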
How We Interpret the Control
The intent of this control is to ensure that organizations have well-defined policies and technical mechanisms in place to limit and monitor the use of portable storage devices on systems outside their direct control. This includes understanding the conditions under which these devices can be used and implementing restrictions that mitigate risks to sensitive information and organizational security. By managing these interactions carefully, organizations can better protect their data from potential exposure and compromise.
What an Assessor Looks For
- Documentation of policies regarding portable storage device usage.
- Evidence that limits on the use of portable storage devices are enforced.
- Monitoring and logging related to the use of portable storage devices.