3.1.21 — USB Drives Under Control

The One-Liner

CUI on a USB drive plugged into an unmanaged computer is a data breach waiting to happen. Control which drives go where.

What It Says

Limit use of portable storage devices on external systems.

What It Actually Means

Portable storage — USB drives, external HDDs, SD cards — containing CUI must be:

1. Company-owned — no personal USB drives
2. Encrypted — if lost, the data is unreadable
3. Tracked — checked out from IT, returned when done
4. Restricted from external systems — don’t plug a CUI drive into a partner’s unmanaged workstation

Enforce it technically where possible (block USB ports via Intune/GPO) and administratively where you can’t (written policy with monitoring).

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Are authorized portable storage devices documented?	A list of approved devices
2	Are usage circumstances defined?	When and where they can be used on external systems
3	Is usage limited as defined?	Technical or administrative enforcement

---

What to Have Ready on Assessment Day

Documents they’ll review: Access control policy, external system use procedures, system security plan, system config, connection agreements

People they’ll talk to: Personnel restricting portable storage, sysadmins, information security staff

Live demos they’ll ask for: “Show me your USB policy. Show me that unauthorized USB devices are blocked.”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “Which portable storage devices are authorized for external use?”
• “Under what circumstances can they be used on external systems?”
• “What limitations are in place — authorized personnel only, encryption required?”
• “How do you enforce this — technically or administratively?”

Real-World Example

A contractor blocks all USB storage on managed devices via Intune device restrictions. When USB transfer is needed for a specific business function, an exception is requested through the ticketing system. IT provides an encrypted, company-owned USB drive, logs the checkout, and collects it when the task is complete. All USB block events are logged.

---

Where Companies Trip Up

No USB policy. Anyone can plug in any USB device anywhere.

Policy but no enforcement. A written policy exists but USB ports aren’t blocked technically.

No encryption on portable media. USB drives with CUI but no encryption.

---

How to Talk About This

To a CEO or Board

USB storage is blocked by default on all our devices. When needed, we issue encrypted company drives through a tracked checkout process.

To an Engineering Team

Intune device restrictions block USB storage by default. Exceptions via ticketing with IT approval. Company-issued encrypted drives only. All USB events logged in Sentinel.

---

Connected Requirements

Requirement	Why it matters here
3.8.7 — Removable Media Control	Controlling removable media on your own systems
3.8.6 — Encrypt Media in Transit	Encrypting media during transport
3.1.20 — Control Outside Connections	Broader external connection controls

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: AC.L2-3.1.21 | SPRS Weight: 1 point | POA&M Eligible: Yes