3.8.7 — Control Removable Media

The One-Liner

If a user can plug in any USB drive and copy CUI to it, your removable media controls are failing.

What It Says

Control the use of removable media on system components.

What It Actually Means

Removable media — USB drives, external hard drives, SD cards, CDs, DVDs — must be controlled on CUI systems. “Controlled” means technically restricted, not just covered by policy.

The best approach for most DIB contractors: block all removable storage by default on CUI systems via Intune device restriction policies or Group Policy. Then, if a legitimate business need exists, allow specific approved devices by exception — whitelisted by hardware ID, encrypted (BitLocker To Go), and documented.

What the assessor checks:

1. A policy exists. Written policy covering removable media: what’s allowed, what’s blocked, how exceptions are handled, who approves exceptions.

2. Technical controls enforce the policy. Intune device restriction profiles, Group Policy, or endpoint DLP blocking USB storage. The assessor will plug in a USB drive on a CUI workstation and expect it to be blocked.

3. Exceptions are documented. If any removable media is permitted, it’s documented: which devices (by hardware ID or serial number), who’s authorized to use them, for what purpose, and with what encryption.

4. USB events are logged. Whether access is blocked or permitted, the connection event should be logged for detection and investigation purposes.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Is removable media use controlled on CUI system components?	USB storage blocked by default via Intune/GPO; approved exceptions documented and whitelisted; USB events logged

---

What to Have Ready on Assessment Day

Documents they’ll review: Media protection policy; removable media procedures; Intune/GPO configuration showing USB restrictions; list of approved exceptions (if any); system security plan

People they’ll talk to: Personnel with media protection responsibilities; information security personnel; system administrators

Live demos they’ll ask for: “Plug a USB drive into a CUI workstation — what happens?” “Show me the Intune policy blocking removable storage.” “Are there any exceptions? Show me the approved list.”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “Are removable media allowed on CUI systems?”
• “Show me the technical control — Intune policy, GPO, or endpoint agent.”
• “Plug in a USB drive — is it blocked?”
• “Are there any exceptions? Show me the approved device list.”
• “Are USB connection events logged? Show me.”
• “How does someone request a removable media exception?”

Real-World Example

A defense contractor blocks USB storage on all CUI workstations via an Intune device restriction profile — “Removable storage: Block.” Two exceptions exist: one encrypted USB drive (FIPS 140-2 certified, hardware ID whitelisted in Intune) used by the IT Security Lead for emergency data transfer, and one for the project lead to exchange deliverables with a client who requires USB handoff. Both drives are BitLocker-encrypted, registered by hardware ID, and the exception is documented in the media protection policy with business justification and approval by the CEO. All USB connection events — blocked and allowed — are logged via Defender for Endpoint. The assessor plugs in an unapproved USB drive on a CUI workstation — it’s blocked. They review the Intune policy, the two-device exception list, and a Defender log showing USB connection events.

---

Where Companies Trip Up

No restrictions. All USB ports are open on CUI systems. This is one of the easiest things to fix and one of the most common findings. Deploy an Intune device restriction profile or Group Policy to block removable storage.

Policy without enforcement. The policy says “USB restricted” but the system allows any device. Technical enforcement is required — not just a policy document.

Too many exceptions. Twelve people have approved USB drives because “they need them for their job.” Challenge every exception — most data transfer can happen via secure file sharing instead.

No logging. USB events aren’t captured. Even with blocking in place, log USB connection attempts for detection of unauthorized activity. Defender for Endpoint captures this by default.

---

How to Talk About This

To a CEO or Board

USB storage is blocked by default on all CUI systems. Only two approved, encrypted devices are permitted — each with a documented business justification. All USB activity is logged and monitored.

To an Engineering Team

Intune device restriction: Removable storage → Block. Exceptions: hardware ID whitelist for specific FIPS-certified encrypted drives. USB events logged via Defender for Endpoint. Exception process: business justification → IT Security Lead review → CEO approval → hardware ID added to whitelist. Exception list reviewed quarterly.

---

Connected Requirements

Requirement	Why it matters here
3.8.8 — No Mystery USB Drives	Prohibition on unidentified media — technical controls here enforce it
3.8.6 — Encrypt Media in Transit	Any permitted removable media must be encrypted
3.4.7 — Block What’s Not Needed	USB blocking is part of restricting nonessential functions
3.14.5 — Scan Regularly	Real-time scanning for files from removable media

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: MP.L2-3.8.7 | SPRS Weight: 5 points | POA&M Eligible: No