NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 MP.L2-3.8.7 requires organizations to control removable media and restrict how Controlled Unclassified Information (CUI) can be moved off authorized systems; practical implementation combines endpoint Data Loss Prevention (DLP) with USB device whitelisting, logging, and policy enforcement to prevent unauthorized exfiltration.
Understanding the Compliance Framework requirement and objectives
Within the Compliance Framework, MP.L2-3.8.7 focuses on preventing unauthorized transfer of sensitive information via removable media; key objectives are to (1) deny or limit read/write access to removable storage for unauthorized users or endpoints, (2) allow only approved and encrypted devices, and (3) generate auditable logs of device connections and attempted data transfers. For a small business this means implementing technical controls that enforce policy consistently across a small fleet and demonstrating enforcement and auditability during assessments.
High-level implementation steps
Begin with policy and inventory: classify which data is CUI, map where it resides (file servers, local folders, cloud), inventory endpoints and current removable-device usage, and create a written removable-media policy aligned to MP.L2-3.8.7 (e.g., "Only company-issued encrypted USB drives with registered serial numbers may be used to copy CUI."). Next deploy an Endpoint DLP agent across all managed endpoints (Windows/macOS/Linux) and configure device control modules that explicitly block writing CUI to unauthorized removable media and unsanctioned cloud services.
Technical controls: USB whitelisting and DLP policy details
For USB whitelisting use a combination of device-control features in your EDR/DLP or MDM solution and platform configuration: on Windows you can deploy a Group Policy or Intune configuration to block USB storage class (USBSTOR) and use device installation restrictions to allow specific Device Instance IDs (e.g., USB\VID_1234&PID_ABCD\SERIAL12345). Many DLP vendors (Symantec/McAfee/Forcepoint/CrowdStrike + Device Control, Microsoft Defender for Endpoint + Defender for Endpoint device control, or Microsoft Purview DLP paired with Intune) let you whitelist by vendor/product ID and serial number while enforcing encryption and authentication. For macOS use Jamf or your MDM to restrict external volumes and whitelist system-managed secure drives; on Linux blacklist the kernel module (e.g., add usb-storage to /etc/modprobe.d/blacklist.conf) except for known device IDs handled by udev rules.
Example DLP rules and enforcement actions
Configure content-aware DLP rules to detect CUI via filename patterns, file path (e.g., \\CUI-Shares\), and content regex patterns (e.g., controlled keywords or structured data patterns). Example rule: "IF (document classification = CUI OR content matches CUI-regex) AND destination = removable storage AND device NOT in whitelist, THEN block write, notify user, create alert, quarantine copy on endpoint." Technical specifics: implement client-side blocking (prevent I/O), server-side quarantine for attempted transfers, and logging to SIEM with fields: username, endpoint hostname, device ID (VID/PID/serial), file name, SHA256, rule triggered, timestamp. Set actions to block by default and allow an exception workflow for documented business needs.
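The whitelist match on Device Instance IDs described above and the example DLP rule with its SIEM fields, as an added illustration written for this page (not any vendor's product code); the whitelist entries, CUI keyword regex and share path are constructed assumptions, and the Device Instance ID format is the one quoted earlier (USB\VID_xxxx&PID_xxxx\serial):

```python
import hashlib
import re
from datetime import datetime, timezone

# Windows Device Instance ID, e.g. USB\VID_1234&PID_ABCD\SERIAL12345
_DEV_ID_RE = re.compile(r"^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})\\([^\\]+)$", re.IGNORECASE)

# Constructed whitelist of company-issued encrypted drives: (VID, PID, serial) -> assigned user
WHITELIST = {("1234", "ABCD", "SERIAL12345"): "alice"}

# Constructed CUI detectors (hypothetical marking keywords and UNC share; adapt to your environment)
CUI_REGEX = re.compile(r"\b(CUI|CONTROLLED UNCLASSIFIED)\b", re.IGNORECASE)
CUI_SHARE_PREFIX = "\\\\CUI-Shares\\"   # matches paths under \\CUI-Shares\


def parse_device_id(device_id):
    """Return (vid, pid, serial) from a Device Instance ID, or None if malformed."""
    m = _DEV_ID_RE.match(device_id)
    if not m:
        return None
    return (m.group(1).upper(), m.group(2).upper(), m.group(3))


def is_whitelisted(device_id):
    """Device is approved only if VID, PID and serial all match an inventory entry."""
    key = parse_device_id(device_id)
    return key is not None and key in WHITELIST


def evaluate_transfer(user, host, device_id, file_name, source_path, content, classification, destination):
    """Apply the rule: (classification = CUI OR CUI regex OR CUI share) AND removable AND not whitelisted -> block.
    Returns (blocked, siem_event) where siem_event carries the fields the article lists."""
    is_cui = (classification == "CUI"
              or source_path.lower().startswith(CUI_SHARE_PREFIX.lower())
              or CUI_REGEX.search(content) is not None)
    blocked = is_cui and destination == "removable" and not is_whitelisted(device_id)
    event = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "username": user,
        "hostname": host,
        "device_id": device_id,
        "file_name": file_name,
        "sha256": hashlib.sha256(content.encode("utf-8")).hexdigest(),
        "rule_triggered": "MP.L2-3.8.7-removable-media" if blocked else None,
        "action": "block" if blocked else "allow",
    }
    return blocked, event
```

The monthly drill from the scenario below (copy a harmless test file marked CUI to an unapproved drive) maps directly onto `evaluate_transfer` returning `blocked == True` with a populated `rule_triggered` field.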
Small-business real-world scenario
Example: a 30-seat small defense subcontractor uses Microsoft Intune + Defender for Endpoint + BitLocker and cannot afford enterprise DLP. Practical approach: enable BitLocker on all endpoints, use Intune Device Configuration to deny removable storage access except to company-tagged devices, deploy Defender for Endpoint to log device connections, and implement a lightweight DLP like Microsoft Purview DLP (or a lightweight third-party DLP) to block copy of files from \\CUI-Shares and files with CUI keywords. Whitelist only 10 company-issued USB drives by serial number; document an exception ticket process for temporary allowances and require return and reimaging checks. Test monthly by attempting to copy a harmless test file marked as CUI to an unapproved USB and verify it is blocked and logged.
Compliance tips, best practices and monitoring
Best practices include least privilege for local users (no admin rights unless necessary), mandate full-disk encryption for any allowed removable device (FIPS-validated AES where required), maintain an authoritative whitelist inventory with device serials and assignment records, and integrate DLP events into your SIEM/incident response workflow. Retain logs long enough for audits (typical small business target: 1 year for device connection events); run quarterly audits comparing whitelist inventory to endpoint-reported devices. Train staff on the removable-media policy and enforce disciplinary and revocation steps for violations. Implement an exception approval flow with time-bound approvals and mandatory encrypted transfer tooling if physical transfer is required.
Risks of not implementing MP.L2-3.8.7 and final considerations
Failure to restrict removable media and enforce DLP exposes organizations to accidental or malicious exfiltration of CUI, contract loss, regulatory penalties, and reputational damage. From a practical standpoint, unmanaged USB ports are one of the easiest exfiltration vectors: attackers or disgruntled insiders can walk out with data on a thumb drive. Combining prevention (block/whitelist), detection (alerts/logging), and response (incident playbooks and device reimaging) provides the defense-in-depth required by Compliance Framework assessors.
In summary, meeting NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 MP.L2-3.8.7 is achievable for small businesses by documenting policy, inventorying endpoints and data, deploying endpoint DLP with device control, whitelisting only approved encrypted USB devices (by serial/VID/PID), and tying events into logging and incident response; test controls regularly and maintain an auditable trail to demonstrate compliance.