NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2 control AC.L2-3.1.21 requires limiting the use of portable storage devices on external systems to protect Controlled Unclassified Information (CUI); this post provides a practical, step-by-step approach using Data Loss Prevention (DLP), Mobile Device Management (MDM), and USB device control to meet that requirement in a small-business environment.
Understanding the requirement and the risks of non-implementation
AC.L2-3.1.21 is focused on preventing CUI from being placed onto or exfiltrated via portable storage connected to devices outside the assessed environment. For a small business working with the DoD or doing regulated work, failures here mean potential data breaches, loss of contracts, and noncompliance findings. The primary risks are unauthorized copying of CUI to unmanaged USB drives, employee shadow IT (personal drives / cloud storage), and infected removable media introducing malware into the corporate environment.
Architectural approach: DLP + MDM + USB Device Control
Think of the solution as three integrated layers: DLP enforces what data can move where (content-aware controls and channel blocking); MDM enforces policy on mobile and BYOD devices and feeds device compliance into conditional access; and USB device control enforces hardware-level restrictions on endpoints (whitelisting/blacklisting individual devices, blocking the mass-storage device class, requiring approved encrypted drives). In practice you will combine an endpoint DLP product (e.g., Forcepoint, Symantec, Microsoft Purview DLP), an MDM/UEM platform (Microsoft Intune, Jamf, VMware Workspace ONE) and a device-control module (Ivanti Device Control, CoSoSys Endpoint Protector, ManageEngine Device Control Plus), or rely on built-in OS controls for smaller footprints.
Implementing DLP on endpoints and cloud
Start by identifying CUI and other sensitive content by file type, metadata, file fingerprinting and content patterns (regular expressions for contract numbers, SSNs, technical-data markings). Create DLP rules that: 1) block copy-to-USB operations for files matching CUI patterns unless the destination is an approved, encrypted device; 2) prevent uploads to unmanaged cloud accounts; and 3) encrypt or quarantine attempted transfers and alert the SOC or security team. Example rule: "If file classification = CUI AND destination = removable storage AND device not in approved-list => block, log, alert, and optionally quarantine." On Windows endpoints the DLP agent intercepts file writes with a kernel-mode filter driver; on macOS use an agent built on the Endpoint Security system-extension framework (third-party kernel extensions are deprecated on current macOS). To enforce encryption on removable media, configure DLP to require BitLocker To Go (Windows) or approved hardware-encrypted drives, and escrow recovery keys to Active Directory or Intune/Entra ID so that recovery is auditable.
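The example rule above, written out as a small decision function so the logic can be tested before it is encoded in a DLP product. This is an added illustration, not code from the post or from any of the DLP vendors named; the three regexes, the approved-device dictionary, the device serials and the contract-number format are constructed stand-ins for whatever classification labels and inventory your DLP product actually uses.

```python
"""Content-aware DLP decision for a removable-media transfer (added illustration)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed CUI indicators. A real DLP product would use its own classification
# labels, fingerprints and exact-data-match sets instead of these three regexes.
CUI_PATTERNS = {
    "cui_marking": re.compile(r"\b(?:CUI|CONTROLLED UNCLASSIFIED INFORMATION)\b"),
    # Approximation of a DoD contract number such as W911NF-18-C-0012 (hypothetical format)
    "contract_number": re.compile(r"\b[A-Z0-9]{6}-\d{2}-[A-Z]-\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


@dataclass(frozen=True)
class ApprovedDevice:
    serial: str
    hardware_encrypted: bool                # True for approved hardware-encrypted drives


@dataclass
class TransferRequest:
    user: str
    path: str
    content: str
    destination: str                        # "removable", "cloud" or "local"
    device_serial: Optional[str] = None     # serial of the removable device, if any
    bitlocker_to_go: bool = False           # volume already protected by BitLocker To Go
    cloud_tenant_managed: bool = False      # upload target is the corporate tenant


@dataclass
class Decision:
    action: str                             # "allow", "block" or "quarantine"
    reason: str
    matched: List[str] = field(default_factory=list)


def classify(content: str) -> List[str]:
    """Return the names of the CUI indicators found in the content."""
    return [name for name, rx in CUI_PATTERNS.items() if rx.search(content)]


def evaluate(req: TransferRequest, approved: Dict[str, ApprovedDevice]) -> Decision:
    """Apply the rule: CUI may go to removable storage only on an approved device
    whose volume is encrypted; CUI to an unmanaged cloud account is quarantined."""
    matched = classify(req.content)
    if not matched:
        return Decision("allow", "no CUI indicators", matched)
    if req.destination == "removable":
        dev = approved.get(req.device_serial or "")
        if dev is None:
            return Decision("block", "CUI to removable device not on approved list", matched)
        if not (dev.hardware_encrypted or req.bitlocker_to_go):
            return Decision("block", "approved device but volume is not encrypted", matched)
        return Decision("allow", "approved encrypted device", matched)
    if req.destination == "cloud" and not req.cloud_tenant_managed:
        return Decision("quarantine", "CUI upload to unmanaged cloud account", matched)
    return Decision("allow", "destination inside the managed boundary", matched)


def audit_record(req: TransferRequest, decision: Decision) -> Dict[str, object]:
    """Structured event for the SIEM: record what matched, never the file content."""
    return {
        "user": req.user, "path": req.path, "destination": req.destination,
        "device_serial": req.device_serial, "action": decision.action,
        "reason": decision.reason, "indicators": decision.matched,
        "alert": decision.action != "allow",
    }


if __name__ == "__main__":
    approved = {"SN-ENC-001": ApprovedDevice("SN-ENC-001", hardware_encrypted=True)}
    req = TransferRequest("jdoe", r"C:\Projects\design.docx",
                          "CUI // drawing for contract W911NF-18-C-0012",
                          "removable", device_serial="SN-PERSONAL-7")
    print(audit_record(req, evaluate(req, approved)))
```

The ordering of the checks matters: classification runs first so that non-CUI traffic to personal drives is not blocked by the DLP rule at all (device control, not DLP, decides whether that drive may be used), and the encryption check is applied even to approved devices so that an approved but unencrypted drive is still refused.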
MDM and mobile device workflows
Use MDM to require device enrollment, enforce disk encryption, and apply app-level restrictions on mobile devices. For corporate-managed phones and tablets, configure MDM profiles to block USB file transfer and the mounting of external storage (on Android Enterprise these are the DISALLOW_USB_FILE_TRANSFER and DISALLOW_MOUNT_PHYSICAL_MEDIA restrictions, which cover OTG drives) and to block installation of third-party file managers that can move files to external storage. Use conditional access: only allow corporate apps (Outlook, OneDrive for Business) to access CUI when the device is compliant. For BYOD, use containerization (a managed app or a separate work profile) so that corporate data cannot be copy-pasted or exported to personal apps or removable media. Example: with Microsoft Intune, create a compliance policy (require encryption, require a healthy device) and then a Conditional Access policy that denies access to corporate data when the device is not compliant.
USB device control and endpoint configuration
At the endpoint layer, implement device control to enforce hardware rules: disable generic USB mass storage, whitelist vendor/product/serial IDs for approved drives, and allow read-only access where necessary. On Windows you can enforce this via Group Policy (Computer Configuration → Administrative Templates → System → Removable Storage Access, using "All Removable Storage classes: Deny all access" or the per-class "Removable Disks: Deny write access" setting; phones that present as MTP/PTP fall under the separate "WPD Devices" settings) and/or by disabling the USB storage driver through its start value via PowerShell: Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name 'Start' -Value 4 (Start=4 means Disabled; it applies to devices connected after the change and blocks every USB disk, approved or not, so it cannot by itself express an allow-list). Production deployments should use a commercial device-control product that supports granular policies (block by class, allow specific VID/PID/serial numbers, enforce encryption) and integrates with DLP and SIEM. Also disable AutoRun/AutoPlay, and ensure antivirus/EDR monitors for suspicious execution from removable media.
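The allow-by-VID/PID/serial decision that a device-control product makes, as an added example that is not part of the post or of any product named in it. It parses the Windows USB device instance ID format (USB\VID_xxxx&PID_xxxx\serial), loads a constructed approved-device inventory (the serials, vendor IDs and owners are made up), and returns the access mode. It also handles one edge case that bites allow-lists in practice: a device that reports no serial number gets a Windows-generated instance ID containing '&', which is not stable across ports or machines, so such devices are refused rather than matched.

```python
"""Approved-device evaluation for USB storage by VID/PID/serial (added illustration)."""
import csv
import io
import re
from typing import Dict, NamedTuple, Optional, Tuple

# Windows USB device instance ID, e.g. USB\VID_0781&PID_5567\4C530001230911104431
USB_INSTANCE_ID = re.compile(
    r"^USB\\VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})\\([^\\]+)$")

# Constructed approved-device inventory; mode is "rw" or "ro".
INVENTORY_CSV = """\
serial,vid,pid,mode,owner
4C530001230911104431,0781,5567,rw,jdoe
RO-DRIVE-01,13FE,4300,ro,shared-engineering
"""

AllowList = Dict[Tuple[str, str, str], str]   # (VID, PID, serial) -> "rw" | "ro"


class UsbIdentity(NamedTuple):
    vid: str
    pid: str
    serial: str


def parse_instance_id(instance_id: str) -> Optional[UsbIdentity]:
    """Split an instance ID into vendor, product and serial (upper-cased for matching)."""
    m = USB_INSTANCE_ID.match(instance_id.strip())
    if not m:
        return None
    return UsbIdentity(m.group(1).upper(), m.group(2).upper(), m.group(3).upper())


def has_unique_serial(ident: UsbIdentity) -> bool:
    """Windows synthesises an id such as 6&1A2B3C4D&0&3 when the device reports no
    serial number; it depends on the port and host, so it cannot be allow-listed."""
    return "&" not in ident.serial


def load_inventory(text: str) -> AllowList:
    """Read the approved-device CSV into an allow-list, rejecting unknown modes."""
    allow: AllowList = {}
    for row in csv.DictReader(io.StringIO(text)):
        mode = row["mode"].strip().lower()
        if mode not in ("rw", "ro"):
            raise ValueError(f"bad mode {mode!r} for serial {row['serial']}")
        allow[(row["vid"].upper(), row["pid"].upper(), row["serial"].upper())] = mode
    return allow


def decide(instance_id: str, is_mass_storage: bool, allow: AllowList) -> Tuple[str, str]:
    """Return (access, reason) where access is "rw", "ro", "allow" or "block"."""
    if not is_mass_storage:
        return ("allow", "not a mass-storage interface; outside this policy")
    ident = parse_instance_id(instance_id)
    if ident is None:
        return ("block", "unrecognised instance id format")
    if not has_unique_serial(ident):
        return ("block", "device reports no serial number; cannot be allow-listed")
    mode = allow.get((ident.vid, ident.pid, ident.serial))
    if mode is None:
        return ("block", f"VID_{ident.vid} PID_{ident.pid} serial {ident.serial} not approved")
    return (mode, "approved device")


if __name__ == "__main__":
    inventory = load_inventory(INVENTORY_CSV)
    for dev_id in (r"USB\VID_0781&PID_5567\4C530001230911104431",
                   r"USB\VID_0781&PID_5567\DEADBEEF0001",
                   r"USB\VID_0951&PID_1666\6&1A2B3C4D&0&3"):
        print(dev_id, "->", decide(dev_id, True, inventory))
```

Keying the inventory on the full (VID, PID, serial) triple rather than the serial alone matters because serial strings are only unique per vendor/product, and the default is "block" for anything the parser does not recognise, so a malformed or unexpected ID fails closed.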
Small-business implementation roadmap and real-world example
Practical rollout for a small business (50 employees):
Week 1: inventory endpoints and mobile devices; identify who handles CUI and where it is stored.
Week 2: draft the policy (approved devices, exception workflow, sanctions) and select vendors (e.g., Intune for MDM + Microsoft Purview DLP + Ivanti Device Control or Endpoint Protector).
Weeks 3–4: pilot on 8–10 endpoints (a mix of Windows, macOS and mobile).
Week 5: review logs, tune false positives, train pilot users.
Weeks 6–8: roll out to the remainder, enroll devices, deploy policies, and schedule ongoing audits.
Real-world scenario: a small defense subcontractor prevented a potential CUI exfiltration by blocking a user's attempt to copy a design document to a personal USB drive. DLP blocked the operation, device control logged the hardware ID, and the SOC triggered an incident response that identified the user and applied a temporary access suspension while remediation and training took place.
Compliance tips, monitoring, and best practices
Tips: maintain an approved-device inventory (include serial numbers), escrow encryption recovery keys in AD/Intune, document an exceptions process (time-limited, logged, approved by the ISSO), and run regular audits that correlate DLP incidents with device-control logs and conditional-access signals. Instrument logging so that USB connect/disconnect events, DLP block incidents, and conditional-access denials feed into your SIEM for alerting and retention consistent with contract requirements: on Windows, enable the Audit Removable Storage subcategory (object-access events 4663 tagged with the Removable Storage task category) and Audit PNP Activity (event 6416, a new external device was recognized), and forward both to your SIEM. Train users on the 'why' (CUI exposure risk) and keep a simple one-page job aid for handling allowed removable media. Finally, test your incident response plan with a tabletop exercise that includes a removable-media exfiltration and recovery scenario.
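The correlation the audit tip describes, as an added example rather than anything from the post or a particular SIEM: device-install events, removable-storage write events and DLP block events for the same host are joined within a time window so that a DLP block or a write can be tied back to the hardware ID of the drive that was plugged in. The five JSON records are constructed and heavily simplified (real 6416 and 4663 events carry many more fields and are not JSON), and the approved serial, hosts and users are made up.

```python
"""Correlating device-install, removable-storage and DLP events (added illustration)."""
import json
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed, simplified SIEM records. 6416 = Audit PNP Activity (new external device);
# 4663 with task "Removable Storage" = Audit Removable Storage object access; "dlp" stands
# in for whatever your DLP agent forwards.
SAMPLE_LOG = r"""
{"ts":"2024-05-06T09:12:03Z","host":"WS-014","source":"windows","event_id":6416,"user":"jdoe","device_id":"USB\\VID_0781&PID_5567\\4C53000123"}
{"ts":"2024-05-06T09:13:40Z","host":"WS-014","source":"windows","event_id":4663,"user":"jdoe","task":"Removable Storage","access":"WriteData","object":"E:\\design.docx"}
{"ts":"2024-05-06T09:13:41Z","host":"WS-014","source":"dlp","event_id":"BLOCK","user":"jdoe","file":"design.docx","label":"CUI","destination":"removable"}
{"ts":"2024-05-06T11:02:10Z","host":"WS-022","source":"windows","event_id":6416,"user":"asmith","device_id":"USB\\VID_13FE&PID_4300\\SN-ENC-001"}
{"ts":"2024-05-06T11:05:00Z","host":"WS-022","source":"windows","event_id":4663,"user":"asmith","task":"Removable Storage","access":"WriteData","object":"E:\\report.pdf"}
"""

APPROVED_SERIALS = {"SN-ENC-001"}   # from the approved-device inventory (constructed)
WINDOW = timedelta(minutes=15)      # how long a device-install event stays "current" for a host


def parse_log(text: str) -> List[Dict]:
    """Parse JSON lines and order them by timestamp (ISO-8601 Zulu sorts lexically)."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def ts(event: Dict) -> datetime:
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")


def serial_of(device_id: str) -> str:
    """Last backslash-separated component of a USB instance ID is the serial."""
    return device_id.rsplit("\\", 1)[-1]


def correlate(events: List[Dict]) -> List[Dict]:
    """Join writes and DLP blocks to the most recent device install on the same host."""
    alerts: List[Dict] = []
    current: Dict[str, Tuple[datetime, str]] = {}   # host -> (install time, device_id)

    def recent_device(e: Dict) -> Optional[str]:
        dev = current.get(e["host"])
        if dev and ts(e) - dev[0] <= WINDOW:
            return dev[1]
        return None

    for e in events:
        if e["source"] == "windows" and e["event_id"] == 6416:
            current[e["host"]] = (ts(e), e["device_id"])
            if serial_of(e["device_id"]) not in APPROVED_SERIALS:
                alerts.append({"severity": "medium", "rule": "unapproved_removable_connected",
                               "host": e["host"], "user": e["user"],
                               "serial": serial_of(e["device_id"])})
        elif (e["source"] == "windows" and e["event_id"] == 4663
              and e.get("task") == "Removable Storage" and e.get("access") == "WriteData"):
            dev = recent_device(e)
            if dev and serial_of(dev) not in APPROVED_SERIALS:
                alerts.append({"severity": "high", "rule": "write_to_unapproved_removable",
                               "host": e["host"], "user": e["user"],
                               "serial": serial_of(dev), "object": e["object"]})
        elif e["source"] == "dlp" and e["event_id"] == "BLOCK" and e.get("destination") == "removable":
            dev = recent_device(e)
            alerts.append({"severity": "high", "rule": "dlp_block_cui_to_removable",
                           "host": e["host"], "user": e["user"], "file": e["file"],
                           "serial": serial_of(dev) if dev else "unknown"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print(alert)
```

Writes to an approved drive (WS-022 in the sample) produce no alert, which is the point of keeping the inventory in the SIEM as well as in the device-control console: the same list drives both enforcement and detection, and a write that reaches an unapproved drive despite the endpoint controls shows up as a high-severity correlation rather than a lone audit event.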
Summary: meeting AC.L2-3.1.21 requires a layered, enforceable approach: combine content-aware DLP, device posture enforcement via MDM, and hardware-level USB device control to block unauthorized portable storage use. For small businesses, use vendor-managed solutions where possible, pilot carefully, keep an approved-device inventory, log everything to a SIEM, and document an exceptions and response process to reduce risk and demonstrate compliance.