
How to Meet NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - MP.L2-3.8.7

Practical guide for SMBs to implement NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - MP.L2-3.8.7

January 06, 2026
3 min read


Requirement

NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - MP.L2-3.8.7 – Control the use of removable media on system components.

Understanding the Requirement

This control requires you to limit and manage how removable storage devices (USB thumb drives, external HDDs, SD cards, etc.) are used with your systems so they cannot introduce malware or be used to exfiltrate data. The core objective is that “the use of removable media on system components is controlled,” which means formal policies, technical restrictions, and operational checks are in place to minimize use to only approved, inventoried, and scanned devices. This guidance supports compliance with NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 and helps reduce both malware and data loss risk for small and medium businesses.

Technical Implementation

  • Write and publish a removable media policy that defines permitted devices, approved use cases, who can request exceptions, and required handling (encryption, labeling, return/retirement). Keep the policy short, specific, and tied to job roles so technicians can enforce it consistently.

  • Implement a whitelist approach with endpoint controls: use native OS controls, Group Policy (Windows), or your endpoint management agent to block all removable storage by default and allow only serial numbers or device IDs of company-owned media.

  • Issue company-owned, encrypted removable media for authorized needs. Maintain an inventory that records device owner, asset tag, encryption status, serial number, and last scanned date; require that only these inventoried items are whitelisted.

  • Configure anti-virus/endpoint protection to automatically scan removable media on connection and enforce quarantine or block if malware is detected. If possible, enforce real-time scanning and an automated upload of suspicious files to a centralized EDR or sandbox for analysis.

  • Provide a technical process for scanning external media before any use: a dedicated scanning station or isolated VM where IT can plug in new devices, run a full malware scan, and verify encryption and integrity before adding to the whitelist.

  • Log and monitor removable media events: enable audit logging for USB connect/disconnect and file transfer actions, forward logs to your SIEM or a central log server, and review alerts for unauthorized devices or unexpected data transfers. Tie logging to an incident response playbook that covers lost devices and suspected exfiltration.
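As an added example (not part of the original article), the whitelist and logging steps above combined into a small review script: it parses constructed USB connect events, pulls the device serial out of the USBSTOR instance path, and checks each against a constructed inventory carrying the fields listed above (owner, asset tag, encryption status, serial, last scanned date). The event format, the 30-day rescan window and every value are assumptions for illustration.

```python
import re
from datetime import date, timedelta

# Constructed inventory: serial -> record with the fields the article lists.
INVENTORY = {
    "0123456789AB": {"owner": "j.engineer", "asset_tag": "USB-0007", "encrypted": True,
                     "status": "active", "last_scanned": date(2026, 1, 2)},
    "A1B2C3D4E5F6": {"owner": "it.pool", "asset_tag": "USB-0012", "encrypted": True,
                     "status": "revoked", "last_scanned": date(2025, 12, 20)},  # lost
    "DEADBEEF0001": {"owner": "m.tech", "asset_tag": "USB-0003", "encrypted": False,
                     "status": "active", "last_scanned": date(2025, 10, 1)},
}
# Constructed connect events: "<timestamp> <host> <user> <PnP instance path>";
# the path shape follows Windows USBSTOR device IDs, but every value is invented.
SAMPLE_EVENTS = [
    "2026-01-06T09:12:01 WS-ENG-04 acme\\j.engineer "
    "USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00\\0123456789AB&0",
    "2026-01-06T09:40:17 WS-ENG-02 acme\\contractor "
    "USBSTOR\\Disk&Ven_Generic&Prod_Flash&Rev_8.07\\FFFF00001111&0",
    "2026-01-06T10:05:44 WS-PROD-01 acme\\m.tech "
    "USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\\DEADBEEF0001&0",
    "2026-01-06T11:20:03 WS-ENG-04 acme\\j.engineer "
    "USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00\\A1B2C3D4E5F6&0",
]
# Serial = last path component of the USBSTOR instance ID, minus its "&N" suffix.
SERIAL_RE = re.compile(r"USBSTOR\\[^\\]+\\([0-9A-Za-z]+)(?:&\d+)?$")
REVIEW_DATE = date(2026, 1, 6)      # "today" for the scan-age check
MAX_SCAN_AGE = timedelta(days=30)   # assumed policy: media rescanned at least monthly


def triage_event(line, today=REVIEW_DATE):
    """Classify one connect event against the inventory; returns a result dict."""
    ts, host, user, instance = line.split(" ", 3)
    m = SERIAL_RE.search(instance)
    serial = m.group(1) if m else None
    rec = INVENTORY.get(serial)
    if rec is None:                                    # default-deny: not whitelisted
        verdict = "ALERT unauthorized device (not in inventory)"
    elif rec["status"] != "active":                    # lost/revoked media reappearing
        verdict = f"ALERT {rec['status']} device {rec['asset_tag']} seen"
    elif not rec["encrypted"]:
        verdict = f"ALERT unencrypted device {rec['asset_tag']}"
    elif today - rec["last_scanned"] > MAX_SCAN_AGE:   # pre-use scan has lapsed
        verdict = f"ALERT scan overdue for {rec['asset_tag']}"
    else:
        verdict = f"OK {rec['asset_tag']} ({rec['owner']})"
    return {"time": ts, "host": host, "user": user, "serial": serial, "verdict": verdict}


def review(events=SAMPLE_EVENTS, today=REVIEW_DATE):
    # Triage every event; the ALERT rows are what the log reviewer looks at first.
    return [triage_event(e, today) for e in events]
```

Feeding real SIEM exports through `review()` only requires adapting the line split and the serial regex to your log source's field layout.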

Example in a Small or Medium Business

Acme Fabrication is a 60-person shop that designs and builds custom enclosures and needs occasional field data transfers. They adopt a removable media policy that permits only company-issued encrypted USB drives and limits requests to authorized engineers. When a technician needs to transfer a large CAD file from the production floor to an offsite partner, they submit a short ticket explaining the business reason. IT verifies the need, assigns an encrypted thumb drive from inventory, and whitelists its device ID in the endpoint management console. Before the drive is used on any engineering workstation, IT plugs it into a dedicated scanning station; the endpoint protection performs a full scan and confirms no malware is present. The workstation allows the drive because it is whitelisted, the transfer proceeds, and the activity is logged centrally. If the drive is lost or shows up on a threat feed later, IT can rapidly revoke its whitelist entry, disable access via management tools, and follow the incident checklist to determine exposure.

Summary

Combining a clear policy with technical controls—default-deny blocking, whitelisted company-owned encrypted media, mandatory pre-use scanning, and centralized logging—meets the requirement to control removable media on system components. For SMBs this approach minimizes administrative overhead while addressing the biggest risks: malware introduction and data exfiltration. Keep the policy simple, inventory and tag devices, automate scans and whitelisting through endpoint management, and maintain an incident-ready process to revoke access quickly when needed.
