This post explains how to implement NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control MP.L2-3.8.2 for protecting Controlled Unclassified Information (CUI) on removable media and endpoints — with concrete tools, configurations, operational processes, and small-business examples that map directly to Compliance Framework expectations.
What MP.L2-3.8.2 requires (high level)
MP.L2-3.8.2 focuses on preventing unauthorized storage and movement of CUI onto removable media and non-approved endpoints, and on managing media lifecycle (use, authentication, encryption, sanitization, disposal). For Compliance Framework evidence you will need policy, technical controls, exception/approval records, inventory and logs showing enforcement, and sanitization/disposal procedures aligned to NIST SP 800-88.
Technical controls and tools — Windows
For Windows endpoints, use a combination of disk encryption (BitLocker/BitLocker To Go), Group Policy/Intune device restriction settings, and endpoint DLP/EDR. Key actionable settings: enable BitLocker with TPM+PIN and enforce BitLocker To Go for removable drives (use XTS-AES 256); under Computer Configuration → Administrative Templates → System → Removable Storage Access, set "All Removable Storage classes: Deny all access" or, more selectively, "Removable Disks: Deny write access." To fully disable USB mass storage, set HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR Start = 4 (service disabled) via Group Policy preferences, or use a device installation restriction policy to allowlist only approved USB device IDs. Centralize recovery keys in Intune/AD to meet key escrow evidence requirements.
Technical controls and tools — macOS, iOS, and Android
On macOS enforce FileVault full-disk encryption, manage external drive access with an MDM (Jamf/Intune) profile that disables external volumes or enforces read-only access for unmanaged devices, and use configuration profiles to restrict attachment of USB/Thunderbolt storage. For mobile devices, use Mobile Device Management (MDM) to disable USB OTG and block unmanaged cloud backup of CUI; enforce managed apps and controlled document containers for data-at-rest and in-transit. Keep enrollment and policy assignment logs as Compliance Framework evidence.
Technical controls and tools — Linux and embedded devices
Linux endpoints can be hardened by blacklisting the usb_storage kernel module (create /etc/modprobe.d/blacklist-usb.conf with "blacklist usb_storage"), employing USBGuard or udev rules to allowlist devices, and using LUKS full-disk encryption with TPM2 or keyfile escrow to an enterprise key manager. For servers and embedded systems, disable unused ports in BIOS/UEFI and use OS-level policies to prevent mounting of removable media by non-admin users. Log kernel events and udev actions and forward them to your SIEM for attestation.
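The following script is an added example (not code from the original post) that turns the Windows and Linux settings above into a repeatable evidence check. It reads two constructed inputs, a Windows .reg export of the USBSTOR service key and the Removable Storage Access policy key, and the text of a Linux /etc/modprobe.d/*.conf file, and reports findings. The registry value names (Start, Deny_All, the Removable Disks class GUID with Deny_Write) follow the Removable Storage Access ADMX as I know it; confirm them against your own export before relying on the check. One caveat the check encodes: on Linux, a "blacklist usb_storage" line only stops automatic loading, so the check also requires "install usb_storage /bin/false", which makes an explicit modprobe fail as well.

```python
"""Audit exported endpoint settings for the removable-media controls above.

Added example; inputs are constructed samples, not real exports.
Each check returns a list of findings; an empty list means the exported
evidence shows the expected hardening.
"""
import re

# Registry keys compared case-insensitively (stored lower-cased by the parser).
USBSTOR_KEY = r"hkey_local_machine\system\currentcontrolset\services\usbstor"
RSD_KEY = r"hkey_local_machine\software\policies\microsoft\windows\removablestoragedevices"
# Class GUID used by the "Removable Disks" policies under Removable Storage Access.
REMOVABLE_DISKS_CLASS = "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"

# Constructed sample exports (shape of `reg export`, values invented for the example).
WINDOWS_REG_HARDENED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000004
"ImagePath"="System32\\drivers\\USBSTOR.SYS"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices]
"Deny_All"=dword:00000001
"""

WINDOWS_REG_WEAK = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000003
"""

# Constructed modprobe.d contents: the weak form and the corrected form.
LINUX_MODPROBE_WEAK = "# stops automatic loading only\nblacklist usb_storage\n"
LINUX_MODPROBE_HARDENED = (
    "blacklist usb_storage\n"
    "install usb_storage /bin/false   # an explicit 'modprobe usb_storage' now fails too\n"
)


def parse_reg_export(text):
    """Parse a .reg export into {key_lowercase: {value_name: int|str}}.

    Only dword and plain string values are handled; other types are ignored.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'"([^"]+)"=(dword:([0-9a-fA-F]{8})|"(.*)")$', line)
        if m and current is not None:
            name = m.group(1)
            keys[current][name] = int(m.group(3), 16) if m.group(3) is not None else m.group(4)
    return keys


def check_windows(reg_text):
    """USBSTOR must be disabled (Start=4) and a Removable Storage Access deny policy set."""
    keys = parse_reg_export(reg_text)
    findings = []
    start = keys.get(USBSTOR_KEY, {}).get("Start")
    if start != 4:
        findings.append(f"USBSTOR Start is {start!r}, expected 4 (driver disabled)")
    deny_all = keys.get(RSD_KEY, {}).get("Deny_All")
    deny_write = keys.get(RSD_KEY + "\\" + REMOVABLE_DISKS_CLASS, {}).get("Deny_Write")
    if deny_all != 1 and deny_write != 1:
        findings.append("no Removable Storage Access deny policy (Deny_All or Removable Disks Deny_Write)")
    return findings


def check_linux_modprobe(conf_text):
    """Require 'install usb_storage /bin/false'; 'blacklist' alone only blocks autoload."""
    blacklisted = install_blocked = False
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "blacklist" and parts[1] == "usb_storage":
            blacklisted = True
        if len(parts) >= 3 and parts[:2] == ["install", "usb_storage"] and parts[2] in ("/bin/false", "/bin/true"):
            install_blocked = True
    findings = []
    if not install_blocked:
        note = " (blacklist only prevents automatic loading)" if blacklisted else ""
        findings.append("usb_storage can still be loaded explicitly: add 'install usb_storage /bin/false'" + note)
    return findings


if __name__ == "__main__":
    for label, result in [
        ("windows hardened", check_windows(WINDOWS_REG_HARDENED)),
        ("windows weak", check_windows(WINDOWS_REG_WEAK)),
        ("linux hardened", check_linux_modprobe(LINUX_MODPROBE_HARDENED)),
        ("linux weak", check_linux_modprobe(LINUX_MODPROBE_WEAK)),
    ]:
        print(f"{label}: {result or 'OK'}")
```

Run it against a real `reg export HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR` output and your modprobe.d files, and keep the script output with the export as the evidence package; the point is that the check is the same on every endpoint and every audit cycle.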
DLP, EDR, MDM, hardware-encrypted media, and logging
Deploy Data Loss Prevention (Symantec, McAfee DLP, Digital Guardian, Microsoft Purview) to block copy-to-removable-media operations or to require policy approval and encryption. EDR (Microsoft Defender for Endpoint, CrowdStrike) should alert on suspicious file copies and new device attachments. Use hardware-encrypted and FIPS-validated USB drives for approved exceptions and require asset tagging; maintain an inventory with serial numbers. Implement logging: enable file/object auditing on Windows (Event IDs 4663/4656 for file access), endpoint device attach logs, and retain logs for the period required by your contract — forward to a SIEM for automated alerting and reporting for auditors.
Operational controls: policy, approvals, sanitization, and training
Technical measures must be paired with documented procedures: a written removable media policy that defines allowed media types, an approval workflow for exceptions (who can approve, for how long), chain-of-custody and media inventory records, and sanitization/disposal processes following NIST SP 800-88 (clear, purge, destroy). Train users quarterly on why removable media are restricted, run tabletop exercises for lost media, and log approvals and returns in a simple ticketing system to create audit trails for Compliance Framework evidence.
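The logging and EDR alerting described under "DLP, EDR, MDM, hardware-encrypted media, and logging" and the approval workflow and media inventory described just above only become evidence when the two are correlated. The script below is an added example (not from the original post) that does that correlation offline: it reviews endpoint events against an approval register with expiry dates, flagging attachments of devices that are unapproved or whose approval has lapsed, and any write to a removable drive letter. The records mimic the field names of Windows Security events 6416 (a new external device was recognized) and 4663 (an attempt was made to access an object), but every value, serial number and register entry is constructed, and the drive letters and 4663 access-mask bits used are assumptions you should set for your own environment.

```python
"""Correlate device-attach and file-access events with the removable-media approval register.

Added example. All events, serials and approvals below are constructed.
"""
from datetime import date
import re

# Assumption: drive letters this endpoint assigns to removable disks.
REMOVABLE_DRIVES = {"E:", "F:"}
# 4663 AccessMask bits for WriteData/AddFile (0x2) and AppendData (0x4).
WRITE_ACCESS_BITS = 0x2 | 0x4

# Constructed approval register: one row per approved, asset-tagged, hardware-encrypted drive.
APPROVALS = [
    {"serial": "HW4C5300012345", "asset_tag": "RM-0007", "approved_by": "ISSO", "expires": date(2025, 3, 31)},
    {"serial": "HW4C5300099999", "asset_tag": "RM-0012", "approved_by": "ISSO", "expires": date(2024, 1, 15)},
]

# Constructed events, as they might be exported from the Security log.
EVENTS = [
    {"EventID": 6416, "TimeCreated": "2024-06-03T09:12:40", "ClassName": "DiskDrive",
     "DeviceId": r"USBSTOR\Disk&Ven_Apricorn&Prod_Secure_Key&Rev_0100\HW4C5300012345&0"},
    {"EventID": 6416, "TimeCreated": "2024-06-03T09:40:02", "ClassName": "DiskDrive",
     "DeviceId": r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\A1B2C3D4E5F6&0"},
    {"EventID": 6416, "TimeCreated": "2024-06-03T10:01:11", "ClassName": "DiskDrive",
     "DeviceId": r"USBSTOR\Disk&Ven_Apricorn&Prod_Secure_Key&Rev_0100\HW4C5300099999&0"},
    {"EventID": 4663, "TimeCreated": "2024-06-03T09:41:30", "SubjectUserName": "jdoe",
     "ObjectName": r"F:\contract\CUI_statement_of_work.docx", "AccessMask": "0x2",
     "ProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4663, "TimeCreated": "2024-06-03T09:42:05", "SubjectUserName": "jdoe",
     "ObjectName": r"C:\Users\jdoe\Documents\notes.txt", "AccessMask": "0x2",
     "ProcessName": r"C:\Windows\notepad.exe"},
    {"EventID": 4663, "TimeCreated": "2024-06-03T09:43:10", "SubjectUserName": "svc-backup",
     "ObjectName": r"F:\contract\CUI_statement_of_work.docx", "AccessMask": "0x1",
     "ProcessName": r"C:\Program Files\Backup\agent.exe"},
]


def serial_from_device_id(device_id):
    """Pull the serial from a USBSTOR instance ID, whose last segment is '<serial>&<n>'."""
    m = re.search(r"\\([^\\&]+)&\d+$", device_id)
    return m.group(1) if m else None


def approval_status(serial, as_of, approvals=APPROVALS):
    """'approved', 'expired', or 'unapproved' for the given serial on the given date."""
    for row in approvals:
        if row["serial"] == serial:
            return "approved" if row["expires"] >= as_of else "expired"
    return "unapproved"


def review_events(events, as_of, approvals=APPROVALS):
    """Return findings for unapproved/expired attachments and writes to removable drives."""
    findings = []
    for ev in events:
        if ev["EventID"] == 6416 and ev["DeviceId"].upper().startswith("USBSTOR\\"):
            serial = serial_from_device_id(ev["DeviceId"])
            status = approval_status(serial, as_of, approvals)
            if status != "approved":
                findings.append({"type": f"{status}_device" if status == "unapproved" else "expired_approval",
                                 "time": ev["TimeCreated"], "serial": serial, "device": ev["DeviceId"]})
        elif ev["EventID"] == 4663:
            drive = ev["ObjectName"][:2].upper()
            mask = int(ev["AccessMask"], 16)
            if drive in REMOVABLE_DRIVES and mask & WRITE_ACCESS_BITS:
                findings.append({"type": "removable_write", "time": ev["TimeCreated"],
                                 "user": ev["SubjectUserName"], "path": ev["ObjectName"],
                                 "process": ev["ProcessName"]})
    return findings


if __name__ == "__main__":
    for finding in review_events(EVENTS, as_of=date(2024, 6, 3)):
        print(finding)
```

Feeding the script the real attach and object-access events from your SIEM, together with the approval register from your ticketing system, gives you the two artefacts an assessor asks for at once: proof that the log source is working and proof that every attached device traces back to a current approval.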
Real-world small-business scenarios and step-by-step mitigations
Scenario A: A subcontractor hands over a USB with CUI. Mitigation: refuse unmanaged media; if acceptance is required, only accept hardware-encrypted, asset-tagged drives and log serial + purpose; ingest data directly to a controlled endpoint, then sanitize the drive per 800-88. Scenario B: Employee copies CUI to a personal cloud. Mitigation: block unmanaged cloud sync for managed files via DLP; revoke access and remove the data with the MDM's remote wipe of managed app containers; document the incident and notify stakeholders per the incident response plan. These examples demonstrate the combination of policy, technical block/allow lists, and documented exception handling required for Compliance Framework auditors.
Risks of not implementing MP.L2-3.8.2
Failure to control removable media and endpoints risks data exfiltration, loss of CUI, contractual penalties, damage to reputation, and potential exclusion from DoD/contracting opportunities. Technically, unencrypted USBs and uncontrolled endpoints are high-probability vectors for malware/ransomware and unauthorized disclosure; from an audit perspective, lack of policies, logs, and key escrow means failing Compliance Framework assessment even if no breach has occurred.
Best practices and compliance tips (summary)
Start with a baseline: inventory endpoints, enable full-disk encryption everywhere, and deploy DLP + EDR. Where a blanket deny is not operationally possible, use allowlists of approved devices rather than broad exceptions; document all exceptions and retain approval records, escrow encryption keys centrally, and use asset-tagged, hardware-encrypted media for approved needs. Keep retention of logs and evidence aligned with contract requirements and perform periodic control testing (simulate a removable-media policy violation) to prove effectiveness. Finally, include the removable media policy and technical configuration details in your System Security Plan (SSP) and Plan of Action & Milestones (POA&M) so auditors see both the controls and remediation planning.
In summary, meeting MP.L2-3.8.2 requires layered defenses — encryption, endpoint/device controls, DLP/EDR, MDM, documented processes, and logging — all tied to a clear policy and exception workflow; for small businesses the practical path is: encrypt everything, block where possible, allow only vetted exceptions (hardware-encrypted drives with asset tracking), and keep demonstrable records and logs to satisfy Compliance Framework auditors.