Before we get into the meat and potatoes of USB compliance for NIST 800-171 and CMMC we need to clarify that we are in fact talking about removable media. The term USB is often incorrectly used as a term for data storage devices that use a Universal Serial Bus (USB) connection. Many peripherals connected to your computer like your mouse and keyboard use USB, but they are not storage devices. Resultantly, they are outside of the scope of the requirements we will discuss in this blog.
Before we start, Important Definitions
In NIST SP 800-171 and CMMC 2.0, removable media devices and portable storage devices are addressed. So, what are they?
According to the NIST glossary a removeable media device
is a “Portable device that can be connected to an information system (IS), computer, or network to provide data storage... Examples include, but are not limited to: USB flash drives, external hard drives, and external solid-state disk (SSD) drives.”
Did you notice how the definitions are exactly the same? Confusing right? We agree. But in any case, they describe the same types of devices. Essentially, a device that stores data, is portable, and is easily inserted and removed from a computing device.
Removable Storage or “USB” Requirements for NIST 800-171 & CMMC 2.0
There are three security controls in NIST SP 800-171 and CMMC 2.0 that directly address removable media. These controls are 3.8.7, 3.8.8, and 3.1.21. There are several others that are closely related, these are 3.8.6, 3.8.4, and 3.8.3. We will provide a summary of each and describe what you need to do become compliant.
3.8.7 Requirement: Control the use of removable media on system components
To meet this requirement you need to either completely prohibit the use of removable media devices or control them. How do you accomplish this?
Using Microsoft group policy or Microsoft endpoint manager you can completely prohibit removable media devices or create a whitelist. A whitelist will only allow approved removable media to work on your systems. Some anti-malware solutions also offer this functionality.
You should also have a policy on the use of removable media and describe the policy in your acceptable use policy that your employees sign.
3.8.8: Prohibit the use of portable storage devices when such devices have no identifiable owner
To meet this requirement you must create an inventory of your removable media devices and document who they are assigned to. You also need to configure your systems to only allow the use of approved removable media devices. Alternatively, completley prohibit the use of removable media.
3.1.21 Limit use of organizational portable storage devices on external systems.
External systems are systems over which your organization has no direct control over its security and is outside of your authorization boundary. Your authorization boundary includes the systems that are within the scope of your NIST SP 800-171 and CMMC 2.0 requirements.
The most realistic way to meet this requirement is to include a clause in your acceptable use policy restricting employees from using organization provided media on external systems.
3.8.6 Requirement: Implement cryptographic mechanisms to protect the confidentiality of “Controlled Unclassified Information” (CUI) stored on digital media during transport unless otherwise protected by alternative physical safeguards.
To meet this requirement, you should encrypt your removable media devices. You can use Microsoft’s bit-locker to accomplish this. If you use Macs, you can use FileVault. If your system consists of Windows and Mac computers you should use something like the secure removable storage devices from Apricorn
Technically, if the removable media devices don’t leave your physically secured facility, they don’t have to be encrypted but that is taking a big risk. It is very easy for an employee to take the device outside of the facility thus violating this security requirement. So, make sure that all removable media are encrypted using FIPS validated cryptography.
3.8.4 Requirement: Mark media with necessary “Controlled Unclassified Information” (CUI) markings and distribution limitations
As it relates to removable media, to meet this requirement simply put a label on all removable media containing controlled unclassified information (CUI). The label should read “controlled” followed by your organization’s initials.
3.8.3 Sanitize or destroy information system media containing controlled unclassified information before disposal or release for reuse
The requirement applies to all types of media including removable media. Most types of removable media are flash or SSD media. When you need to dispose of these media use a DoD approved sanitation method. For more detail, you may review our blog post on NIST SP 800-171 CUI Sanitization and Destruction Methods.
In conclusion the safest bet for meeting your NIST 800-171 and CMMC USB compliance requirements is to completely prohibit and block the use of removable media. With modern secure cloud-based file sharing technologies such as OneDrive and SharePoint there is rarely a business justification for using removable media.