AC.2.006 Limit use of portable storage devices on external systems.

CMMC Practice AC.2.006: Limit use of portable storage devices on external systems.

Links to Publicly Available Resources

CMMC CLARIFICATION (Ref CMMC – Appendix B)
A portable storage device is a system component that you can insert and remove from a system. You use it to store data or information. Examples of portable storage devices include:

  • floppy disks;
  • compact/digital video disks (CDs/DVDs);
  • flash/thumb drives;
  • external hard disk drives; and
  • flash memory cards/drives that contain nonvolatile memory.

You can put this practice in place two ways:

  • set up a policy that describes the usage restrictions of these devices
  • establish technical means, such as configuring devices to work only when connected to a system to which they can authenticate.