CMMC Practice AC.2.006: Limit use of portable storage devices on external systems.
CMMC CLARIFICATION (Ref CMMC – Appendix B)
A portable storage device is a system component that you can insert into and remove from a system. You use it to store data or information. Examples of portable storage devices include:
- floppy disks;
- compact/digital video disks (CDs/DVDs);
- flash/thumb drives;
- external hard disk drives; and
- flash memory cards/drives that contain nonvolatile memory.
You can put this practice in place in two ways:
- set up a policy that describes the usage restrictions of these devices;
- establish technical means, such as configuring devices to work only when connected to a system to which they can authenticate.