CMMC Practice MP.L2-3.8.7 – Removable Media: Control the use of removable media on system components.
Links to Publicly Available Resources
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2. This is a sample removable storage policy for the Colorado Department of Education. While removable media is easy to use and has many business applications, it isn’t without its share of risks. This publication addresses some considerations to keep in mind when using removable media at your organization. This article provides an overview of removable media including the risks associated with this technology and how to implement a control policy. McAfee Total Protection to reduce the attack surface This article breaks down CMMC Section 3.8, which focuses on the media protection for media that contains controlled unclassified information (CUI) The USBGuard software framework provides system protection against intrusive USB devices by implementing basic whitelisting and blacklisting capabilities based on device attributes. This sample policy provided by SANS discusses removable media. This SANS whitepaper discusses a holistic approach to USB port-security. This article provides an overview of the risks associated with removable media for industrial facilities based on a 2018 Honeywell report. This GSA-IT Security MP Procedurals reference provides guidance for the MP security controls identified in NIST SP 800-53 and federal contractor media protection requirements. This document advises on the storage of personal or special category personal data (sensitive data) on portable devices including laptops, USB flash drives, hard drives, other portable storage devices, CDs, DVDs and other portable media. This paper focuses on the risks associated with simple media devices and smart media devices.
Discussion [NIST SP 800-171 R2]
In contrast to requirement MP.L2-3.8.1, which restricts user access to media, this requirement restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical controls (e.g., policies, procedures, and rules of behavior) to control the use of system media. Organizations may control the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling or removing the ability to insert, read, or write to such devices.
Organizations may also limit the use of portable storage devices to only approved devices including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may control the use of portable storage devices based on the type of device, prohibiting the use of writeable, portable devices, and implementing this restriction by disabling or removing the capability to write to such devices. Malicious code protection mechanisms include anti-virus signature definitions and reputation-based technologies. Many technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended.
Further Discussion
Removable media are any type of media storage that you can remove from your computer or machine (e.g., CDs, DVDs, diskettes, and USB drives). Write a specific policy for removable media. The policy should cover the various types of removable media (e.g., write-once media and rewritable media) and should discuss the company’s approach to removable media.
Ensure the following controls are considered and included in the policy:
- limit the use of removable media to the smallest number needed; and
- scan all removable media for viruses.