CMMC Practice MP.L2-3.8.8 – Shared Media: Prohibit the use of portable storage devices when such devices have no identifiable owner.
Links to Publicly Available Resources
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2. This is a sample removable storage policy for the Colorado Department of Education. The Principle of Least Privilege (POLP) is widely considered to be one of the most effective practices for strengthening an organization’s cybersecurity posture, in that it allows organizations to control and monitor network and data access. By applying the principle of least privilege, organizations can limit the reach of user access into their network, information systems and media access. The DCSA CUI Program Office is dedicated to providing up-to-date information, tools, and resources to support Industry's implementation of CUI programs. This Defense Counterintelligence and Security Agency (DCSA) Controlled Unclassified Information (CUI) webpage is routinely updated with news and information related to DCSA’s CUI oversight responsibilities. The cybersecurity risk of using unknown QR codes and how to mitigate it. This article provides an overview of removable media including the risks associated with this technology and how to implement a control policy. McAfee Total Protection to reduce the attack surface This article breaks down CMMC Section 3.8, which focuses on the media protection for media that contains controlled unclassified information (CUI) The USBGuard software framework provides system protection against intrusive USB devices by implementing basic whitelisting and blacklisting capabilities based on device attributes. This sample policy provided by SANS discusses removable media. This SANS whitepaper discusses a holistic approach to USB port-security. This article provides an overview of the risks associated with removable media for industrial facilities based on a 2018 Honeywell report. This GSA-IT Security MP Procedurals reference provides guidance for the MP security controls identified in NIST SP 800-53 and federal contractor media protection requirements. This paper focuses on the risks associated with simple media devices and smart media devices.
Discussion [NIST SP 800-171 R2]
Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the overall risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., insertion of malicious code).
Further Discussion
A portable storage device is a system component that can be inserted into and removed from a system and is used to store data or information. It typically plugs into a laptop or desktop port (e.g., USB port). These devices can contain malicious files that can lead to a compromise of a connected system. Therefore, use should be prohibited if the device cannot be traced to an owner who is responsible and accountable for its security.
This practice, MP.L2-3.8.8, furthers the protections provided by MP.L2-3.8.7 by prohibiting unidentified media use even if that media type is allowable.