This control addresses a simple but common problem: someone with a laptop takes it home, plugs in an external drive, copies CUI files, and drives it to a contractor’s facility. Your policy needs to prevent that, and you need to prove the prevention is actually working. This is part of the broader strategy for controlling external access covered in AC.L2-3.1.20 (external connections) and AC.L2-3.1.19 (mobile device encryption).
What the assessor is actually evaluating
The NIST language says “limit the use of portable storage devices (e.g. USB) on external information systems.” The assessor is checking:
Do you have a policy prohibiting or restricting USB/removable media? Not just a vague statement. A clear policy that says portable storage devices are restricted and explains when they’re allowed (if at all).
Is the restriction actually enforced? Technical controls matter. If your policy says USB is disabled, the assessor will ask how it's disabled: Group Policy, BIOS restrictions, hardware locks, or MDM policies. They want to see evidence that USB storage is actually blocked, not just a statement that it is.
What happens on devices used outside your control? If an employee takes a laptop home, can they plug in a USB drive? Your policy needs to address remote work, home office, and external devices.
Do you have a process for managing approved removable media? If you do allow some USB drives (for legitimate data transfer or backups), there needs to be a documented process for approving and tracking them, and proof they’re encrypted.
What a realistic SSP definition looks like
[Organization Name] restricts the use of portable storage devices (USB drives, SD cards, external hard drives) to prevent data leakage from systems handling CUI. Our policy prohibits the use of personal or unapproved portable storage devices on any system that can access CUI.
All organization-provided devices used to access CUI have USB ports and removable media disabled through Group Policy or MDM configuration. This applies to office devices and remote work devices equally. Devices are monitored to ensure USB restrictions remain in place.
For legitimate data transfer needs, organization-provided and encrypted USB drives may be used, but only within the office environment and only with IT Director approval. Encrypted portable storage is tracked in an equipment inventory and its use is logged. Devices taken outside the office cannot use any portable storage without exception.
External systems that may temporarily connect to our network (contractor devices, third-party laptops) are not allowed to use portable storage containing CUI. Personal devices are not permitted to access CUI systems under any circumstances.
Notice: the policy distinguishes between office and remote work environments, addresses approved vs. unapproved media, and explains what happens with external devices. If approved portable storage is used, encryption requirements tie to SC.L2-3.13.11 (encryption at rest).
How to present your evidence
- Portable Storage Restriction Policy (USB, SD cards, removable media)
- Group Policy or MDM configuration showing USB disabled on all CUI devices
- Device configuration showing USB ports are disabled or restricted
- Monitoring evidence showing USB restrictions are active across all devices
- List of approved portable storage devices (if any) with encryption verification
- Portable storage inventory and usage logs
Your portable storage policy. The documented policy stating that USB drives and removable media are prohibited on systems accessing CUI. If you allow some approved storage, explain the approval process and encryption requirement.
Group Policy or MDM configuration. For Windows devices, show the Group Policy setting that disables USB. For macOS, show the similar restriction. For MDM-enrolled devices, show the policy enforcing USB restrictions.
Proof that USB is disabled on devices. Plug in a USB drive and show it doesn’t work. Or pull up a device’s Device Manager showing USB devices are disabled. Or show an event log entry when someone tries to use USB.
Monitoring and compliance. Evidence that you’re actively checking devices to ensure USB restrictions are in place. This might be a compliance scan from an EDR tool or a monthly audit report.
Remote work restrictions. Proof that remote work devices also have USB disabled. The SSP should explicitly state that external/remote devices don’t get an exception.
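The configuration and monitoring evidence above can be gathered with a short script rather than by hand. The following is an added example, not code from the original article: it checks a Windows endpoint for the two common enforcement points (the "All Removable Storage classes: Deny all access" Group Policy, which writes `Deny_All` under the `RemovableStorageDevices` policy key, and the USBSTOR driver being disabled with `Start = 4`), runs that same check across a list of hostnames so office and remote devices appear in one report, and pulls recent Security event 6416 entries (new external device recognized, logged when "Audit PnP Activity" is enabled). The hostnames are constructed placeholders, and the helper functions are names chosen here; Invoke-Command assumes PowerShell remoting is already enabled on the fleet.

```powershell
# Added example: verify USB storage restrictions on a Windows endpoint and across a fleet.
# Assumes enforcement is via the RemovableStorageDevices Group Policy and/or a disabled USBSTOR driver.

function Test-UsbRestriction {
    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

    # "All Removable Storage classes: Deny all access" sets Deny_All = 1.
    $denyAll = (Get-ItemProperty -Path $policyKey -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
    # Start = 4 means the USB mass-storage driver is disabled and will not load.
    $usbstorStart = (Get-ItemProperty -Path $usbstorKey -Name 'Start' -ErrorAction SilentlyContinue).Start

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        DenyAllPolicy   = ($denyAll -eq 1)
        UsbstorDisabled = ($usbstorStart -eq 4)
        Compliant       = (($denyAll -eq 1) -or ($usbstorStart -eq 4))
        CheckedAt       = (Get-Date).ToString('s')
        Error           = $null
    }
}

function Get-UsbRestrictionReport {
    param([string[]]$ComputerName)
    # Run the same check on every device; a device that cannot be reached is reported as
    # non-compliant rather than silently skipped, so gaps show up in the evidence.
    foreach ($name in $ComputerName) {
        try {
            Invoke-Command -ComputerName $name -ScriptBlock ${function:Test-UsbRestriction} -ErrorAction Stop |
                Select-Object ComputerName, DenyAllPolicy, UsbstorDisabled, Compliant, CheckedAt, Error
        } catch {
            [pscustomobject]@{
                ComputerName = $name; DenyAllPolicy = $null; UsbstorDisabled = $null
                Compliant = $false; CheckedAt = (Get-Date).ToString('s'); Error = $_.Exception.Message
            }
        }
    }
}

function Get-RecentExternalDeviceEvents {
    param([int]$Days = 30)
    # Security event 6416 ("A new external device was recognized by the system") requires
    # the "Audit PnP Activity" subcategory; entries on a CUI device deserve review.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6416; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# Usage (hostnames are constructed placeholders):
$fleet  = @('LAPTOP-OFFICE-01', 'LAPTOP-REMOTE-07')
$report = Get-UsbRestrictionReport -ComputerName $fleet
$report | Format-Table -AutoSize
$report | Export-Csv -Path .\usb-restriction-report.csv -NoTypeInformation
$report | Where-Object { -not $_.Compliant } | ForEach-Object { Write-Warning "USB restriction missing on $($_.ComputerName)" }
Get-RecentExternalDeviceEvents -Days 30 | Format-Table -AutoSize
```

Running this on a schedule and keeping the exported CSV gives you the "monitoring evidence" line item directly, and including remote laptops in the hostname list is what proves the restriction is not office-only. If your MDM enforces the restriction through a different mechanism, check the registry values that product actually writes instead of the two assumed here.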
Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.
Common failures
No USB restriction policy. If you don't have a documented policy addressing portable storage, that's a finding. The policy doesn't have to be elaborate, but it needs to exist and be clear.
Policy says USB is restricted but it's not actually disabled. The assessor plugs in a USB drive and it works. This is a critical failure. Technical enforcement is essential—a policy statement alone doesn't prevent the risk.
USB is disabled in the office but allowed on remote devices. Remote work devices need the same restrictions. If someone can work from home and use a USB drive, this control fails.
No monitoring or compliance checks. You set USB restrictions but you don't verify they're still in place. If someone re-enabled USB and nobody noticed, you're not controlling portable storage.
Approved portable storage without encryption. If you allow any USB drives (which is optional), they must be encrypted and tracked. Unencrypted portable storage defeats the purpose of controlling it.
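Where approved drives are allowed, the encryption and inventory requirements can be checked on the device itself. The following is an added example, not code from the original article: it confirms the BitLocker To Go policy "Deny write access to removable drives not protected by BitLocker" (registry value `RDVDenyWriteAccess` under the FVE policy key) is in force, then lists every USB-attached disk with its serial number and BitLocker protection status and flags whether the serial appears in the approved inventory. The inventory serial numbers are constructed placeholders, and the function names are chosen here; it assumes the BitLocker and Storage PowerShell modules that ship with Windows.

```powershell
# Added example: verify approved removable media is encrypted and inventoried.
# Approved serial numbers below are constructed placeholders for the organization's inventory.
$approvedSerials = @('PLACEHOLDER-SERIAL-0001', 'PLACEHOLDER-SERIAL-0002')

function Test-RemovableWritePolicy {
    # Group Policy "Deny write access to removable drives not protected by BitLocker"
    # writes RDVDenyWriteAccess = 1 under the FVE policy key.
    $fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $value  = (Get-ItemProperty -Path $fveKey -Name 'RDVDenyWriteAccess' -ErrorAction SilentlyContinue).RDVDenyWriteAccess
    return ($value -eq 1)
}

function Get-AttachedUsbMedia {
    param([string[]]$ApprovedSerials)
    # Get-Disk exposes BusType and SerialNumber; partitions give the drive letters that
    # Get-BitLockerVolume needs as a mount point.
    Get-Disk | Where-Object BusType -eq 'USB' | ForEach-Object {
        $disk   = $_
        $serial = "$($disk.SerialNumber)".Trim()
        $letters = $disk | Get-Partition | Where-Object { "$($_.DriveLetter)" -match '^[A-Za-z]$' } |
            Select-Object -ExpandProperty DriveLetter
        foreach ($letter in $letters) {
            $mount = "${letter}:"
            $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Serial               = $serial
                Model                = $disk.FriendlyName
                MountPoint           = $mount
                Approved             = ($ApprovedSerials -contains $serial)
                BitLockerOn          = ($null -ne $bl -and $bl.ProtectionStatus -eq 'On')
                EncryptionPercentage = if ($bl) { $bl.EncryptionPercentage } else { 0 }
            }
        }
    }
}

# Usage: policy state plus a per-drive table that can go straight into the evidence package.
"Deny write to unprotected removable drives: $(Test-RemovableWritePolicy)"
$media = Get-AttachedUsbMedia -ApprovedSerials $approvedSerials
$media | Format-Table -AutoSize
$media | Where-Object { -not $_.Approved -or -not $_.BitLockerOn } |
    ForEach-Object { Write-Warning "Unapproved or unencrypted removable media at $($_.MountPoint) (serial $($_.Serial))" }
```

A drive that shows Approved but not BitLockerOn, or BitLockerOn but not Approved, is exactly the finding described above: either the inventory or the encryption requirement is not being met, and the output makes that visible without the assessor having to take your word for it.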
A clear portable storage policy. USB disabled on all CUI devices (proven by attempting to connect a drive). Remote work devices also restricted. If approved storage is used, it's encrypted and inventoried. Compliance monitoring shows restrictions are active. That's a passing control that works together with your mobile device controls and external system restrictions.
If you use an MSP/MSSP
If your MSP manages device configuration and compliance monitoring, they should be responsible for implementing and verifying USB restrictions.
What’s typically on you:
- Approving the USB restriction policy
- Approving any exceptions (rare)
- Reviewing periodic compliance reports
What’s typically on the MSP:
- Configuring Group Policy, MDM, or BIOS settings to disable USB
- Monitoring devices to ensure restrictions are in place
- Alerting you if USB restrictions are disabled on any device
- Managing any approved portable storage (encryption, inventory, logging)
In the assessment, the MSP should be able to show the Group Policy or MDM configuration, explain how USB is disabled, and demonstrate a compliance scan showing all devices are compliant. They should also be able to explain what they do if a device’s USB restriction fails.
Assessors often attempt to connect a USB device during the assessment to verify it's blocked. Have your USB policy documented and your endpoint management dashboard ready to show compliance. Make sure the policy applies to remote work devices as well as office devices. Know your approved portable storage (if any) and verify it's encrypted. Don't assume USB is blocked everywhere; verify it across all device types and locations.
The most common gap I see on this control is that USB is disabled in the office but overlooked on remote work devices. If your policy applies only to office devices, this control fails. USB restrictions need to be deployed on every device that accesses CUI, regardless of where it's used. Make sure your MSSP applies USB restrictions to remote work devices the same way they apply to office devices.
This page covers AC.L2-3.1.21 from NIST SP 800-171 Rev 2 (3.1.21). The guidance here is based on experience in real CMMC assessments and is intended to help you prepare. It is not legal or compliance advice. Your organization’s situation is unique, and you should work with qualified professionals for formal assessment preparation.