Portable storage encryption is non-negotiable. Any external hard drive, USB stick, or flash drive containing CUI must be encrypted. This is a straightforward technical control with clear evidence. Portable storage encryption complements MP.L2-3.8.7 (removable media control) and MP.L2-3.8.8 (shared media prohibition).
MP.L2-3.8.6 At a Glance
- Encrypt all portable storage with AES-256 or equivalent
- Use hardware-based encryption or full-disk encryption software
- Require strong passwords to unlock encrypted media
- Document which devices are encrypted and their encryption method
- Verify encryption is enabled before media is used
- Include portable storage encryption in device procurement
What the assessor is actually evaluating
The assessor is checking whether your portable storage is protected against physical loss or theft. If someone steals your laptop, the hard drive is encrypted so the thief gets nothing. If someone finds a USB drive in a parking lot, the USB is encrypted so they cannot read it. The encryption is the control. Physical locks and locked drawers are supplemental.
There are two approaches. First, use encrypted devices at purchase time. Kingston IronKey USB drives come with hardware encryption. Seagate Barracuda Pro external drives come with hardware encryption. You buy these, use them, and encryption is automatic. Second, add encryption software to any device: VeraCrypt, BitLocker, or Mac FileVault for external drives. Windows BitLocker can encrypt USB drives. This works but requires manual setup.
For most companies, hardware-encrypted devices are easier. You buy them encrypted and you’re done. For critical backups or specialized use, software encryption is fine. Either way, you need documentation showing what devices you have and that they’re encrypted.
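The software path just described (BitLocker on an external drive, a strong unlock password, a recovery password held in the password manager, and full encryption confirmed before the drive is used) as an added PowerShell example. This is not code from the guide; the function name, the inventory CSV path and the drive letter are my own placeholders. It assumes an elevated session on Windows 10/11 Pro or Enterprise with the BitLocker module, and a freshly mounted drive that is not yet encrypted.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules BitLocker

function Initialize-CuiRemovableDrive {
    <#
      Encrypt a newly purchased removable drive with BitLocker To Go before it enters service.
      Hypothetical helper, not part of the guide. Assumes an elevated session and a
      mounted drive letter that is not yet encrypted.
    #>
    param(
        [Parameter(Mandatory)] [string]$MountPoint,      # e.g. 'E:'
        [Parameter(Mandatory)] [string]$InventoryCsv,    # placeholder path for the device inventory
        [int]$MinPasswordLength = 12                     # the SSP's password rule
    )

    # Refuse to re-provision a drive that already has BitLocker; that is a separate, deliberate step.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        throw "$MountPoint already has BitLocker state '$($vol.VolumeStatus)'; not re-provisioning."
    }

    # Take the unlock password interactively so it never lands in a script or shell history,
    # then enforce the SSP rule (12+ chars, upper, lower, digit, symbol) before touching the drive.
    $password = Read-Host -Prompt "Unlock password for $MountPoint" -AsSecureString
    $plain = [System.Net.NetworkCredential]::new('', $password).Password
    $ok = $plain.Length -ge $MinPasswordLength -and
          $plain -cmatch '[A-Z]' -and $plain -cmatch '[a-z]' -and
          $plain -match '\d' -and $plain -match '[^A-Za-z0-9]'
    $plain = $null
    if (-not $ok) { throw "Password does not meet the $MinPasswordLength-character complexity rule." }

    # AES-CBC 256 unlocks on older Windows hosts as well; XtsAes256 is the other AES-256 choice
    # if every host is current. Full (not used-space-only) encryption so no plaintext remnants remain.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
        -PasswordProtector -Password $password | Out-Null

    # Second key protector: a recovery password, to be placed in the password manager / escrow,
    # never written on the device or left in this file.
    $withRecovery = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $recovery = $withRecovery.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1

    # Wait for encryption to finish: this is the "verify before use" step, not an optional nicety.
    do {
        Start-Sleep -Seconds 5
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    } while ($vol.VolumeStatus -ne 'FullyEncrypted')

    # The serial number comes from the underlying disk and is what the inventory keys on.
    $disk = Get-Partition -DriveLetter $MountPoint.Substring(0, 1) | Get-Disk
    $serial = "$($disk.SerialNumber)".Trim()

    # The inventory row deliberately contains no secret: the protector ID only identifies which
    # password-manager entry holds the recovery password.
    [pscustomobject]@{
        Date                = (Get-Date).ToString('s')
        SerialNumber        = $serial
        Model               = $disk.FriendlyName
        EncryptionMethod    = "$($vol.EncryptionMethod)"
        ProtectionStatus    = "$($vol.ProtectionStatus)"
        RecoveryProtectorId = $recovery.KeyProtectorId
    } | Export-Csv -Path $InventoryCsv -Append -NoTypeInformation

    # Hand the recovery password to the operator once, for the password manager entry.
    Write-Host "Store in password manager -> serial $serial, protector $($recovery.KeyProtectorId):"
    Write-Host $recovery.RecoveryPassword
}

# Usage (placeholder path):
# Initialize-CuiRemovableDrive -MountPoint 'E:' -InventoryCsv 'C:\CMMC\portable-storage-inventory.csv'
```

The design choice worth noting is what the inventory row does not contain: neither the unlock password nor the recovery password is written to disk by the script, only the key protector ID that ties the drive to its password-manager entry. That keeps the inventory safe to hand to an assessor as evidence.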
Small contractors often ask: “Do we really need this for USB drives?” Yes. If a single USB drive with client contracts gets lost, and it’s not encrypted, you have a data breach. The cost of an encrypted USB drive is under fifty dollars. The cost of a breach notification is tens of thousands. Budget for encryption.
What a realistic SSP definition looks like
Example SSP Language
"Organization implements cryptographic mechanisms to protect CUI on portable storage devices.
Device Selection: All portable storage procured for organizational use must support AES-256 encryption. Approved devices include Kingston IronKey (hardware encrypted), WD My Passport (hardware encrypted), and approved external drives used with BitLocker software encryption.
Encryption Implementation: Hardware-encrypted devices are configured at purchase with a strong password. Software-encrypted devices (external drives with VeraCrypt or BitLocker) are encrypted before being placed in service. The encryption key or password is stored securely (hardware token, password manager, or key escrow).
Approved Media: Organization maintains a list of approved portable storage devices. Only approved encrypted devices may contain CUI. Use of non-approved devices is prohibited. This is enforced through endpoint management policy blocking USB devices that are not on the approved list or lack encryption.
Password Management: Encryption passwords are at least 12 characters and include uppercase, lowercase, numbers, and symbols. Passwords are not written on the device. They are stored in a secure password manager or hardware security key. If a device is lost, the password is changed or the device is destroyed.
Verification: When a new portable storage device is acquired, the encryption is verified through a test: attempt to access the device without the password. Access should be denied. This is documented in the device inventory."
How to present your evidence
Evidence Checklist for MP.L2-3.8.6
- Portable Storage Inventory: List of all external drives, USB sticks, and removable media with serial numbers, encryption method, and encryption status
- Encryption Verification: Screenshots or reports showing encryption is enabled on each device
- Device Procurement Policy: Documentation of approved encrypted devices
- Software Encryption Configuration: If using software encryption, documentation showing BitLocker, VeraCrypt, or equivalent is configured
- Password Management: Policy showing how encryption passwords are stored and protected
- Hardware Encrypted Device Receipts: Proof that Kingston IronKey or similar hardware-encrypted devices were purchased and deployed
- Test Results: Verification tests showing devices cannot be accessed without the encryption password
- Incident Reports: Any lost portable media and confirmation that no data was recoverable because it was encrypted
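The inventory and the verification test items in the checklist, as an added PowerShell example (not code from the guide). It assumes an elevated session with the BitLocker module; the function names, CSV paths and the placeholder serial number are my own. One caveat it handles: a hardware-encrypted drive such as an IronKey shows up as an ordinary volume once unlocked, so its compliance is decided by matching its serial number against the approved-device list, not by BitLocker state.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules BitLocker

function Get-RemovableStorageInventory {
    <#
      One row per removable volume currently attached, with serial number, BitLocker method and
      status, and a Compliant flag. Hypothetical helper, not the guide's code.
      Hardware-encrypted drives (IronKey and similar) appear as ordinary volumes once unlocked,
      so they are matched by serial against the approved-device list instead of by BitLocker state.
    #>
    param([string[]]$ApprovedHardwareSerials = @())   # serials from the approved-device list

    Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } | ForEach-Object {
        $letter = [string]$_.DriveLetter
        $mp     = "${letter}:"
        $disk   = Get-Partition -DriveLetter $letter -ErrorAction SilentlyContinue |
                  Get-Disk -ErrorAction SilentlyContinue
        $bl     = Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue
        $serial = "$($disk.SerialNumber)".Trim()

        $method = if ($bl) { "$($bl.EncryptionMethod)" } else { 'None' }
        # Software-encrypted: fully encrypted, protection on, and an AES-256 method.
        $softwareOk = $bl -and
                      "$($bl.VolumeStatus)" -eq 'FullyEncrypted' -and
                      "$($bl.ProtectionStatus)" -eq 'On' -and
                      $method -in @('Aes256', 'XtsAes256')
        # Hardware-encrypted: on the approved list by serial number.
        $hardwareOk = $serial -and ($ApprovedHardwareSerials -contains $serial)

        [pscustomobject]@{
            Date             = (Get-Date).ToString('s')
            MountPoint       = $mp
            Model            = $disk.FriendlyName
            SerialNumber     = if ($serial) { $serial } else { '(unknown)' }
            CapacityGB       = [math]::Round($_.Size / 1GB, 1)
            EncryptionMethod = if ($hardwareOk) { 'Hardware (approved list)' } else { $method }
            VolumeStatus     = if ($bl) { "$($bl.VolumeStatus)" } else { 'FullyDecrypted' }
            ProtectionStatus = if ($bl) { "$($bl.ProtectionStatus)" } else { 'Off' }
            KeyProtectors    = if ($bl) { ($bl.KeyProtector.KeyProtectorType -join '+') } else { '' }
            Compliant        = [bool]($softwareOk -or $hardwareOk)
        }
    }
}

function Test-RemovableDriveLocked {
    <#
      The "access without the password" test from the SSP: lock the volume as a finder of a
      lost drive would see it, then try to list it. Returns a PASS/FAIL row for the evidence file.
    #>
    param([Parameter(Mandatory)] [string]$MountPoint)   # e.g. 'E:'

    Lock-BitLocker -MountPoint $MountPoint -ForceDismount | Out-Null
    $status = "$((Get-BitLockerVolume -MountPoint $MountPoint).LockStatus)"

    $readable = $true
    try   { Get-ChildItem -Path "$MountPoint\" -ErrorAction Stop | Out-Null }
    catch { $readable = $false }       # access refused is the expected outcome

    [pscustomobject]@{
        Date                    = (Get-Date).ToString('s')
        MountPoint              = $MountPoint
        LockStatus              = $status
        ReadableWithoutPassword = $readable
        Result                  = if ($status -eq 'Locked' -and -not $readable) { 'PASS' } else { 'FAIL' }
    }
}

# Usage (placeholder paths; the serial list would come from the approved-device list):
# Get-RemovableStorageInventory -ApprovedHardwareSerials @('IRONKEY-SERIAL-PLACEHOLDER') |
#     Export-Csv 'C:\CMMC\portable-storage-inventory.csv' -Append -NoTypeInformation
# Test-RemovableDriveLocked -MountPoint 'E:' |
#     Export-Csv 'C:\CMMC\encryption-test-results.csv' -Append -NoTypeInformation
```

Run the inventory on the machine where drives are checked in, append the rows to the CSV each time, and keep the PASS/FAIL rows from the lock test alongside the screenshots; a drive that reports `Compliant = False` and is not on the approved hardware list is exactly the finding an assessor would write up.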
Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.
What You'll Hear in the Assessment Room
Assessor: "Do you use portable storage containing CUI?"
What works: "We use encrypted external drives and USB sticks. All of them are either hardware-encrypted or software-encrypted with BitLocker. Here's our inventory." [Pull up device list]
Assessor: "Show me one. I want to see how the encryption works."
What works: [Plug in a Kingston IronKey USB drive. It asks for a password before mounting.] "This is a hardware-encrypted USB. Without the password, you cannot access it. The encryption is built into the drive controller."
Assessor: "What about external hard drives?"
What works: "All external drives are encrypted with BitLocker. When you plug it in, it asks for a password before mounting." [Plug in an encrypted external drive to demonstrate]
Assessor: "If someone loses a USB drive, what happens?"
What works: "The drive is encrypted so data cannot be accessed without the password. We still report the loss and deactivate the password in our password manager to prevent potential brute-force attacks. Here's an incident report from when this happened last year." [Pull up incident report]
Assessor: "Are employees allowed to bring their own USB drives?"
What works: "No. Endpoint management policy blocks non-approved USB devices. Only approved encrypted drives are allowed. If an employee needs portable storage, they use an organizational device." [Pull up MDM policy]
Assessor: "How do you manage the encryption passwords?"
What works: "Passwords are stored in our secure password manager and accessible only to authorized IT staff. Passwords are at least 12 characters and changed when devices are transferred or retired." [Pull up password manager policy]
Common failures
Why Companies Fail MP.L2-3.8.6
- Portable storage is not encrypted. An external hard drive or USB stick contains CUI but has no encryption. Assessor asks how it's protected and you say "it's in a locked office." That's not sufficient.
- USB drives are prohibited but not enforced. Policy says USB drives need encryption, but no endpoint management blocks non-encrypted USB. Employees are using non-approved drives without consequences.
- No inventory of portable storage. Company doesn't know how many USB drives or external drives exist or whether they're encrypted.
- Encryption password is weak or shared. The USB drive is encrypted but the password is "password123" written on a Post-it. Or everyone knows the same password.
- "We don't use portable storage." But then they use USB drives for backups or to move files between offices without documenting they're encrypted.
- Lost device is not properly handled. When a drive is lost, IT doesn't know to change the encryption password or destroy the device. Months later, someone finds the drive and accesses it.
How to Pass MP.L2-3.8.6
- Use hardware-encrypted devices. Kingston IronKey, WD My Passport, or similar. Encryption is transparent and automatic.
- Create an inventory. List every external drive and USB stick the company owns. Note which are encrypted and which are not allowed on the network.
- Block non-approved USB. Use Intune or Group Policy to prevent USB devices from connecting unless they're on an approved list or pass encryption checks.
- Use strong passwords. 12+ characters, mixed case, numbers, and symbols. Store them in a password manager.
- Test encryption. Try to mount an encrypted device without the password. Confirm access is denied. Document the test.
- Replace old drives. If you have old non-encrypted external drives sitting around, either encrypt them or physically destroy them.
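The "block non-approved USB" and "use strong passwords" steps above, turned into a policy check as an added PowerShell example (not code from the guide). It assumes Group Policy is the enforcement mechanism and reads the registry values the BitLocker and Device Installation ADMX templates write; the expected values follow the SSP language (AES-256, 12+ character passwords), the reading of `RDVPassphraseComplexity` = 1 as "require complexity" is my own from the ADMX, and the function names are mine. An Intune-managed estate would use its configuration report as the evidence instead of this script.

```powershell
function Test-RemovableMediaPolicy {
    <#
      Check the Group Policy settings that enforce "encrypted removable drives only" and
      "no device installs outside the allow list". Hypothetical helper, not the guide's code.
      Registry paths and value names are the ones the BitLocker and Device Installation ADMX
      templates write; expected values follow the SSP (AES-256, 12+ char passwords).
    #>
    $fveSystem   = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'
    $fveSoftware = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $devInstall  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

    $checks = @(
        @{ Setting = 'Deny write access to removable drives not protected by BitLocker'
           Path = $fveSystem;   Value = 'RDVDenyWriteAccess';         Test = { param($v) $v -eq 1 };  Want = '1' }
        @{ Setting = 'Deny write access to drives encrypted by another organization'
           Path = $fveSystem;   Value = 'RDVDenyCrossOrg';            Test = { param($v) $v -eq 1 };  Want = '1' }
        @{ Setting = 'Removable drive encryption method is AES-256 (4 = AES-CBC 256, 7 = XTS-AES 256)'
           Path = $fveSoftware; Value = 'EncryptionMethodWithXtsRdv'; Test = { param($v) $v -in 4, 7 }; Want = '4 or 7' }
        @{ Setting = 'Password protector allowed on removable drives'
           Path = $fveSoftware; Value = 'RDVPassphrase';              Test = { param($v) $v -eq 1 };  Want = '1' }
        @{ Setting = 'Password required on removable drives'
           Path = $fveSoftware; Value = 'RDVEnforcePassphrase';       Test = { param($v) $v -eq 1 };  Want = '1' }
        @{ Setting = 'Minimum removable drive password length is 12 or more'
           Path = $fveSoftware; Value = 'RDVPassphraseLength';        Test = { param($v) $v -ge 12 }; Want = '>= 12' }
        @{ Setting = 'Password complexity required (1 = require, per the ADMX)'
           Path = $fveSoftware; Value = 'RDVPassphraseComplexity';    Test = { param($v) $v -eq 1 };  Want = '1' }
        @{ Setting = 'Device installation denied unless on the allow list'
           Path = $devInstall;  Value = 'DenyUnspecified';            Test = { param($v) $v -eq 1 };  Want = '1' }
    )

    foreach ($c in $checks) {
        # A missing value means the policy is not applied here, which is a FAIL, not an unknown.
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        [pscustomobject]@{
            Setting  = $c.Setting
            Registry = "$($c.Path)\$($c.Value)"
            Expected = $c.Want
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            Pass     = ($null -ne $actual) -and [bool](& $c.Test $actual)
        }
    }
}

function Get-AllowedDeviceIds {
    # The hardware IDs the Device Installation allow list permits (numbered string values 1, 2, ...).
    # This is the list to reconcile against the approved-device inventory.
    $p = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\AllowDeviceIDs'
    if (Test-Path $p) {
        (Get-ItemProperty -Path $p).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    }
}

# Usage: every FAIL row is a finding to fix before the assessment. An empty allow list with
# DenyUnspecified = 1 means no USB storage installs at all; confirm that is what you intend.
# Test-RemovableMediaPolicy | Format-Table Setting, Expected, Actual, Pass -AutoSize
# Get-AllowedDeviceIds
```

The write-deny setting is the one that closes the gap described under "USB drives are prohibited but not enforced": with it applied, an unencrypted stick still mounts read-only, so CUI cannot be copied onto it regardless of what the policy document says.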
If you use an MSP/MSSP
Portable Storage Encryption with Managed Service Providers
If your MSP provides portable storage or manages device encryption, require a service agreement specifying AES-256 encryption or equivalent. Request monthly reports of all encrypted devices and their status. If your MSP handles password management for encrypted devices, verify they use a secure password manager with access controls. For critical backups or sensitive data transport, include portable storage encryption in your SLA. Request evidence that devices are encrypted before they're put into service. You remain responsible for auditing compliance, so periodically verify that devices your MSP uses are actually encrypted and that passwords are properly managed.
Disclaimer: This guide is for educational purposes. CMMC Level 2 assessments are conducted by Authorized C3PAO partners. Consult the official NIST SP 800-171 standard and your assessor for definitive requirements.