MP.L2-3.8.7: Removable Media

Control the use of removable media on system components to prevent unauthorized data transfer or loss of CUI.

Removable media control is simpler than it sounds. You either prohibit USB drives entirely, or you allow only approved encrypted drives through a policy. There is no middle ground of “USB drives are ok if they’re encrypted” without enforcement. That’s just hope. Removable media control works with MP.L2-3.8.6 (portable storage encryption) and MP.L2-3.8.8 (shared media prohibition) to create layered media protection.

MP.L2-3.8.7 At a Glance

  • Block removable media by default through endpoint management
  • If removable media is needed, create an approved device list
  • Use MDM or Group Policy to enforce USB restrictions
  • Allow only encrypted removable devices on the approved list
  • Monitor and log USB device connections
  • Document business justification for any allowed removable media

What the assessor is actually evaluating

The assessor is checking whether your systems can be weaponized against you. Can an employee plug in a personal USB drive and copy contracts to it? Can a contractor connect an external hard drive and exfiltrate source code? Can someone use a USB stick to install malware? These are the scenarios you’re preventing.

There are two paths. The first is to ban all USB: set Group Policy to disable USB ports, use an Intune policy to block USB devices, and disable optical drives and SD card readers. This is the secure approach. The second is to allow USB only for approved encrypted devices: an employee can plug in an authorized Kingston IronKey, but the computer will not recognize a personal USB drive.

Most companies take the second path because completely banning USB is disruptive. You need a USB port occasionally for printer drivers or firmware updates. So you allow USB but control what USB devices work.

The assessment room question will be: “Show me your removable media policy. How is it enforced?” You show your endpoint management policy (Intune, Group Policy, or equivalent) that blocks USB devices or restricts them to an approved list. You show the applied policy on sample computers. You show incident logs showing any unauthorized USB connection attempts.

What a realistic SSP definition looks like

Example SSP Language

"Organization controls the use of removable media on system components through endpoint management policies and approved device lists.

Policy: Removable media (USB drives, external hard drives, SD cards, optical media) are restricted. Personal or unapproved removable media cannot be used on organizational systems.

Approved Media: The following types of removable media are approved: (1) Encrypted USB drives from the approved device list (Kingston IronKey, approved equivalent), (2) External hard drives encrypted with AES-256 (for backup purposes only), (3) Printers requiring USB drivers for setup (USB connection only during initial setup).

Technical Controls: Windows computers are configured via Group Policy to disable or restrict USB devices. Intune device management enforces USB restrictions on all company devices. macOS devices are configured to disable USB port access except for approved peripherals (keyboard, mouse). Mobile devices are managed through MDM with USB file transfer disabled.

Exceptions: If a business need requires temporary USB access, an exception is requested in writing to the CISO. Exceptions include: (1) Initial setup of new devices, (2) Maintenance of specialized equipment. Exceptions are temporary and are revoked after the business need is fulfilled.

Monitoring and Logging: Endpoint management logs all USB connection attempts. Failed attempts (unauthorized devices) are reviewed monthly. Any successful connection of an unapproved device triggers an incident investigation. Logs are retained for one year."

How to present your evidence

Evidence Checklist for MP.L2-3.8.7

  • Group Policy / Intune Policy: Screenshot of USB restriction policy applied to computers
  • MDM Configuration: Mobile device management policy showing USB or removable media restrictions
  • Approved Device List: List of removable media devices approved for use (if any)
  • Removable Media Policy: Written policy document explaining restrictions and exceptions
  • Exception Requests: Any approved exceptions with business justification and expiration date
  • USB Connection Logs: Evidence that endpoint management logs USB device connections
  • Incident Reports: Any attempts to connect unauthorized USB devices and how they were handled
  • Training Records: Staff trained on removable media restrictions during onboarding

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

What You'll Hear in the Assessment Room

Assessor: "I see you have USB ports on your computers. Can I plug in a USB drive?"

What works: "You can, but it won't work. We have a policy that blocks non-approved USB devices. Only Kingston IronKey drives on our approved list will mount." [Demonstrate by plugging in an unapproved USB drive. It fails to mount]

Assessor: "Show me your policy."

What works: "This is our removable media policy. It's enforced through Group Policy on Windows and Intune on all devices. Here's the policy screenshot." [Pull up Group Policy and Intune policy]

Assessor: "What if someone opens a computer, disables the port in BIOS, and re-enables USB?"

What works: "BIOS is locked with a password that only IT personnel know. And even if the BIOS is changed, the Intune policy on the device applies the USB block at the OS level, so USB would still be blocked." [Pull up BIOS password policy and device compliance rules]

Assessor: "Have there been any attempts to use non-approved USB devices?"

What works: "Yes, our logs show attempts. Here are the monthly logs." [Pull up USB connection logs showing failed attempts from unapproved devices]

Assessor: "What's the process if someone has a legitimate need for USB access?"

What works: "They submit an exception request to IT. We review the business need. If approved, we whitelist the device for a limited time. Here's an exception request from last quarter." [Pull up approved exception with business justification and expiration date]

Assessor: "What about printers or other USB peripherals?"

What works: "Printers are networked, not USB-connected. USB peripherals like keyboards and mice are on the Intune peripheral allowlist, so they're allowed. Data transfer via USB is blocked regardless." [Show Intune peripheral allowlist]

Common failures

Why Companies Fail MP.L2-3.8.7

  • No USB restrictions at all. USB devices are allowed to connect without any control. Assessor plugs in a USB drive and accesses the system. Immediate failure.
  • Policy exists but is not enforced. The company has a removable media policy in the handbook, but Group Policy or Intune is not configured. The policy is documented hope.
  • USB is allowed on the basis of "they're encrypted." No technical control exists. Employees are trusted to use only encrypted USB drives, but BIOS has no password, USB is not restricted in policy, and anyone can plug in anything.
  • USB is disabled but there's no exception procedure. Legitimate business needs (printer setup, firmware updates) require temporary USB access but there's no way to grant exceptions. IT staff work around the policy.
  • No logging or monitoring. USB devices are restricted but the company has no idea if anyone is trying to bypass the restrictions or if unapproved devices are connecting.
  • Old computers with outdated policy. Some laptops were set up five years ago and the USB policy was never updated. Assessment uncovers uncontrolled USB on older systems.

How to Pass MP.L2-3.8.7

  • Start with a default deny policy. USB is not allowed unless explicitly approved. This is cleaner than trying to list every bad device.
  • Use Group Policy on Windows. Use Intune on cloud-joined or hybrid-joined devices. Enforce USB restrictions at the OS level.
  • Use MDM for mobile devices. Apple MDM and Android MDM both support USB/removable media restrictions.
  • Lock the BIOS. Set a BIOS password so employees cannot change USB settings in the BIOS to get around the policy. This adds a layer beneath the OS-level control.
  • Create an exception procedure. If USB is needed for legitimate business, define the process: request, approval, whitelist the device, set an expiration, remove it when done.
  • Monitor and log. Configure endpoint management to log all USB connection attempts. Review logs monthly. Report unexpected connections to management.
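As an added example (not part of this guide, and not a Microsoft or Intune artifact), the following PowerShell script does on one Windows endpoint what the two steps above call for: it checks that the Group Policy removable-storage values are actually present, then lists recent device-connection events that do not match an approved device list. The registry paths are the standard Removable Storage Access and Device Installation Restrictions policy locations; the approved-list prefixes are placeholders, and the event review assumes Plug and Play auditing is enabled.

```powershell
# Added example (not from the guide): check that removable-storage policy is
# really applied on this Windows endpoint, then list recent device-connection
# events that do not match the approved device list. Run elevated. Event review
# assumes "Audit PNP Activity" is enabled so Security event 6416
# ("A new external device was recognized by the system") is recorded.

# Constructed approved list: hardware-ID prefixes of sanctioned encrypted drives.
# The VID/PID values are placeholders; substitute your organisation's own.
$ApprovedDevicePrefixes = @('USB\VID_XXXX&PID_YYYY', 'USB\VID_XXXX&PID_ZZZZ')

function Get-PolicyValue($Path, $Name) {
    # Returns $null when the key or value is absent, i.e. the policy is not set.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-RemovableStoragePolicy {
    # Group Policy "Removable Storage Access" and "Device Installation Restrictions"
    # write to these keys; the GUID is the Removable Disks class the templates use.
    $rsd     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $disk    = "$rsd\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    $di      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    $usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    [pscustomobject]@{
        DenyAllRemovableStorage      = (Get-PolicyValue $rsd  'Deny_All')        -eq 1
        DenyRemovableDiskRead        = (Get-PolicyValue $disk 'Deny_Read')       -eq 1
        DenyRemovableDiskWrite       = (Get-PolicyValue $disk 'Deny_Write')      -eq 1
        DenyDeviceInstallUnspecified = (Get-PolicyValue $di   'DenyUnspecified') -eq 1
        HasDeviceInstallAllowList    = Test-Path "$di\AllowDeviceIDs"
        UsbStorDriverDisabled        = (Get-PolicyValue $usbstor 'Start') -eq 4  # 4 = disabled
    }
}

function Get-UnapprovedDeviceEvents([int]$Days = 30) {
    # 6416 records every device the system recognised, approved or not; the policy
    # check above is what shows whether unapproved ones were actually blocked.
    $filter = @{ LogName = 'Security'; Id = 6416; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $id   = ($data | Where-Object Name -eq 'DeviceId').'#text'
        $desc = ($data | Where-Object Name -eq 'DeviceDescription').'#text'
        $approved = $ApprovedDevicePrefixes | Where-Object { $id -like "$_*" }
        if (-not $approved) {
            [pscustomobject]@{ Time = $_.TimeCreated; DeviceId = $id; Description = $desc }
        }
    }
}

Test-RemovableStoragePolicy | Format-List
Get-UnapprovedDeviceEvents -Days 30 | Format-Table -AutoSize
```

The first output is the per-machine evidence that the policy is applied; the second is the monthly review list of connections from devices outside the approved list.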

If you use an MSP/MSSP

Removable Media Control with Managed Service Providers

If your MSP manages endpoints through Intune or Group Policy, require them to implement USB restrictions as specified in your security policy. Request evidence that the policy is applied to all managed devices. Ask for monthly logs of USB connection attempts. If your MSP manages exceptions, require written approval from your CISO before whitelisting any device. Periodically verify that the policy is actually enforced by testing with an unapproved USB device on a managed computer. Do not assume the policy is deployed just because you requested it. Verify through testing.


Disclaimer: This guide is for educational purposes. CMMC Level 2 assessments are conducted by Authorized C3PAO partners. Consult the official NIST SP 800-171 standard and your assessor for definitive requirements.
