MP.L2-3.8.8

MP.L2-3.8.8: Shared Media

Prohibit the use of portable storage devices when such devices have no identifiable owner. The point is accountability: if you cannot say who is responsible for a device, you cannot say who moved CUI onto it or who lost it.

This practice is refreshingly simple. You cannot have shared portable storage. Every USB drive must belong to someone. If you find a USB drive with no clear owner, it should not be plugged into any system that processes CUI. Shared media prohibition works with MP.L2-3.8.6 (portable storage encryption) and MP.L2-3.8.7 (removable media control) to prevent unauthorized data transfer.

MP.L2-3.8.8 At a Glance

  • All portable storage must have a single identified owner
  • Devices are labeled with owner name or employee ID
  • Shared drives for group backups are not permitted
  • Devices are checked out and returned like library books
  • Lost or found devices are immediately reported
  • Staff trained on ownership requirements

What the assessor is actually evaluating

The assessor is checking whether you can track who did what with portable media. If a USB drive is used by five different people, you cannot determine who copied CUI to it or who lost it with sensitive data on it. Accountability breaks. If every USB drive is owned by one person, that person is responsible. They know when it was last used. If it goes missing, they report it immediately. They control who else touches it.

This is a cultural and administrative control, not a technical one. You don’t need special software. You need a policy and discipline. The policy says: no shared drives. Every drive has an owner. Owners are responsible for storage, use, and reporting loss. Staff training reinforces this. Inspections find shared drives and remove them.

Small contractors might ask: “Can our team share a backup drive?” The answer is no. Instead, each team member gets their own encrypted external drive and is responsible for it. If a backup is shared, it breaks MP.L2-3.8.8. If you need team backup storage, that belongs on a shared server or cloud storage with access controls, not on a physical USB drive.

What a realistic SSP definition looks like

Example SSP Language

"The organization prohibits the use of shared or unowned portable storage devices.

Ownership Requirement: All portable storage devices (USB drives, external hard drives, portable SSD) containing CUI must be assigned to a single identified employee. The device is labeled with the owner's name and employee ID. The device inventory maintains the current owner and any transfers of ownership.

Ownership Responsibility: The designated owner is responsible for the physical security, encryption, use, and reporting of the device. The owner ensures the device is locked or encrypted, is not left unattended in public areas, and is reported immediately if lost or stolen.

Shared Storage Alternative: If a team requires shared storage for backup or file transfer, the data is stored on a shared network drive or cloud storage with role-based access controls. Physical portable storage is not used for shared purposes.

Labeling: All organizational portable storage is labeled with an asset tag or written label identifying the owner. Personal USB drives are not used for organizational CUI.

Inspection and Remediation: During security audits, all portable storage is inspected. Any device found without a clear owner is removed from the organization. Any shared device found in use is immediately removed and the owners are retrained."

How to present your evidence

Evidence Checklist for MP.L2-3.8.8

  • Portable Storage Inventory: List of all portable devices with serial number, owner name, and owner ID
  • Device Labels: Photo evidence of devices labeled with owner names
  • Shared Media Policy: Written policy prohibiting shared or unowned portable storage
  • Check-Out Procedure: If devices are issued and returned, documentation of the process
  • Inspection Records: Quarterly or semi-annual audits confirming all devices have identifiable owners
  • Training Records: Staff training on ownership requirements
  • Incident Reports: Any shared or unowned devices found and how they were handled
  • Lost Device Reports: Reports of lost portable storage and actions taken

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

What You'll Hear in the Assessment Room

Assessor: "Are there any shared USB drives or portable storage in your organization?"

What works: "No. Every portable device is assigned to a single owner. If a team needs shared storage, they use cloud drives or shared network storage, not physical USB drives." [Pull up policy]

Assessor: "Show me your portable storage inventory."

What works: "Here's our inventory. Each device has a serial number and the owner's name and employee ID. We inspect quarterly to confirm all devices are still owned and accounted for." [Pull up inventory]

Assessor: "Show me a physical device. Is it labeled?"

What works: [Hold up a device with a label showing the owner's name and ID] "Yes, all devices are labeled. The owner is responsible for the device."

Assessor: "What happens if a device is found without an owner?"

What works: "We remove it from the organization. During our last inspection, we found one unowned drive. We removed it, and we retrained the team on ownership requirements." [Pull up incident report and training record]

Assessor: "If a device is lost or stolen, what's the procedure?"

What works: "The owner immediately reports it to IT and management. We remove the device from inventory, and because the device was encrypted and the passphrase was not stored with it, we documented that no CUI was exposed. Here's an example from six months ago." [Pull up lost device report]

Assessor: "Do employees ever use personal USB drives for work?"

What works: "No, this is prohibited. Our endpoint management blocks non-approved USB devices. And our policy requires all work data to be on organizational devices only." [Pull up USB restriction policy]

Common failures

Why Companies Fail MP.L2-3.8.8

  • Shared USB drives are in use. A drive sits in a common area or with a shared password. Multiple people use it. Assessor asks who owns it and finds no answer.
  • No inventory of portable storage. Company doesn't know how many USB drives exist or who owns them.
  • Personal USB drives are used for work. Employees bring in personal drives and use them for organizational data with no tracking or control.
  • Devices are not labeled. A USB drive has no indication of who owns it. If found, the organization doesn't know who to contact.
  • Lost devices are not reported. A USB drive goes missing and the owner doesn't tell anyone. No incident investigation occurs.
  • Shared team backup drive. The team argues that a shared external drive is convenient for backups. Policy prohibits it, but the team uses it anyway and IT never checks, so nothing enforces the policy.

How to Pass MP.L2-3.8.8

  • Create an inventory. List every USB drive and external drive the company owns. Assign an owner to each one. Write names on the devices.
  • Get buy-in from leadership. Explain that shared drives create accountability gaps. Management directs all shared storage to be done on the network, not on USB.
  • Train staff. One sentence: "Every USB drive you use belongs to someone. If you use a device, you're responsible for it. Keep it secure."
  • Inspect periodically. Walk around. Look for USB drives. Ask the owner if they own it. If no owner can be identified, remove the drive.
  • Report lost devices. Establish a procedure: if a device is lost, the owner tells IT immediately. Document it in an incident report.
  • Block personal devices. Use endpoint management to block non-approved USB devices, and reconcile what the endpoints have actually seen against the inventory. This prevents personal drives from being used and turns up devices the inventory missed.
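
The inventory, inspection and blocking steps above are administrative, but a Windows host keeps its own record of every USB mass-storage device that has ever been plugged into it, and that record can be reconciled against the owner inventory. The PowerShell script below is an added example, not code from the original page. It reads a constructed sample inventory (replace it with Import-Csv of your real inventory file), enumerates the device serials recorded under the USBSTOR registry key, flags devices with no inventory owner, devices that report no serial at all, and inventory entries with more than one owner, and reports whether the local "All Removable Storage classes: Deny all access" policy value (Deny_All under HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices) is set. The names, employee IDs and serials in the sample data are assumptions.

```powershell
# Added example (not from the original page): reconcile USB storage devices seen on this
# Windows host against the organization's owner inventory, and check whether the
# "All Removable Storage classes: Deny all access" policy is applied locally.
# Inventory rows below are constructed sample data; in practice use:
#   $Inventory = Import-Csv .\portable-storage-inventory.csv

$InventoryCsv = @"
Serial,Owner,EmployeeId
4C530001234567890123,Alice Example,E1001
0123456789ABCDEF,Bob Example,E1002
0123456789ABCDEF,Carol Example,E1003
"@
$Inventory = $InventoryCsv | ConvertFrom-Csv

# Windows records every USB mass-storage device ever attached under USBSTOR.
# Key layout: USBSTOR\<Disk&Ven_x&Prod_y&Rev_z>\<serial&instance>
# Devices that report no serial get a Windows-generated ID whose second character is '&'.
$UsbStor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
$Seen = @()
if (Test-Path $UsbStor) {
    foreach ($model in Get-ChildItem $UsbStor) {
        foreach ($inst in Get-ChildItem $model.PSPath) {
            $id = $inst.PSChildName
            $noSerial = ($id.Length -gt 1 -and $id[1] -eq '&')
            $Seen += [pscustomobject]@{
                Serial       = if ($noSerial) { $null } else { ($id -split '&')[0] }  # strip "&0" suffix
                InstanceId   = $id
                FriendlyName = (Get-ItemProperty $inst.PSPath).FriendlyName
                Model        = $model.PSChildName
                NoSerial     = $noSerial
            }
        }
    }
}

# 1. Devices attached to this host that have no owner in the inventory.
$Unowned = $Seen | Where-Object { -not $_.NoSerial -and $_.Serial -notin $Inventory.Serial }

# 2. Devices that cannot be tied to an owner by serial at all.
$NoSerial = $Seen | Where-Object NoSerial

# 3. Inventory entries with more than one owner (violates the single-owner rule).
$Shared = $Inventory | Group-Object Serial | Where-Object Count -gt 1

# 4. Is the deny-all removable storage policy set in the local policy hive?
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$DenyAll = (Get-ItemProperty -Path $PolicyKey -Name Deny_All -ErrorAction SilentlyContinue).Deny_All -eq 1

"Host: $env:COMPUTERNAME"
"USB storage devices recorded on this host: $($Seen.Count)"
"Removable storage Deny_All policy applied: $DenyAll"
if ($Unowned) {
    "`nUNOWNED devices (no inventory entry) - remove or assign an owner:"
    $Unowned | Format-Table Serial, FriendlyName, Model -AutoSize
}
if ($NoSerial) {
    "`nDevices with no hardware serial (cannot be matched to an owner):"
    $NoSerial | Format-Table InstanceId, FriendlyName, Model -AutoSize
}
if ($Shared) {
    "`nSHARED inventory entries (more than one owner) - reassign to a single owner:"
    $Shared | ForEach-Object { "  $($_.Name): $(($_.Group.Owner) -join ', ')" }
}
```

Two caveats when reading the output. USBSTOR is historical, so an unowned hit may be a device that was attached before the policy existed; treat it as a lead for the inspection, not as proof of a current violation. And the Deny_All check only reads the local policy key, so a result of False on a host managed through Intune or Defender Device Control does not by itself mean USB storage is unrestricted; confirm against the management console's own report.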
If you use an MSP/MSSP

Shared Media Control with Managed Service Providers

If your MSP manages portable storage or device issuance, require them to maintain an inventory with a clear owner for every device. Request a quarterly report showing all portable devices and their owners. Require written procedures prohibiting shared devices. If your MSP audits portable storage, ask for inspection reports confirming all devices are owned. Conduct your own periodic audits as well to verify the MSP's control is effective: ownership is a policy control, and the assessor will expect you, not the MSP, to show that it is being followed.


Disclaimer: This guide is for educational purposes. CMMC Level 2 certification assessments are conducted by authorized C3PAOs (CMMC Third-Party Assessment Organizations). Consult the official NIST SP 800-171 standard and your assessor for definitive requirements.

New practice breakdowns and assessment tips every week. Follow on Substack to stay current as the November 2026 deadline gets closer.