CMMC Practices

MP.L2-3.8.8  

Reference: CMMC 2.0

Family: MP

Level Introduced: 2

Title: Shared Media

Practice:
Prohibit the use of portable storage devices when such devices have no identifiable owner.

CMMC Clarification:
A portable storage device is a small hard drive or solid-state device that is designed to hold various types of data. It typically plugs into a laptop or desktop port (e.g., USB port). Because these devices are small, they can be easily lost. This makes the portable storage device an attractive tool to hack an organization. Since the device can hold any type of file, it could contain an executable or document that a staff member opens to determine who owns the portable storage device. Therefore, an organization should prohibit use if it cannot trace the device to an owner.

Example
You are the IT manager for your organization. As you enter the building, a staff member says they found a USB drive in the parking lot. You ask if the USB device indicates who might be the owner. The staff member responds that there didn't appear to be any special markings on the drive. Once they get to their office, they plan to plug the drive into their laptop to see what type of files are on the drive. The data might indicate which project owns it. You remind them that IT policies and practices expressly prohibit plugging unknown devices into computers. You remind the staff member that your organization's IT policy directs them to turn in the lost USB device to the IT Helpdesk so they can resolve the issue.

Source: CMMC v2.0