Reference: CMMC 2.0
Level Introduced: 2
Title: Shared Media
Prohibit the use of portable storage devices when such devices have no identifiable owner.
A portable storage device is a small hard drive or solid state device that is designed to hold various types of data. It typically plugs into a laptop or desktop port (e.g., USB port). Due to the small size of the device they can be easily lost. This makes the portable storage device an attractive tool to hack an organization. Since the device can hold any type of file it could contain an executable or document that a staff member opens to determine who owns the portable storage device Therefore, an organization should prohibit use if it cannot trace the device to an owner.
You are the IT manager for your organization. As you enter the building a staff member says they found a USB drive in the parking lot. You ask if the USB device indicates who might be the owner. The staff member responds that there didn't appear to be any special markings on the drive. Once they get to their office they plan to plug the drive into their laptop to see what type of files are on the drive. The data might indicate which project owns it. You remind them that IT policies and practices expressly prohibit plugging unknown devices into computers. You remind the staff member that your organization's IT policy directs them to turn in the lost USB device to the IT Helpdesk so they can resolve the issue.