Reference: CMMC v2.13
Family: MP
Level Introduced: 2
Title: Removable Media
Practice:
Control the use of removable media on system components.
Further Discussion:
Removable media are any type of media storage that you can remove from your computer or machine (e.g., CDs, DVDs, diskettes, and USB drives). Write a specific policy for removable media. The policy should cover the various types of removable media (e.g., write-once media and rewritable media) and should discuss the company’s approach to removable media. Ensure the following controls are considered and included in the policy:
• limit the use of removable media to the smallest number needed; and
• scan all removable media for viruses.
Example
You are in charge of IT operations. You establish a policy for removable media that includes USB drives [a]. The policy includes information such as:
• only USB drives issued by the organization may be used; and
• USB drives are to be used for work purposes only [a].
You set up a separate computer to scan these drives before anyone uses them on the network. This computer has anti-virus software installed that is kept up to date.
Potential Assessment Considerations
• Are removable media allowed [a]?
• Are policies and/or procedures in use to control the use of removable media [a]?