CMMC v2.11 Practices

MP.L2-3.8.7  

Reference: CMMC v2.11

Family: MP

Level Introduced: 2

Title: Removable Media

Practice:
Control the use of removable media on system components.

Further Discussion:
Removable media are any type of media storage that you can remove from your computer or machine (e.g., CDs, DVDs, diskettes, and USB drives). Write a specific policy for removable media. The policy should cover the various types of removable media (e.g., write-once media and rewritable media) and should discuss the company’s approach to removable media. Ensure the following controls are considered and included in the policy:
• limit the use of removable media to the smallest number needed; and
• scan all removable media for viruses.

Example
You are in charge of IT operations. You establish a policy for removable media that includes USB drives [a]. The policy includes information such as:
• only USB drives issued by the organization may be used; and
• USB drives are to be used for work purposes only [a].

You set up a separate computer to scan these drives before anyone uses them on the network. This computer has anti-virus software installed that is kept up to date.

Potential Assessment Considerations
• Are removable media allowed [a]?
• Are policies and/or procedures in use to control the use of removable media [a]?


Source: CMMC v2.11