Skip to content
CMMC 2.13
CMMC · Rev 2.132FAMILY MP

MP.L2-3.8.7

Removable Media

Requirement

Control the use of removable media on system components.

Further discussion

Removable media are any type of media storage that you can remove from your computer or machine (e.g., CDs, DVDs, diskettes, and USB drives). Write a specific policy for removable media. The policy should cover the various types of removable media (e.g., write-once media and rewritable media) and should discuss the company’s approach to removable media. Ensure the following controls are considered and included in the policy: • limit the use of removable media to the smallest number needed; and • scan all removable media for viruses. Example You are in charge of IT operations. You establish a policy for removable media that includes USB drives [a]. The policy information such as: • only USB drives issued by the organization may be used; and • USB drives are to be used for work purposes only [a]. You set up a separate computer to scan these drives before anyone uses them on the network. This computer has anti-virus software installed that is kept up to date. Potential Assessment Considerations • Are removable media allowed [a]? • Are policies and/or procedures in use to control the use of removable media [a]?

Supporting controls

NIST 800-171 · Rev 21 mapped

Create a free account or log in to view the cross-referenced controls.

Implementation strategies

10 recommended strategies for this practice.

Create a free account or log in to view the implementation strategies.

Source: DoD CIO · https://dodcio.defense.gov/CMMC/