CMMC AC.2.006 - Limit Storage Devices

Requirement text: AC.2.006: Limit use of portable storage devices on external systems.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 
Limits on the use of organization-controlled portable storage devices in external systems
include complete prohibition of the use of such devices or restrictions on how the devices
may be used and under what conditions the devices may be used. Note that while
“external” typically refers to outside of the organization’s direct supervision and authority
that is not always the case. Regarding the protection of CUI across an organization, the
organization may have systems that process CUI and others that do not. Among the
systems that process CUI there are likely access restrictions for CUI that apply between
systems. Therefore, from the perspective of a given system, other systems within the
organization may be considered “external” to that system.

CMMC CLARIFICATION
A portable storage device is a system component that you can insert and remove from a
system. You use it to store data or information. Examples of portable storage devices
include:
      • floppy disks;
      • compact/digital video disks (CDs/DVDs);
      • flash/thumb drives;
      • external hard disk drives; and
      • flash memory cards/drives that contain nonvolatile memory.

You can put this practice in place two ways:
      • set up a policy that describes the usage restrictions of these devices or
      • establish technical means, such as configuring devices to work only when connected
      to a system to which they can authenticate.
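The second option, technical enforcement, is easiest to picture with a concrete control. The PowerShell below is an added example written for this page; it is not from CMMC or NIST. It assumes a Windows endpoint and writes the registry values that the Group Policy settings under Computer Configuration > Administrative Templates > System > Removable Storage Access use (the device class GUIDs and `Deny_*` value names are the standard ones for that policy area). It gives one function to apply a restriction per device class and one to audit what is currently set, so the same script can both enforce the practice and produce evidence for an assessor.

```powershell
# Added example (not CMMC/NIST code): enforce and audit removable storage restrictions.
# Assumes Windows and the Removable Storage Access policy registry layout.
# Run from an elevated prompt; in a domain, apply the same settings through a GPO
# and use Get-RemovableStorageRestriction on endpoints to verify they took effect.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

# Device class GUID for "Removable Disks" (USB flash drives, external hard drives)
$RemovableGuid = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
# Device class GUID for "CD and DVD"
$CdDvdGuid = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'

function Set-RemovableStorageRestriction {
    # Writes Deny_Read / Deny_Write / Deny_Execute (1 = deny, 0 = allow) for one device class.
    param(
        [Parameter(Mandatory)][string]$ClassGuid,
        [switch]$DenyRead,
        [switch]$DenyWrite,
        [switch]$DenyExecute
    )
    $key = Join-Path $PolicyRoot $ClassGuid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    $settings = @{
        'Deny_Read'    = $DenyRead.IsPresent
        'Deny_Write'   = $DenyWrite.IsPresent
        'Deny_Execute' = $DenyExecute.IsPresent
    }
    foreach ($name in $settings.Keys) {
        $value = if ($settings[$name]) { 1 } else { 0 }
        New-ItemProperty -Path $key -Name $name -Value $value -PropertyType DWord -Force | Out-Null
    }
}

function Set-RemovableStorageProhibition {
    # Complete prohibition: "All Removable Storage classes: Deny all access".
    param([switch]$Enable)
    if (-not (Test-Path $PolicyRoot)) { New-Item -Path $PolicyRoot -Force | Out-Null }
    $value = if ($Enable.IsPresent) { 1 } else { 0 }
    New-ItemProperty -Path $PolicyRoot -Name 'Deny_All' -Value $value -PropertyType DWord -Force | Out-Null
}

function Get-RemovableStorageRestriction {
    # Audit helper: reports the effective deny flags for one device class (0 when unset).
    param([Parameter(Mandatory)][string]$ClassGuid)
    $key = Join-Path $PolicyRoot $ClassGuid
    $result = [ordered]@{ ClassGuid = $ClassGuid; Deny_Read = 0; Deny_Write = 0; Deny_Execute = 0 }
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
            if ($null -ne $props.$name) { $result[$name] = [int]$props.$name }
        }
    }
    [pscustomobject]$result
}

# Example restriction (a constructed policy choice, not a CMMC requirement):
# removable disks become read-only so CUI cannot be copied onto them, and
# CD/DVD writing is blocked. Replace with Set-RemovableStorageProhibition -Enable
# if the organization's policy is an outright ban.
Set-RemovableStorageRestriction -ClassGuid $RemovableGuid -DenyWrite -DenyExecute
Set-RemovableStorageRestriction -ClassGuid $CdDvdGuid -DenyWrite

# Evidence for the assessor: show what is actually enforced on this host.
Get-RemovableStorageRestriction -ClassGuid $RemovableGuid | Format-List
Get-RemovableStorageRestriction -ClassGuid $CdDvdGuid | Format-List
```

Run `gpupdate /force` afterwards so the policy engine picks up the change; a device that was already mounted when the values changed may need to be removed and reinserted before the restriction applies to it. This mechanism restricts device classes on the host; the "devices that only work when they can authenticate to a system" approach mentioned above is a separate control (for example, managed encrypted drives) and is not what these registry values provide.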

Example
Your organization has a usage restriction policy. It states that users cannot use portable
storage devices in external information systems without management approval.

References
• NIST SP 800-171 Rev 1 3.1.21
• CIS Controls v7.1 13.7, 13.8, 13.9
• NIST CSF v1.1 ID.AM-4, PR.PT-2
• NIST SP 800-53 Rev 4 AC-20(2)
