CMMC MP.2.121 - Control Use of Removable Media

Requirement text: MP.2.121: Control the use of removable media on system components.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
In contrast to requirement MP.2.119, which restricts user access to media, this requirement
restricts the use of certain types of media on systems, for example, restricting or prohibiting
the use of flash drives or external hard disk drives. Organizations can employ technical and
nontechnical controls (e.g., policies, procedures, and rules of behavior) to control the use of
system media. Organizations may control the use of portable storage devices, for example,
by using physical cages on workstations to prohibit access to certain external ports, or
disabling or removing the ability to insert, read, or write to such devices.

Organizations may also limit the use of portable storage devices to only approved devices
including devices provided by the organization, devices provided by other approved
organizations, and devices that are not personally owned. Finally, organizations may control
the use of portable storage devices based on the type of device, prohibiting the use of
writeable, portable devices, and implementing this restriction by disabling or removing the
capability to write to such devices.

Malicious code protection mechanisms include anti-virus signature definitions and
reputation-based technologies. Many technologies and methods exist to limit or eliminate the
effects of malicious code. Pervasive configuration management and comprehensive software
integrity controls may be effective in preventing execution of unauthorized code. In addition
to commercial off-the-shelf software, malicious code may also be present in custom-built
software. This could include logic bombs, back doors, and other types of cyber-attacks that
could affect organizational missions/business functions. Traditional malicious code protection
mechanisms cannot always detect such code. In these situations, organizations rely instead on
other safeguards including secure coding practices, configuration management and control,
trusted procurement processes, and monitoring practices to help ensure that software does not
perform functions other than the functions intended.
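The three technical options the discussion names (prohibiting the storage driver outright, forcing portable devices read-only, and exempting only organization-approved devices) can be expressed as host configuration. The following Python script is an added example and not text from the CMMC or NIST source: it renders a modprobe.d fragment and a udev rules file for a Linux workstation, and audits a modprobe.d fragment the way an assessor would check it. The serial numbers in APPROVED_SERIALS, the label name mp2121_end, the file paths in the comments and the /sbin/blockdev location are assumptions made for illustration.

```python
"""Linux removable-media controls for MP.2.121 (added example, not source text).

Assumptions (not from the page): a systemd-udev host where blockdev lives at
/sbin/blockdev, usb-storage is a loadable module rather than built in, and the
approved-device inventory below is a constructed stand-in for a real list.
"""
import re

# Constructed inventory of organization-issued drives, identified by the USB
# serial string that sysfs exposes as ATTRS{serial}. Personally owned devices
# are never listed, so they fall through to the default (read-only) rule.
APPROVED_SERIALS = ["4C530001230917108123", "0701B3F2A9C4"]

# Option 1: prohibit USB mass storage outright. 'blacklist' only stops
# alias-driven autoload; the 'install' line is what defeats an explicit
# 'modprobe usb-storage', so both lines are needed.
MODPROBE_FRAGMENT = """\
# /etc/modprobe.d/mp2121-usb-storage.conf (assumed path)
install usb-storage /bin/false
blacklist usb-storage
"""

SERIAL_RE = re.compile(r"[A-Za-z0-9_.-]+")


def udev_rules(approved_serials, readonly_default=True):
    """Option 2: approved drives keep normal read/write access; every other
    USB-backed disk (and each of its partitions) is switched read-only as it
    appears. Returns the text of a rules file for /etc/udev/rules.d/."""
    lines = ['# Generated removable-media policy for MP.2.121 (assumed file)',
             'ACTION!="add", GOTO="mp2121_end"']
    for serial in approved_serials:
        # Serials are interpolated into a quoted udev match; refuse anything
        # that could break out of the quotes or smuggle in extra keys.
        if not SERIAL_RE.fullmatch(serial):
            raise ValueError(f"refusing unsafe serial in inventory: {serial!r}")
        lines.append(
            f'KERNEL=="sd[a-z]*", SUBSYSTEMS=="usb", ATTRS{{serial}}=="{serial}", '
            'GOTO="mp2121_end"')
    if readonly_default:
        # %k expands to the kernel device name (sdb, sdb1, ...).
        lines.append('KERNEL=="sd[a-z]*", SUBSYSTEMS=="usb", '
                     'RUN+="/sbin/blockdev --setro /dev/%k"')
    lines.append('LABEL="mp2121_end"')
    return "\n".join(lines) + "\n"


def usb_storage_prohibited(modprobe_text):
    """Audit check for option 1. True only when usb-storage is blacklisted AND
    its install command is redirected to a no-op; a blacklist line alone, or
    a commented-out install line, does not satisfy the control."""
    noop_commands = {"/bin/false", "/bin/true", "/usr/bin/false", "/usr/bin/true"}
    install_ok = blacklist_ok = False
    for raw in modprobe_text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if parts[:2] == ["install", "usb-storage"] and len(parts) >= 3:
            install_ok = parts[2] in noop_commands
        elif parts == ["blacklist", "usb-storage"]:
            blacklist_ok = True
    return install_ok and blacklist_ok


if __name__ == "__main__":
    print(MODPROBE_FRAGMENT)
    print(udev_rules(APPROVED_SERIALS))
    print("usb-storage prohibited:", usb_storage_prohibited(MODPROBE_FRAGMENT))
```

Two caveats a practitioner should check before relying on either option. The modprobe fragment does nothing if usb-storage is compiled into the kernel rather than loaded as a module; in that case the udev rule, port disablement in firmware, or the physical port cages the discussion mentions are the fallback. The read-only rule acts on the block device, so a write-protected drive still mounts, but only read-only; after editing rules run udevadm control --reload and re-plug a test device to confirm the policy before rolling it out.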

CMMC CLARIFICATION
Removable media is any type of storage medium that can be removed from a computer or
machine, for example CDs, DVDs, diskettes and USB drives. Write a specific removable-media
policy for your company. The policy should distinguish the two types of removable media,
write-once and rewritable. Limit the use of removable media to the smallest number of devices
needed. Scan all removable media for malware before use. Track the removable media you own
and make sure it is reused and disposed of properly.

Example
You are in charge of IT operations at your company. You establish a policy for USB drives:
all of them must be scanned for malware before use on the company's networks. You set up a
separate, standalone computer to scan these drives before anyone uses them on the network.
This computer has anti-virus software installed that is kept up to date.

References
• NIST SP 800-171 Rev 1 3.8.7
• CIS Controls v7.1 13.7, 13.8
• NIST CSF v1.1 PR.PT-2
• CERT RMM v1.2 MON:SG2.SP4
• NIST SP 800-53 Rev 4 MP-7