Requirement text: MP.3.123: Prohibit the use of portable storage devices when such devices have no
identifiable owner.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable
storage devices reduces the overall risk of using such technologies by allowing organizations
to assign responsibility and accountability for addressing known vulnerabilities in the
devices (e.g., insertion of malicious code).
CMMC CLARIFICATION
A portable storage device is a small hard drive or solid-state device that is designed to hold
various types of data. It typically plugs into a laptop or desktop port (e.g., a USB port). Because
of their small size, these devices are easily lost. This makes the portable storage device an
attractive tool for attacking an organization. Since the device can hold any type of file, it could
contain an executable or document that a staff member opens while trying to determine who owns
the portable storage device. Therefore, an organization should prohibit use if it cannot trace
the device to an owner.
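The following is an added example, not code from CMMC or NIST, showing one way to implement the decision this practice calls for: a device is usable only if its identity maps to an active ownership record in the organization's inventory. The inventory, the device identifiers, and the single-line "usb-attach" record format are all constructed for the example; real device identity would come from the operating system's device enumeration, and enforcement from its removable-storage policy. The check also covers two cases the text implies but does not spell out: a drive that reports no serial number at all (it can never be traced to an owner, so it is refused) and a device whose ownership record has been deactivated.

```python
"""Owner-traceability check for portable storage devices (added example).

Everything here is constructed: the inventory contents, the vendor/product/serial
values, and the 'usb-attach ...' record format are illustrative only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DeviceKey = Tuple[str, str, str]  # (vendor_id, product_id, serial), lower-case hex

# Constructed inventory of devices the organization has issued. An inactive
# record models a device whose owner has left or whose assignment was revoked.
INVENTORY: Dict[DeviceKey, dict] = {
    ("0781", "5583", "4c530001230425101234"): {"owner": "project-falcon", "active": True},
    ("0951", "1666", "e0d55e6c5c8ef4b0"):     {"owner": "alice.smith",    "active": True},
    ("0781", "5583", "4c530009990101010101"): {"owner": "bob.jones",      "active": False},
}

# Constructed device-attach records in a simple one-line format (assumption).
SAMPLE_EVENTS: List[str] = [
    "usb-attach idVendor=0781 idProduct=5583 serial=4C530001230425101234",  # issued device
    "usb-attach idVendor=0781 idProduct=5583 serial=4C530009990101010101",  # owner record inactive
    "usb-attach idVendor=13fe idProduct=4300 serial=070B2E9D1A3F",          # unknown drive
    "usb-attach idVendor=0930 idProduct=6545",                               # no serial reported
]


@dataclass(frozen=True)
class UsbEvent:
    vendor_id: str
    product_id: str
    serial: Optional[str]  # many low-cost drives expose no serial number


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    owner: Optional[str] = None


def parse_event(line: str) -> UsbEvent:
    """Parse one constructed 'usb-attach key=value ...' record into a UsbEvent.

    Identifiers are normalized to lower-case so lookups do not depend on how a
    particular tool happens to print hex digits.
    """
    fields = {}
    for token in line.split()[1:]:
        key, _, value = token.partition("=")
        fields[key] = value.lower()
    return UsbEvent(fields["idVendor"], fields["idProduct"], fields.get("serial") or None)


def check_device(event: UsbEvent, inventory: Dict[DeviceKey, dict] = INVENTORY) -> Decision:
    """Allow the device only if it can be traced to an active, identifiable owner."""
    if not event.serial:
        # Without a serial the device cannot be distinguished from any other of
        # the same model, so ownership can never be established: refuse it.
        return Decision(False, "no serial number: device cannot be traced to an owner")
    record = inventory.get((event.vendor_id, event.product_id, event.serial))
    if record is None:
        return Decision(False, "not in inventory: no identifiable owner")
    if not record["active"]:
        return Decision(False, f"ownership record for {record['owner']} is inactive")
    return Decision(True, "registered device", owner=record["owner"])


def triage(lines: List[str]) -> List[Decision]:
    """Run the check over a batch of attach records, preserving input order."""
    return [check_device(parse_event(line)) for line in lines]


if __name__ == "__main__":
    for line, decision in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        verdict = "ALLOW" if decision.allow else "DENY "
        owner = f" (owner: {decision.owner})" if decision.owner else ""
        print(f"{verdict} {line}\n       {decision.reason}{owner}")
```

Only the first record is allowed; the parking-lot drive from the scenario below would fall into the "not in inventory" case and be refused before any of its files are opened, which is the point of the practice. In a real deployment the inventory would be the organization's asset register and the deny outcome would be enforced by the endpoint's removable-media controls rather than by this script.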
Example
You are the IT manager for your organization. As you enter the building a staff member says
they found a USB drive in the parking lot. You ask if the USB device indicates who might be
the owner. The staff member responds that there didn’t appear to be any special markings
on the drive. Once they get to their office they plan to plug the drive into their laptop to see
what type of files are on the drive. The data might indicate which project owns it. You
remind them that IT policies and practices expressly prohibit plugging unknown devices into
computers. You remind the staff member that your organization’s IT policy directs them to
turn in the lost USB device to the IT Helpdesk so they can resolve the issue.
References
• NIST SP 800-171 Rev 1 3.8.8
• NIST CSF v1.1 PR.PT-2
• CERT RMM v1.2 MON:SG2.SP4
• NIST SP 800-53 Rev 4 MP-7(1)