Access Control 3.1.21
Limit use of portable storage devices on external systems.
What Is This CMMC Control?
Organizations must control how employees use company-owned USB drives, external hard drives, and other portable storage devices when connecting them to systems outside the organization's direct control. This includes systems at customer sites, partner locations, home networks, or even other internal systems that don't process the same type of sensitive data. The goal is to prevent sensitive information from being accidentally copied to uncontrolled locations or malware from being introduced into the organization's environment.
Control Intent
Prevent unauthorized disclosure of CUI and introduction of malware by controlling the use of portable storage devices in environments where the organization cannot enforce its security policies.
Who This Control Applies To
- Organizations that issue portable storage devices (USB drives, external hard drives, SD cards) to employees
- Systems that process CUI and may interact with external systems
- Remote workers who use organizational portable storage devices
- Employees who work at customer sites or partner locations
- Contractors who use organizational portable storage devices
Not Applicable When
- The organization does not issue or allow use of any portable storage devices
- All work is performed exclusively on organization-controlled systems with no external system interaction
- The organization has completely prohibited portable storage device use across all scenarios
Key Objectives
1. Prevent CUI from being transferred to external systems through portable storage devices where it cannot be adequately protected.
2. Reduce the risk of malware introduction from external systems via portable storage devices.
3. Maintain visibility and control over organizational data when portable storage devices are used outside the organization's security boundary.
Sample Self-Assessment Questions (Partial)
Does your organization issue USB drives, external hard drives, or other portable storage devices to employees?
Do employees ever connect organizational portable storage devices to systems outside your direct control (customer sites, home computers, partner systems)?
Implementation Approaches (High-Level)
Complete Prohibition with Approved Alternatives
Organization prohibits all use of portable storage devices on external systems and provides approved alternatives for necessary data transfers
Risk-Based Restrictions with Approval Process
Organization allows limited use of portable storage devices on external systems under specific conditions with management approval
Technical Enforcement with Device Management
Organization uses technical controls to prevent or detect unauthorized use of portable storage devices on external systems
Scoped Prohibition Based on System Boundaries
Organization defines internal system boundaries and prohibits portable storage device use across those boundaries without authorization
Evidence & Assessment Notes
Expected Evidence
Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.
Plan of Action & Milestones (POA&M)
- If no policy exists, the POA&M should include policy development with a clear definition of external systems and restrictions.
- If a policy exists but is not enforced, the POA&M should address enforcement mechanisms (technical or procedural).
- If personnel are unaware of restrictions, the POA&M should include training and awareness activities.
- If no inventory of portable storage devices exists, the POA&M should include an inventory creation and tracking process.
- If technical controls are planned but not implemented, the POA&M should specify the controls and an implementation timeline.
- The POA&M should address any approved exceptions and how they will be managed during the remediation period.
- If the organization cannot immediately prohibit use, the POA&M should include interim compensating controls such as encryption requirements and usage logging.
- POA&M milestones should be realistic given the need for policy development, procurement of encrypted devices, and personnel training.
Frequently Asked Questions
Does this control require us to completely prohibit USB drives and other portable storage devices?
No, the control requires you to limit their use on external systems, not prohibit them entirely. You can allow portable storage devices on your own managed systems while restricting their use on systems outside your control. The specific restrictions (complete prohibition, approval-based use, technical controls, etc.) are determined by your organization based on risk and business needs.
What exactly is an 'external system' for this control?
An external system is any system where your organization cannot enforce its security policies. This typically includes systems at customer sites, partner locations, personal home computers, and public computers. However, it can also include other systems within your own organization that process different types of data or have different security boundaries. Your organization must define what 'external' means in your specific context.
Do we need to track every time an employee uses a USB drive on an external system?
The control does not explicitly require logging every use, but you must have some way to limit and verify compliance with your restrictions. This could be through complete prohibition, an approval process with documentation, technical controls that prevent unauthorized use, or usage logging. The appropriate mechanism depends on your chosen implementation approach and risk tolerance.
Can we allow employees to use encrypted USB drives on external systems?
Yes, using encrypted portable storage devices with appropriate approval and restrictions is an acceptable implementation. However, encryption alone does not satisfy this control - you still need documented restrictions on when and how the encrypted devices can be used on external systems, and personnel must be aware of these restrictions. Encryption is a compensating control that reduces risk but does not eliminate the need for usage limitations.
How does this control apply to remote workers using company laptops at home?
If remote workers connect organizational portable storage devices to their home computers or other personal devices, those personal devices are considered external systems. Your policy must address this scenario, either by prohibiting such use or by defining specific conditions under which it is allowed (such as requiring encrypted devices and approval). The remote worker's company-issued laptop itself is not an external system if it is managed by your organization.
What should we do if an employee accidentally connects a company USB drive to an external system?
Your policy should define this as a reportable incident. The employee should immediately disconnect the device, report the incident to your security team, and the device should be treated as potentially compromised. Depending on your risk assessment, you may need to sanitize the device, scan it for malware, or retire it from use. The key is having a documented process for handling such incidents and ensuring personnel know to report them.
How ConformatIQ Helps With CMMC Readiness
ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.
Information sourced from NIST SP 800-171 Rev. 2.