Control 3.8.7
Control Removable Media Usage
Official Requirement
Control the use of removable media on information system components.
What This Means in Plain English
The use of USB drives, external hard drives, CDs, and other removable media must be controlled. You need policies defining who can use removable media, what types are allowed, and technical controls enforcing those policies.
How Petronella Implements This Control
Petronella Technology Group implements this control through:
- Sophos XDR device control blocking all removable media by default
- Whitelisted encrypted USB drives provisioned by IT as exceptions
- Group Policy restricting removable media access based on user role
- DLP policies scanning removable media operations for CUI
- ComplianceArmor removable media policy signed by all users during onboarding
Assessment Guidance
Assessors will test that removable media is blocked by default on endpoints, verify that only approved media types are permitted, review device control policies, and check that removable media use is logged and monitored.
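One way to spot-check part of this on a Windows endpoint before an assessment, as an added example that is not Petronella's own tooling. It assumes Windows endpoints (implied by the Group Policy item above), reads only Windows-native settings, and does not query Sophos XDR or any DLP product; the function names are hypothetical.

```powershell
# Added example: read-only check of Windows-native removable-media settings.
# Function names are hypothetical; nothing here changes system state.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Test-RemovableMediaPosture {
    # Group Policy "All Removable Storage classes: Deny all access" (1 = enabled)
    $denyAll = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' 'Deny_All'

    # USB mass-storage driver start type (4 = disabled, 3 = loaded on demand)
    $usbStor = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'

    # Event log channel that records device connections once it is enabled
    $log = Get-WinEvent -ListLog 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' `
        -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        DenyAllPolicy    = ($denyAll -eq 1)
        UsbStorDisabled  = ($usbStor -eq 4)
        # Either native setting is enough to block USB mass storage by default
        BlockedByDefault = ($denyAll -eq 1) -or ($usbStor -eq 4)
        DeviceLogEnabled = [bool]($log -and $log.IsEnabled)
    }
}

Test-RemovableMediaPosture | Format-List
```

A `False` for `BlockedByDefault` only means the Windows-native settings are not doing the blocking; where a device control product enforces the policy, that product's own policy report is the evidence to collect.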
Common Implementation Gaps
- No removable media controls on endpoints
- All USB devices allowed without restriction
- No approved/whitelisted media list
- Removable media use not logged or monitored
- No policy governing removable media use
Cross-Framework Mapping
| Framework | Mapped Controls |
|---|---|
| NIST SP 800-53 | MP-7 |
| HIPAA | 164.310(d)(1) - Device and Media Controls |