AC.L2-3.1.21: Controlling Portable Storage on External Systems
Portable storage devices represent a critical security gap in CMMC Level 2 compliance. This control requires you to restrict how USB drives, external hard drives, and similar media can be used on systems outside your organization's network. Without proper portable storage governance, you risk unauthorized data exfiltration and loss of controlled unclassified information (CUI).
What this means
AC.L2-3.1.21 mandates that your organization establish and enforce policies limiting the use of portable storage devices on external systems—computers not owned or managed by your company. This includes personal devices, contractor systems, and third-party networks. The control recognizes that external systems lack your organization's security baseline, making them vulnerable entry points for malware and data theft. Your policies must clearly define which employees can use portable media, under what circumstances, and on which systems. You must also implement monitoring to detect unauthorized portable storage activity and maintain an audit trail of compliance.
How to comply
- 1.Document a portable storage policy that explicitly restricts or prohibits use of USB drives, external hard drives, SD cards, and similar devices on external systems
- 2.Define authorized exceptions and document business justifications for any permitted portable storage use outside your network
- 3.Implement technical controls such as USB port disabling, device encryption requirements, or mobile device management (MDM) to enforce restrictions
- 4.Establish monitoring and logging mechanisms to detect portable storage connections and data transfers
- 5.Conduct quarterly audits of portable storage incidents and maintain evidence of policy enforcement
- 6.Train all personnel on portable storage restrictions and document their acknowledgment
- 7.Review and update portable storage policy annually or when external threats evolve
Evidence auditors look for
- Written portable storage policy document signed by leadership and distributed to all staff
- Technical configuration screenshots showing disabled USB ports or blocked removable media on organization devices
- Mobile device management (MDM) policy screenshots enforcing encryption on portable devices
- System logs and monitoring reports showing blocked or logged portable storage access attempts
- Employee training records and signed acknowledgments of portable storage restrictions
- Quarterly audit reports documenting compliance findings and remediation actions
- Vendor agreements or third-party contracts requiring compliance with portable storage policies
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates portable storage policy enforcement and violation detection by centralizing your device inventory, ingesting USB activity logs, and generating compliance evidence reports—eliminating manual log review and ensuring AC.L2-3.1.21 audit readiness.
See how GRCWatch handles this control automatically
Start free trial