MP.L2-3.8.7: Removable Media Control — CMMC Level 2
Removable media poses one of the highest data exfiltration risks in modern networks. CMMC Level 2's MP.L2-3.8.7 requires organizations to implement controls restricting unauthorized use of USB drives, external hard drives, and other removable storage. This guide walks you through implementation, evidence gathering, and enforcement.
What this means
This control requires you to establish and enforce restrictions on how removable media (USB drives, external hard drives, SD cards, optical media) can be used across all system components. You must define which devices are allowed, who can use them, under what circumstances, and implement technical or administrative controls to prevent unauthorized access or data transfer via removable media.
How to comply
- 1.Develop a removable media policy that defines approved media types, authorized users, and permitted use cases
- 2.Document which system components allow removable media and implement technical restrictions (USB port disablement, driver blocking, or MDM policies)
- 3.Configure endpoint protection software to detect and alert on removable media connections
- 4.Require encryption for any removable media used in your environment
- 5.Establish a baseline inventory of approved removable devices and assign ownership
- 6.Conduct regular audits to identify unauthorized or unapproved removable media connections
- 7.Train users on the removable media policy and consequences for non-compliance
- 8.Log and monitor removable media access attempts and maintain audit trails for compliance verification
Evidence auditors look for
- Removable media policy document with approval dates and version control
- Configuration settings from endpoint protection software showing USB/removable media restrictions
- Device management (MDM/EMM) policies blocking unauthorized removable media
- Group Policy objects (GPOs) disabling USB ports or removable storage drivers on Windows systems
- BIOS/firmware settings restricting removable media boot options
- Audit logs showing removable media connection attempts, user, timestamp, and device name
- Approved device inventory list with asset tags and authorized users
- Screenshots of endpoint detection and response (EDR) alerts triggered by removable media
- Incident reports documenting any removable media policy violations and corrective actions
- Training records or sign-offs confirming user awareness of removable media restrictions
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates removable media monitoring by aggregating endpoint logs, flagging unauthorized device connections in real-time, and generating ready-to-audit evidence reports—eliminating manual log reviews and compliance gaps.
See how GRCWatch handles this control automatically
Start free trial