MP.L2-3.8.8: Shared Media — CMMC Level 2 Control
MP.L2-3.8.8 requires organizations to prohibit portable storage devices without identifiable owners, reducing the risk of unauthorized data access and loss. This control addresses a critical vulnerability in data handling practices by ensuring accountability for all removable media in your environment.
What this means
This control mandates that your organization prevent the use of portable storage devices—such as USB drives, external hard drives, and memory cards—that cannot be traced to a specific owner. Unidentified devices create compliance gaps and security blind spots. By enforcing ownership accountability, you establish a clear audit trail and reduce the likelihood of data breaches through unauthorized or lost media.
How to comply
- 1.Develop a portable storage device policy that requires all devices to be registered with identifiable owners
- 2.Implement technical controls such as USB port disablement or device whitelisting on systems handling sensitive data
- 3.Create an inventory of approved portable storage devices and their authorized users
- 4.Enforce media labeling requirements so all devices are clearly marked with owner information and asset tags
- 5.Establish a device check-out and check-in process to maintain accountability
- 6.Conduct regular audits to identify any non-compliant or unknown devices connected to your network
- 7.Provide employee training on portable storage policies and the security risks of unidentified media
Evidence auditors look for
- Documented portable storage device policy prohibiting unidentified devices
- Technical controls configuration logs showing USB restrictions or device whitelelist enforcement
- Asset inventory listing all approved portable storage devices with owner names and asset IDs
- Device labeling standards and photographs of labeled media in use
- Audit reports showing regular scans for unauthorized or unidentified devices
- Employee training records acknowledging the portable storage policy
- Check-out/check-in logs demonstrating device accountability tracking
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically tracks and flags unidentified portable storage devices across your network, maintains a real-time device inventory tied to specific owners, and generates audit evidence for CMMC assessments—eliminating manual spreadsheet tracking and reducing compliance risk.
See how GRCWatch handles this control automatically
Start free trial