Level 5 CMMC - CMMC Practices

MP.3.123  

Reference: CMMC 1.02

Family: MP

Level Introduced: 3

Practice:
Prohibit the use of portable storage devices when such devices have no identifiable owner.

CMMC Clarification:
A portable storage device is a small hard drive or solid-state device designed to hold various types of data. It typically plugs into a laptop or desktop port (e.g., a USB port). Because these devices are small, they are easily lost, which makes a portable storage device an attractive tool for attacking an organization. Since the device can hold any type of file, it could contain an executable or a document that a staff member opens in an attempt to determine who owns the device. Therefore, an organization should prohibit use of a portable storage device if it cannot trace the device to an owner.

Example:
You are the IT manager for your organization. As you enter the building a staff member says they found a USB drive in the parking lot. You ask if the USB device indicates who might be the owner. The staff member responds that there didn’t appear to be any special markings on the drive. Once they get to their office they plan to plug the drive into their laptop to see what type of files are on the drive. The data might indicate which project owns it. You remind them that IT policies and practices expressly prohibit plugging unknown devices into computers. You remind the staff member that your organization’s IT policy directs them to turn in the lost USB device to the IT Helpdesk so they can resolve the issue.

3.8.8

Prohibit the use of portable storage devices when such devices have no identifiable owner.

Discussion:
Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the overall risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., insertion of malicious code).

Source: NIST Special Publication 800-171 Rev. 2

MP-7 (1)

MEDIA USE | PROHIBIT USE WITHOUT OWNER

Description:
The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.

Supplemental Guidance:
Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., malicious code insertion). Related control: PL-4.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02