Level 5 CMMC - CMMC Practices

AC.2.006  

Reference: CMMC 1.02

Family: AC

Level Introduced: 2

Practice:
Limit use of portable storage devices on external systems.

CMMC Clarification:
A portable storage device is a system component that you can insert and remove from a system. You use it to store data or information. Examples of portable storage devices include:
• floppy disks;
• compact/digital video disks (CDs/DVDs);
• flash/thumb drives;
• external hard disk drives; and
• flash memory cards/drives that contain nonvolatile memory.
You can put this practice in place two ways:
• set up a policy that describes the usage restrictions of these devices or
• establish technical means, such as configuring devices to work only when connected to a system to which they can authenticate.

Example
Your organization has a usage restriction policy. It states that users cannot use portable storage devices in external information systems without management approval.

3.1.21

Limit use of portable storage devices on external systems.

Discussion:
Limits on the use of organization-controlled portable storage devices in external systems include complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used. Note that while “external” typically refers to outside of the organization’s direct supervision and authority, that is not always the case. Regarding the protection of CUI across an organization, the organization may have systems that process CUI and others that do not. Among the systems that process CUI there are likely access restrictions for CUI that apply between systems. Therefore, from the perspective of a given system, other systems within the organization may be considered “external" to that system.

Source: NIST Special Publication 800-171 Rev. 2

AC-20 (2)

USE OF EXTERNAL INFORMATION SYSTEMS | PORTABLE STORAGE DEVICES

Description:
The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems.

Supplemental Guidance:
Limits on the use of organization-controlled portable storage devices in external information systems include, for example, complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02