3.1.21 Limit use of portable storage devices on external systems.

Limits on the use of organization-controlled portable storage devices in external systems include complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used. Note that while “external” typically refers to outside of the organization’s direct supervision and authority, that is not always the case. Regarding the protection of CUI across an organization, the organization may have systems that process CUI and others that do not. Among the systems that process CUI there are likely access restrictions for CUI that apply between systems. Therefore, from the perspective of a given system, other systems within the organization may be considered “external” to that system.

Actionable Items: Active Directory Group Policy can limit or completely block portable storage devices. Limits can be placed by AD Groups.

Monitoring: Device usage can be monitored and reported by third party programs.