NIST 800-53 REV 5 • ACCESS CONTROL

AC-20(2) Portable Storage Devices — Restricted Use

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using {{ insert: param, ac-20.02_odp }}.

CMMC Practice Mapping

NIST 800-171 Mapping

Related Controls

Supplemental Guidance

Limits on the use of organization-controlled portable storage devices in external systems include restrictions on how the devices may be used and under what conditions the devices may be used.

Practitioner Notes

AC-20(2) covers organization-controlled portable storage devices (the USB drives and similar media you issue) when they are used on external systems. You cannot control the external system, but you can decide whether your media may be connected to it at all and, if so, which devices, for which purposes and under what conditions; those conditions are the organization-defined restrictions the control asks you to define. Personally owned media on external systems that access your data is a related but separate concern, and your removable media policy should restrict or prohibit it as well.

Example 1: Include in your external system agreements a clause that states which organization-controlled portable storage devices may be used on the partner's systems and under what conditions, and that prohibits personally owned USB devices when accessing your data. Verify compliance during your annual review of interconnection agreements, and treat an expired agreement or a missing clause as a finding.

Example 2: For employees accessing your systems from partner locations, provide hardware-encrypted, organization-owned USB drives (for example IronKey or Apricorn devices) if data transfer is required, and configure them to wipe after 10 failed unlock attempts, or whatever threshold your policy sets. Be clear about what this does and does not buy you: hardware encryption protects the data if the drive is lost or stolen, but once the drive is unlocked on an external system the data is exposed to whatever that system does with it, so the agreement and the conditions of use still carry the weight.
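As an added illustration (not part of the NIST text or of this page's original notes), the following Python turns the conditions in the two examples into a check that can be run against a device inventory and a register of external-system agreements before a use is approved. All device serials, partner names, dates and threshold values are constructed assumptions standing in for what an organization would put in its own parameter and records.

```python
"""Check a requested use of an organization-controlled portable storage
device on an external system against assumed AC-20(2) conditions.

Added example; the inventory, agreements and thresholds are made up."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed organization-defined values (what the ODP would hold).
MAX_FAILED_UNLOCKS = 10                   # device must wipe at or before this
AGREEMENT_REVIEW_INTERVAL = timedelta(days=365)


@dataclass(frozen=True)
class Device:
    serial: str
    organization_owned: bool
    hardware_encrypted: bool
    wipe_after_failures: Optional[int]    # None = no brute-force lockout


@dataclass(frozen=True)
class Agreement:
    external_system: str
    expires: date
    last_reviewed: date
    media_clause: bool                    # clause on removable media present
    allowed_purposes: frozenset


def evaluate_media_use(device_serial: str, external_system: str, purpose: str,
                       devices: Dict[str, Device],
                       agreements: Dict[str, Agreement],
                       today: date) -> List[str]:
    """Return findings that block the use; an empty list means permitted."""
    findings: List[str] = []

    dev = devices.get(device_serial)
    if dev is None or not dev.organization_owned:
        findings.append("device is not an organization-controlled device")
    else:
        if not dev.hardware_encrypted:
            findings.append("device is not hardware encrypted")
        if dev.wipe_after_failures is None or dev.wipe_after_failures > MAX_FAILED_UNLOCKS:
            findings.append(f"device does not wipe within {MAX_FAILED_UNLOCKS} failed unlock attempts")

    agr = agreements.get(external_system)
    if agr is None:
        findings.append("no interconnection agreement for external system")
    else:
        if agr.expires < today:
            findings.append("agreement has expired")
        if not agr.media_clause:
            findings.append("agreement lacks removable-media clause")
        if today - agr.last_reviewed > AGREEMENT_REVIEW_INTERVAL:
            findings.append("agreement overdue for annual review")
        if purpose not in agr.allowed_purposes:
            findings.append(f"purpose {purpose!r} not permitted under agreement")
    return findings


# Constructed sample inventory and agreement register.
DEVICES = {
    "IK-001": Device("IK-001", True, True, 10),       # compliant issued drive
    "RETAIL-7": Device("RETAIL-7", True, False, None),  # issued, but no encryption
}
AGREEMENTS = {
    "partner-a": Agreement("partner-a", date(2026, 12, 31), date(2025, 9, 1),
                           True, frozenset({"data transfer"})),
    "partner-b": Agreement("partner-b", date(2024, 6, 30), date(2023, 5, 1),
                           False, frozenset({"data transfer"})),
}
TODAY = date(2025, 10, 1)


def demo() -> Dict[str, List[str]]:
    """Run the check over several requests and return findings per request."""
    requests = [
        ("IK-001", "partner-a", "data transfer"),
        ("RETAIL-7", "partner-a", "data transfer"),
        ("IK-001", "partner-b", "data transfer"),
        ("PERSONAL-1", "partner-a", "data transfer"),  # not in inventory
        ("IK-001", "partner-a", "backup"),
    ]
    return {f"{d}@{s}:{p}": evaluate_media_use(d, s, p, DEVICES, AGREEMENTS, TODAY)
            for d, s, p in requests}


if __name__ == "__main__":
    for req, findings in demo().items():
        print(req, "->", "PERMITTED" if not findings else "; ".join(findings))
```

The check is deliberately conservative: a device outside the inventory is treated the same as a personally owned one, and an agreement that is current but overdue for review is still reported, because the annual review is where the clause and the device list get re-verified.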