NIST 800-53 REV 5 • ACCESS CONTROL

AC-20(5) Portable Storage Devices — Prohibited Use

Prohibit the use of organization-controlled portable storage devices by authorized individuals on external systems.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Limits on the use of organization-controlled portable storage devices in external systems include a complete prohibition of the use of such devices. Prohibiting such use is enforced using technical methods and/or nontechnical (i.e., process-based) methods.

Practitioner Notes

In some environments, portable storage devices are completely prohibited — no exceptions. This is the simplest and most secure approach.

Example 1: Via GPO, set "All Removable Storage classes: Deny all access" to Enabled with no exceptions. Apply this GPO to all computers in the domain. Do not create exception groups — use network-based file transfer (approved shares, SFTP) instead of USB.

Example 2: Physically block USB ports on workstations using port blockers (small physical plugs that fit into USB ports). This provides a physical layer of protection in addition to the GPO-based blocking, covering scenarios where someone might boot from an alternate OS to bypass the software controls.
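An added verification script for Example 1 (not part of the NIST text or any vendor tooling): it confirms that the "Deny all access" policy has actually applied on each machine by reading the policy registry value the GPO writes, and lists any USB disks still attached as audit evidence. It assumes the documented policy location HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\Deny_All and, for remote hosts, that WinRM is enabled.

```powershell
# Audit helper for AC-20(5): is "All Removable Storage classes: Deny all access" effective?
# Assumption: the GPO sets the DWORD Deny_All = 1 under the policy key below.
function Test-RemovableStorageDenied {
    [CmdletBinding()]
    param(
        # Hosts to audit; defaults to the local machine.
        [string[]]$ComputerName = $env:COMPUTERNAME
    )

    $check = {
        $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

        # A missing key or value means the GPO never applied to this host.
        $denyAll = (Get-ItemProperty -Path $policyPath -Name 'Deny_All' `
                    -ErrorAction SilentlyContinue).Deny_All

        # Evidence: USB-attached disks present right now (should be none on a compliant host).
        $usbDisks = Get-CimInstance -ClassName Win32_DiskDrive |
            Where-Object { $_.InterfaceType -eq 'USB' } |
            Select-Object -ExpandProperty Model

        [PSCustomObject]@{
            ComputerName     = $env:COMPUTERNAME
            PolicyApplied    = ($null -ne $denyAll)
            DenyAllEnabled   = ($denyAll -eq 1)
            AttachedUsbDisks = @($usbDisks)
            CheckedUtc       = (Get-Date).ToUniversalTime()
        }
    }

    foreach ($c in $ComputerName) {
        if ($c -eq $env:COMPUTERNAME) {
            & $check
        } else {
            Invoke-Command -ComputerName $c -ScriptBlock $check
        }
    }
}

# Local run; non-compliant hosts are flagged so the output can feed fleet reporting.
$results = Test-RemovableStorageDenied
$results | Format-Table ComputerName, PolicyApplied, DenyAllEnabled, AttachedUsbDisks -AutoSize
$results | Where-Object { -not $_.DenyAllEnabled } | ForEach-Object {
    Write-Warning "AC-20(5): removable storage is NOT denied on $($_.ComputerName)"
}
```

Pass a list of domain computers (for example from Get-ADComputer) to -ComputerName to audit the whole domain; any host with PolicyApplied false indicates a GPO scoping or replication problem rather than a deliberate exception.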