NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-41 Port and I/O Device Access

{{ insert: param, sc-41_odp.02 }} disable or remove {{ insert: param, sc-41_odp.01 }} on the following systems or system components: {{ insert: param, sc-41_odp.03 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Connection ports include Universal Serial Bus (USB), Thunderbolt, and Firewire (IEEE 1394). Input/output (I/O) devices include compact disc and digital versatile disc drives. Disabling or removing such connection ports and I/O devices helps prevent the exfiltration of information from systems and the introduction of malicious code from those ports or devices. Physically disabling or removing ports and/or devices is the stronger action.

Practitioner Notes

Control access to physical I/O ports — USB, Thunderbolt, serial, HDMI — on your systems to prevent unauthorized data transfer or device connections.

Example 1: Use a GPO to disable USB storage devices on workstations. Under Computer Configuration > Administrative Templates > System > Removable Storage Access, enable "All Removable Storage classes: Deny all access." This prevents data exfiltration via USB drives.

Example 2: Deploy endpoint protection with device control (CrowdStrike, Microsoft Defender for Endpoint) that allows you to whitelist specific authorized USB devices (like encrypted corporate drives) while blocking all other removable media. Log all USB device connections for audit.
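The following PowerShell script is an added illustration for Examples 1 and 2, not text from NIST 800-53 or from any vendor product: it audits a workstation for the registry values the "Deny all access" policy writes, checks whether the USB mass storage driver (USBSTOR) is disabled, counts attached USB disks, and pulls recent USB device arrival events. The registry paths, the `Deny_All` value name, the `Start` value of 4 and Event ID 2003 in the DriverFrameworks-UserMode log are standard Windows locations; the function names are my own.

```powershell
# Added example: verify SC-41 port/device restrictions on a Windows host.
# Run in an elevated PowerShell session.

function Test-RemovableStoragePolicy {
    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

    # Deny_All = 1 is what the GPO "All Removable Storage classes: Deny all access" writes.
    $denyAll = (Get-ItemProperty -Path $policyKey -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
    # Start = 4 means the USB mass storage driver service is disabled (3 = load on demand).
    $usbStart = (Get-ItemProperty -Path $usbstorKey -Name 'Start' -ErrorAction SilentlyContinue).Start

    # USB disks currently enumerated by Plug and Play; device control should keep this at zero.
    $attached = @(Get-PnpDevice -Class DiskDrive -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' -and $_.Status -eq 'OK' })

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        DenyAllPolicySet   = ($denyAll -eq 1)
        UsbStorDriverOff   = ($usbStart -eq 4)
        UsbDisksAttached   = $attached.Count
        # Compliant when at least one control is in force and nothing is plugged in.
        Compliant          = (($denyAll -eq 1) -or ($usbStart -eq 4)) -and ($attached.Count -eq 0)
    }
}

function Set-RemovableStorageDenyAll {
    # Local equivalent of Example 1 for hosts that do not receive the GPO.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name 'Deny_All' -Value 1 -Type DWord
}

function Get-UsbDeviceArrivals {
    param([int]$Days = 7)
    # Event ID 2003 records a device instance being loaded by the user-mode driver
    # framework; the channel is disabled by default and must be enabled for auditing.
    $filter = @{ LogName   = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
                 Id        = 2003
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Test-RemovableStoragePolicy | Format-List
```

Run `Test-RemovableStoragePolicy` across a fleet (for example via `Invoke-Command`) to produce evidence for the assessor; a `Compliant` value of `False` points to a host where neither the policy nor the driver restriction is in effect or a USB disk is present.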