bigforceone

AC.L2-3.1.21 Limit use of portable storage devices on external systems.

What this control requires

Limit use of portable storage devices on external systems.

Source: CMMC L2 v2.13 AC.L2-3.1.21 / NIST SP 800-171 R2 3.1.21 (official control text).

Why this matters

Portable storage devices (USB drives, external hard drives, SD cards) are an effective exfiltration vector for CUI. When employees plug organization-owned storage into external systems (contractor networks, home computers, hotel business centers, partner labs), those systems may lack the controls required to protect CUI. Malware can infect the device, data can be inadvertently copied to uncontrolled locations, and encryption may be circumvented. This control requires the organization to define which portable storage devices it owns, establish rules for where they can be used, and enforce those rules through policy, technical controls, and user awareness. Without these restrictions, a single USB drive can move regulated data outside the compliance boundary undetected.

What evidence assessors expect

Assessors typically look for: PDF, CSV export, screenshot, training certificate. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
