MP.L2-3.8.7 — Control the use of removable media on system components.
What this control requires
Control the use of removable media on system components.
Source: CMMC L2 v2.13 MP.L2-3.8.7 / NIST SP 800-171 R2 3.8.7 (official control text).
Why this matters
Removable media — USB drives, external hard drives, SD cards — are a major vector for data exfiltration and malware introduction. An attacker or negligent insider can copy gigabytes of CUI in seconds, or plug in an infected drive that bypasses network defenses. This control mandates that organizations technically restrict which removable devices can connect to systems processing CUI, preventing unauthorized data movement and reducing the attack surface from physical media. Without enforcement, any user with physical access can become a data breach.
What evidence assessors expect
Assessors typically look for: screenshot, configuration export, CSV export, PDF. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
Related controls
See your live posture on MP.L2-3.8.7.
FORCE shows where you stand on this control and walks you through closing it.
Start a free trial tenant →