MP.L2-3.8.8 — Prohibit the use of portable storage devices when such devices have no identifiable owner.

What this control requires

Prohibit the use of portable storage devices when such devices have no identifiable owner.

Source: CMMC L2 v2.13 MP.L2-3.8.8 / NIST SP 800-171 R2 3.8.8 (official control text).

Why this matters

Unidentified USB drives, external hard drives, and SD cards are common vectors for malware injection and data exfiltration. When portable storage has no traceable owner, the organization cannot establish accountability, verify security posture, or trace incident origins. This control prevents anonymous or found devices from connecting to systems processing CUI. By requiring ownership identification—through asset tags, registration systems, or organizational issue records—the organization ensures every portable storage device can be linked to a responsible party who can be held accountable for its security hygiene and proper use.

What evidence assessors expect

Assessors typically look for: CSV export, screenshot, photo, PDF. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls