03.08.07 — (a) Restrict or prohibit the use of {{ insert: param, A.03.08.07.ODP.01 }}. (b) Prohibit the use of removable system media without an identifiable owner.
What this control requires
(a) Restrict or prohibit the use of {{ insert: param, A.03.08.07.ODP.01 }}. (b) Prohibit the use of removable system media without an identifiable owner.
Source: NIST SP 800-171 R3 §03.08.07 (official control text).
Why this matters
Removable media—USB drives, external hard drives, SD cards—are classic malware delivery vectors and data exfiltration tools. An attacker can drop an infected thumb drive in your parking lot; an insider can copy terabytes of CUI to a pocket-sized device. This control forces organizations to define which types of media are allowed, under what conditions, and to ensure every permitted device has a named, accountable owner. Without these restrictions, you have untracked entry and exit points for sensitive data that bypass network security entirely.
What evidence assessors expect
Assessors typically look for: PDF, screenshot, CSV export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.