
AC.2.006

Content

Control Acronym

AC

Family

Access Control

CMMC Level

2

800-171 Control #

3.1.21

CMMC Description

Limit use of portable storage devices on external systems.

CMMC Clarification

A portable storage device is a system component that you can insert into and remove from a system. You use it to store data or information. Examples of portable storage devices include:

* floppy disks
* compact/digital video disks (CDs/DVDs)
* flash/thumb drives
* external hard disk drives
* flash memory cards/drives that contain nonvolatile memory

You can put this practice in place in two ways:

* set up a policy that describes the usage restrictions of these devices, or
* establish technical means, such as configuring devices to work only when connected to a system to which they can authenticate.

Example

Your organization has a usage restriction policy. It states that users cannot use portable storage devices in external information systems without management approval.

800-171 Description

Limit use of portable storage devices on external systems.

800-171 Discussion

Limits on the use of organization-controlled portable storage devices in external systems include complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used. Note that while “external” typically refers to outside of the organization’s direct supervision and authority, that is not always the case. Regarding the protection of CUI across an organization, the organization may have systems that process CUI and others that do not. Among the systems that process CUI there are likely access restrictions for CUI that apply between systems. Therefore, from the perspective of a given system, other systems within the organization may be considered “external” to that system.

Other Source Discussion

N/A

CIS Control References

CIS Controls v7.1 13.7, 13.8, 13.9

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 AC-20(2)

CMMC Derived

NIST 800-171 References

NIST SP 800-171 Rev 1 3.1.21

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 ID.AM-4, PR.PT-2

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSC Cyber Reference

AS ACSC Reference

Sub-Criteria

Assessment Sub-Criteria 1

AC.2.006.[a] the use of portable storage devices containing CUI on external systems is identified and documented;

Assessment Sub-Criteria 2

AC.2.006.[b] limits on the use of portable storage devices containing CUI on external systems are defined; and

Assessment Sub-Criteria 3

AC.2.006.[c] the use of portable storage devices containing CUI on external systems is limited as defined.
